
Securing Financial & Enterprise Mobile Applications

Ever since Apple introduced the iPhone, we have seen dramatic changes in our personal and work lives. Mobiles and tablets have become an indispensable part of our everyday lives. Mobile usage trends and consumer behaviour are changing dynamically, thanks to rapid innovation in technology and mobile application development.

Financial companies & enterprises have started realizing the importance of mobilizing and empowering their customers & employees. While financial companies are using mobile as a tool to engage their customers and enhance their experience, enterprises are relying on tablets to increase employee productivity and operational efficiency.

Enterprises are deploying mobility solutions to give their employees quick access to information and to automate internal processes, which reduces manual errors and delays. However, for most enterprises, security remains a major concern and a continuing barrier to the effective implementation of a mobility strategy.

As financial companies & enterprises have begun mobilizing applications, employees have also started using their own devices to access data and complete their day-to-day tasks. On the other hand, customers are using their devices to access financial data & carry out banking transactions.

Enterprises are currently at a crossroads: they have yet to figure out the best way to manage data security, as the whole ecosystem is still in a nascent stage and only evolving. The key is to choose an implementation which will enhance user experience without compromising enterprise security.

Below are some of the top security threats faced by mobile applications:

Mobile attacks can happen at any of the following access points:

  • Browser
  • Apps
  • Malware
  • Network
  • Webserver
  • Database

Let us now look at a few cases based on the above-mentioned access points:

Browser

Client Side Injection

  • Applications using browser libraries such as HTML and XML are exposed to several risks, including device compromise and toll fraud

Phone

Insecure Data Storage

  • Data that is stored locally and that is synced to the cloud – the threats due to insecure data storage are 1) loss of confidential data 2) credential disclosure

App

Side Channel Data Leakage

This is seen when there are programming flaws, and also when platform features that would prevent leakage are disabled. It leads to privacy violations.

Reverse engineering of the code

  • This is a threat which is still evolving but definitely something to watch out for. If the application's code is reverse engineered, the attacker gains access to the flow of the application, which helps them create a duplicate version of it

Malware

Security Decisions Based on Untrusted Inputs

  • Malicious apps and client-side injections normally cause such attacks, which lead to loss of data (passwords, for example) and of privileges

Network

Improper Transport Layer Protection

  • Weakly encrypted data might lead to attacks like ‘Man In the Middle’ and tampering with data in transit, resulting in the loss of confidential data.
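As an added example (not code from the original post), the following Python snippet shows what "improper transport layer protection" looks like in a client's TLS configuration next to a hardened configuration, plus a small audit function that flags the weak settings and a certificate-pin check of the kind used to blunt Man-In-the-Middle attacks. The audit rules and the pinned fingerprint are assumptions made for this example; the DER bytes in the usage section are constructed sample data, not a real certificate.

```python
"""Transport-layer configuration audit for a mobile client (added example)."""
import hashlib
import ssl


def weak_context():
    """Insecure configuration: certificate validation off, hostname check off,
    any protocol version the library still supports. Built only so the audit
    below has something to flag; never ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate, self-signed or forged
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context():
    """Hardened configuration: system CA bundle, mandatory certificate and
    hostname verification, TLS 1.2 or newer only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings for an SSLContext; an empty list means the
    three checks pass. The rules are this example's own checklist."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions are permitted")
    return findings


def pin_matches(der_cert, expected_sha256_hex):
    """Certificate pinning: compare the SHA-256 of the server's DER-encoded
    certificate (as returned by SSLSocket.getpeercert(binary_form=True))
    with a fingerprint embedded in the app. A proxy presenting a different
    certificate, even one signed by a trusted CA, fails this check."""
    return hashlib.sha256(der_cert).hexdigest() == expected_sha256_hex.lower()


if __name__ == "__main__":
    print("weak:", audit_context(weak_context()))
    print("hardened:", audit_context(hardened_context()))
    # Constructed sample bytes standing in for a DER certificate.
    sample_der = b"\x30\x82\x01\x0a\x02\x01\x01"
    sample_pin = hashlib.sha256(sample_der).hexdigest()
    print("pin ok:", pin_matches(sample_der, sample_pin))
    print("pin bad:", pin_matches(sample_der + b"\x00", sample_pin))
```

In a real app the pinned fingerprint is checked after the handshake on the certificate returned by `getpeercert(binary_form=True)`, and the pin set should include a backup key so a routine certificate rotation does not lock users out.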

Network

Improper Session Handling

  • Sessions are much longer in mobile applications than in web applications, and mobile applications rely on HTTP cookies & SSO authentication. As a result, the chances of unauthorized access to applications, payments & licenses are high, which makes this one of the most serious threats

Webserver

Weak Server Side Controls

  • Backend services might not be configured properly, which typically affects the integrity of the data being transferred

Database

Poor Authorization and Authentication

  • When immutable values (UUID, IMEI, IMSI) are used as credentials in an app's code, the chances of it being compromised are high. Hence it faces the risk of unauthorized access & privilege escalation
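The two threats above, improper session handling and authentication built on immutable device values, share one fix on the server side: issue unpredictable, revocable session tokens and expire them on both an idle timeout and an absolute lifetime. The Python below is an added example written for this post, not the author's or any vendor's code. It assumes an in-memory dictionary standing in for the server's session database, an injectable `now` timestamp so the expiry rules can be exercised without waiting, and timeout values chosen for illustration. The `device_bound_token` function shows the anti-pattern the post warns about, purely so its predictability can be contrasted with the random tokens.

```python
"""Server-side session issuance and validation for a mobile backend (added example)."""
import hashlib
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies (assumed value)
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap regardless of activity (assumed value)


@dataclass
class Session:
    user_id: str
    issued_at: float
    last_seen: float


class SessionStore:
    """Holds server-side session state keyed by an opaque random token."""

    def __init__(self):
        self._sessions = {}

    def issue(self, user_id, now):
        # 256 bits from the OS CSPRNG: not derivable from any device property.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, now, now)
        return token

    def validate(self, token, now):
        """Return the user id for a live session, or None. Expired sessions
        are deleted on sight so a stale token can never be reused."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.issued_at > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user_id

    def rotate(self, token, now):
        """Swap the token after a privilege change (login, step-up auth, payment)
        so a token captured earlier does not carry the new privileges."""
        user = self.validate(token, now)
        if user is None:
            return None
        del self._sessions[token]
        return self.issue(user, now)

    def revoke(self, token):
        """Explicit logout or remote wipe: the token is dead immediately."""
        self._sessions.pop(token, None)


def device_bound_token(imei):
    """Anti-pattern: a 'token' derived from an immutable identifier. It is the
    same every time, anyone who learns the IMEI can recompute it, and it can
    never be expired or revoked without changing the device."""
    return hashlib.sha256(imei.encode()).hexdigest()


if __name__ == "__main__":
    store = SessionStore()
    t = store.issue("alice", 0.0)
    print("fresh token valid:", store.validate(t, 60.0) == "alice")
    print("after idle timeout:", store.validate(t, 60.0 + IDLE_TIMEOUT + 1))
    print("random tokens differ:", store.issue("bob", 0.0) != store.issue("bob", 0.0))
    # Constructed sample identifier, not a real device.
    print("device-derived tokens repeat:",
          device_bound_token("000000000000000") == device_bound_token("000000000000000"))
```

The idle timeout is what shortens the long-lived mobile session the post describes; the absolute lifetime bounds the damage from a token that stays active through continual use; rotation on privilege change is the counterpart of the session-fixation protection a web framework would give you for cookies.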

It is highly recommended to take adequate measures to safeguard an application from these threats before it is made available to customers & employees.

Based on our experience working with a vast client base across verticals, we will be sharing a few best practices to tackle these security issues in our upcoming blog post.

By Kiran Elengickal
To contact the author, mail to: kirane@rapidvaluesolutions.com
