Securing Mobile Applications: Lessons from a Bank’s Security Assessment
Introduction
The rapid growth of mobile banking apps has created new opportunities for financial institutions to reach their customers. However, this increased exposure also raises significant security concerns. In this article, we will discuss the key takeaways from a comprehensive security assessment conducted by Cossack Labs on a bank’s mobile application.
Security Threats Identified
The security assessment revealed several vulnerabilities in the app, including:
- Phishing attacks: The app was vulnerable to phishing attacks, which could compromise user credentials.
- API abuse: The API used by the app was not properly secured, making it susceptible to unauthorized access and manipulation.
- Unauthorized redistribution: The app allowed for unauthorized redistribution of sensitive information.
Recommendations for Improvement
The security team proposed a range of recommendations to address these issues, including:
Secure Coding Practices
- Improving secure coding practices to prevent common web application vulnerabilities such as SQL injection and cross-site scripting (XSS).
- Implementing additional security controls to protect against malware and other types of threats.
Anti-Fraud Measures
- Enhancing the anti-fraud system by capturing more events from the application, including attestation checks, user events, and system events.
- Introducing reverse engineering protections to make debugging and decompilation more difficult.
User Education and Support
- Educating users on how to identify real applications and providing a bank support line for quickly blocking accounts.
- Enhancing device binding logic to detect when a user switches between different phones or when several users use the same phone.
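Both the event-capture recommendation and the device-binding recommendation come down to the same thing: the app reports login events (device identifier, attestation result, user, time) and the anti-fraud backend turns them into signals. The following is an added example, not Cossack Labs' or the bank's code; the event schema, the sample events and the threshold of two users per device are assumptions made for illustration.

```python
"""Device-binding checks over a constructed stream of mobile-app login events.

Added example (not the bank's or Cossack Labs' code). The LoginEvent schema,
the sample data and MAX_USERS_PER_DEVICE are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LoginEvent:
    user_id: str
    device_id: str         # stable per-install identifier reported by the app (assumed)
    attestation_ok: bool   # result of the platform attestation check (assumed field)
    ts: datetime


# Constructed sample events, not real data.
SAMPLE_EVENTS = [
    LoginEvent("alice", "dev-A1", True, datetime(2024, 3, 1, 9, 0)),
    LoginEvent("alice", "dev-A1", True, datetime(2024, 3, 2, 9, 5)),
    # alice appears on a second phone that also fails attestation
    LoginEvent("alice", "dev-B7", False, datetime(2024, 3, 2, 9, 20)),
    LoginEvent("bob", "dev-C3", True, datetime(2024, 3, 2, 10, 0)),
    # three different accounts log in from the same phone
    LoginEvent("carol", "dev-C3", True, datetime(2024, 3, 2, 10, 30)),
    LoginEvent("dave", "dev-C3", True, datetime(2024, 3, 2, 11, 0)),
]

# Assumed policy: more than this many distinct accounts on one device is suspicious.
MAX_USERS_PER_DEVICE = 2


def evaluate_bindings(events, max_users_per_device=MAX_USERS_PER_DEVICE):
    """Replay events in time order and emit (signal, user_id, device_id) tuples.

    Signals:
      attestation_failed   - the platform attestation check did not pass
      new_device_for_user  - a user with an existing binding shows up on another device
      shared_device        - more distinct users than allowed on the same device
    """
    signals = []
    known_devices = defaultdict(set)     # user_id  -> device_ids already bound
    users_per_device = defaultdict(set)  # device_id -> user_ids seen on it
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.attestation_ok:
            signals.append(("attestation_failed", ev.user_id, ev.device_id))
        if known_devices[ev.user_id] and ev.device_id not in known_devices[ev.user_id]:
            signals.append(("new_device_for_user", ev.user_id, ev.device_id))
        known_devices[ev.user_id].add(ev.device_id)
        users_per_device[ev.device_id].add(ev.user_id)
        if len(users_per_device[ev.device_id]) > max_users_per_device:
            signals.append(("shared_device", ev.user_id, ev.device_id))
    return signals


if __name__ == "__main__":
    for signal, user, device in evaluate_bindings(SAMPLE_EVENTS):
        print(f"{signal:22} user={user:6} device={device}")
```

The signals are deliberately kept separate rather than collapsed into one "fraud" verdict: a new device with a clean attestation is a normal phone upgrade and warrants a step-up check, while a new device that also fails attestation is the combination the anti-fraud system should weigh more heavily.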
Advanced Security Improvements
The security team created a list of advanced security improvements for upcoming app releases, addressing application security, operations security, and regulatory compliance. These included:
- Following the Secure Software Development Life Cycle (SSDLC) to ensure secure coding practices throughout the development process.
- Implementing a Vulnerability Disclosure Policy to encourage responsible disclosure of vulnerabilities by external parties.
- Using security.txt to cooperate with security researchers and receive early notifications of potential security issues.
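A security.txt file is a small plain-text file served at /.well-known/security.txt (RFC 9116) that tells researchers where to report a finding. The following is an added illustration, not the bank's actual file; the domain, addresses and dates are placeholders.

```text
# Placeholder security.txt for an illustrative bank domain (added example, not the bank's file).
# Served at https://bank.example/.well-known/security.txt
Contact: mailto:security@bank.example
Contact: https://bank.example/security/report
Expires: 2025-12-31T23:59:59Z
Encryption: https://bank.example/security/pgp-key.txt
Preferred-Languages: en
Canonical: https://bank.example/.well-known/security.txt
Policy: https://bank.example/security/vulnerability-disclosure-policy
```

Contact and Expires are the two required fields; Policy is the natural place to point at the Vulnerability Disclosure Policy from the previous recommendation, and Expires should be kept within a year so a stale contact does not silently swallow reports.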
Conclusion
The security assessment highlights the importance of prioritizing security in mobile applications, especially in the fintech sector. Regular security assessments and ongoing security improvements are crucial to prevent attacks and protect sensitive information. By following these recommendations and staying up-to-date with the latest security best practices, financial institutions can ensure the integrity and trustworthiness of their mobile banking apps.