Mobile payments: protecting applications as mobile threat evolves
Tom Lysemose Hansen, Founder and CTO, Promon
As smartphone and tablet usage becomes ever more commonplace in our increasingly mobile world, more and more people are choosing to use their mobile devices to pay for products and services. While a highly convenient and, on the whole, secure way to make purchases, it’s not without its risks.
Inevitably, increasing mobile usage has led to a growing number of cybercriminals seeing the popular mobile channel as a lucrative opportunity to make a quick buck. With dangerous threats such as MazarBOT, XcodeGhost and Acecard just a few recent examples, it’s clear that businesses need to be prepared to protect their apps.
Where do the vulnerabilities lie?
Hackers are constantly devising new ways to attack mobile payments, so it is crucial to always stay on top of which part of the mobile payment process they are targeting. However, there are three critical attack points that organisations should be aware of in the first instance:
- Application risks: this involves cybercriminals exploiting weaknesses in the mobile payment app itself, and can include insecure app coding practices, app hacking or reverse engineering, and the theft of cryptographic keys
- Device risks: this is when hackers look to capitalise on vulnerabilities in the user’s device, such as through attacking rooted or jailbroken devices or outdated OS security, or by installing malware
- Session risks: this involves would-be thieves taking advantage of insecure internet connections, employing SMS forwarding techniques or taking over a user’s mobile account
What techniques do hackers use?
Broadly, cybercriminals employ four key techniques to help them break into an app and steal valuable customer data. These include:
- Searching for security vulnerabilities through static and dynamic analysis of an app
- Attempting to hack applications by introducing malicious code during runtime of an app
- Deploying dangerous malware that is capable of stealing customer credentials
- Eavesdropping on apps on unsecure devices, such as rooted or jailbroken smartphones, to capture personal details through keylogging or screenshot procedures
How to protect your apps
Fortunately, the ways of combating this growing breed of cybercriminals are evolving in a similar manner to the threats themselves. Below, we have listed what we recommend as the key methods of making mobile payment apps secure from external attacks.
App hardening, such as that offered by Promon SHIELDTM, involves inserting code into an app which makes it self-defending. This approach is a hugely effective one, as it means that regardless of any security vulnerabilities in a user’s device or internet connection, the app itself is able to fight off any external intrusions. This also reduces the need for holistic static and dynamic testing of apps.
Creating a secure software keychain inside your app. In most circumstances, software keychains are provided by the OS of the smartphone or mobile device. However, organisations should realise that it’s now possible to implement a software keychain inside the application itself, which enables a higher level of security by ensuring the all-important cryptographic key remains inside the app itself.
Encourage best practice amongst users. As mobile users tend to be technology-savvy, encouraging them to be as careful as possible in how they use their mobile apps is also essential. Some recommendations include:
- Only download mobile apps from official app stores
- Ensure that phone settings do not allow for the download and installation of unapproved apps
- Ensure that transactions are secure when using mobile apps, by making sure that banks, retailers and credit card providers have safeguarded their apps against external threats
- Avoid mobile payments over unsecured public Wi-Fi connections