Mobile banking apps: A guide to mitigating fraud

According to the American Banking Association, 48% of Americans favor banking via a mobile device, and 45% do so at least once a day. But mobile banking apps aren’t drawing the attention of users alone—threat actors and regulators are paying close attention too. And while the target can be any size, the cost of insecurity is always sizable.

So, let’s explore some common attack vectors, recent trends, and, most importantly, look at how you can strengthen your mobile app's security posture.

The biggest threats to your mobile banking app's security

While this certainly isn't an exhaustive list, it should give you a good idea of the kind of the threats—to both your mobile app and your end users—on the horizon.

• Mobile banking trojans are specialized malicious programs that steal login credentials and financial data from mobile banking apps. They can enter the app in various ways, including as app downloads. Once inside, they compromise the app's security.
• Fake banking apps imitate legitimate mobile banking apps to trick users into sharing their logins and sensitive financial information. They’re usually distributed through unofficial app stores or phishing websites.
• Man-in-the-middle (MitM) attacks involve the interception and manipulation of the communication between the app and its server on environments like public Wi-Fi networks.
• App overlay attacks (clickjacking) involve malicious actors overlaying deceptive elements over app buttons to trick users into performing unintended actions.
• Keylogging malware captures keystrokes and steals sensitive information like logins and personal details.
• Abuse of Android Debug Bridge (ADB), Magisk, Frida on a rooted device can be exploited by attackers to disable security mechanisms and perform malicious actions.
  
  

What makes banking apps an easy target?

1. Design flaws

Developing a mobile app is a feat in and of itself. Developing a mobile banking app, much less a secure one, is a different challenge altogether. Common mistakes include:

• Inadequate input validation: It allows attackers to inject malicious code.
• Weak session management: It results in unauthorized access to user accounts.
• Insufficient error handling: It can reveal sensitive information to potential attackers.
• Poorly implemented access controls: They lead to unauthorized actions within the app.
• Lack of secure coding practices: They leave the app vulnerable to various attacks.

And this really is just the tip of the iceberg. Design flaws abound in financial services apps, but these are the most common stumbling blocks. 

Read more: Addressing the OWASP Mobile Top 10 (2024)

2. Application deployment errors

Deployment issues—like build failures, unsupported app types, or timeouts during deployment—can leave apps exposed to multiple layers of attack.

3. Coding errors

Hackers exploit unauthorized code modifications to disable security and validation controls, bypassing licensing restrictions, inserting malware, and even changing purchasing requirements or ad displays in the app. They could also be used to release a cracked version of the app without any licensing and validation checks.

4. Relying on OS security

Much like most households rely solely on one lock on their door, it’s easy for app developers to assume the default operating system’s (OS) security features will be enough. The truth is that often it isn’t enough, not by a long stretch. You could compare it to a criminal who breaks into houses every day—a basic lock isn’t going to deter them, even if it’s a very well-made lock from a reputable manufacturer.

5. Cloned apps

Malicious actors are getting skilled at cloning apps, creating copies laced with malware, ready to steal data the moment they get a chance. It’s hard to detect such fake apps—meaning users suffer a poor user experience alongside data theft and your reputation takes a hit.

6. Android malware

Banking malware is increasingly targeting Android devices. These types of attacks increased by 32% in 2023. Malicious apps exploit accessibility service to capture and record screen and inject UI, stealing login credentials and financial data.

7. Supply chain surprises

Instead of reinventing the wheel, developers rely on third-party components, but it’s not unusual for these elements to have vulnerabilities. And when an ingredient in your app’s recipe is vulnerable, so is the app.

Criminals’ strategies are evolving, but they haven’t got the monopoly on change and innovation. So, next we’re looking at the important developments that define the best next steps, as well as where the industry might be headed next.

How mobile banking security is evolving

Digital banking is an exciting field right now. It’s home to some truly inventive approaches that fuel an exhilarating, fast-paced development cycle.

This is all great… as long as security advancements keep up with the innovation and stringent security regulations. Here are some important advancements through a security lens:

1. Open banking

The rapid adoption of open banking is allowing customers to securely share their financial information on their own terms with a provider of their choice. With your permission, users can choose to share their data with a third party, enabling them to better manage their finances or see all their accounts in one place. While this drives innovation in the financial sector (and new tools and apps are emerging all the time), sensitive data is at risk without supreme data protection and solid verification.

2. Digital wallets

Being able to pay with any card, while your wallet sits at home, is liberating for customers. And the COVID-19 pandemic saw a hyper-accelerated adoption of contactless payment methods. Biometric verification may make digital wallets feel very safe to the end user, but malware or cloned apps can intercept sensitive data. This can lead to identity theft or malicious actors stealing data.

3. Superapps

Swiss army knives of the app world, Superapps integrate multiple services under one single app and are appearing in the financial services sphere. But where there’s more functionality and more services, there’s potentially more data to be exposed—and all it takes is a single breach.

Security requirements for mobile banking apps

While we couldn't possibly cover all the relevant regulations, here's an overview that illustrates some of the ongoing changes:

1. PSD2, PSD3, and PSR

Many of you saw how the second payment services directive (PSD2) shook up mobile banking apps in the European Union (EU) via stricter regulations. It mandates multi-factor authentication for payments and account access, and sets stringent controls for data storage and secure communications. It also aimed to boost innovation by green-lighting open banking.

PSD2’s successor, PSD3, is on the way. It is expected to have a wider scope, touching on cryptocurrency, consumer protection, and emerging technologies, among other new technologies.

2. GDPR

In force since 2018, the General Data Protection Regulation (GDPR) aims to protect user data storage and usage, while making sure that users—instead of companies—are in control of their data. Its nuances include privacy by design, and the fact that businesses must request and receive user consent in order to collect, use, and move personal data.

3. Safe Apps and AppSec

In the Asia–Pacific region, countries like Singapore and India have regulations like the Safe Apps standard and the application security (AppSec) framework that focus on ensuring mobile app development is secure. They set out best practices across important aspects like authentication, authorization, data encryption, and secure coding.

Best practices to improve mobile banking app security

So, how can you keep competing and growing while ensuring robust protection of your business and your clients? For a strong app security posture, you need a more comprehensive approach.

1. Follow secure coding practices: The Open Web Application Security Project’s (OWASP’s) recommendations are a positive foundation for app security, but they’re not a silver bullet. They should be where your considerations start, not end.
2. Implement end-to-end encryption: This secure communication method encrypts all data transferred between two devices or systems and prevents any other parties from hacking or accessing that data.
3. Perform regular audits: Keep users and developers safe from potential security risks by conducting regular security audits. This will help protect your apps from any evolving cyber threats, maintain user trust, and comply with industry standards.
4. Release regular updates: Also known as patches, these updates will both fix known vulnerabilities and protect users from known threats.
5. Integrate authentication and authorization: This is crucial, so you can make sure only authorized users can access sensitive information or perform transactions. Without it, mobile banking apps are vulnerable to security breaches and data leaks, alongside other cyber threats.
6. Prevent tampering and protect IP: Mobile anti-tampering protects your mobile banking app against both static and dynamic modifications to the app like re-signing the app. It also helps protect your intellectual property and sensitive user data.
7. Follow regulatory standards: They play an essential role by setting standards that developers must adhere to. Regulations help make sure that your app meets an established level of data protection, privacy, and overall security. Demonstrable compliance is huge in terms of client trust and retention.
8. Invest in mobile app shielding: Empower your business with a patented, dynamic defense mechanism against reverse engineering and unauthorized code manipulation. This is a strategic choice for fortifying mobile apps against the growing sophistication of AI-driven threats.

Is secure development and detection enough?

It’s easy to think that secure coding will keep your app safe. It’s even tempting to imagine that robust detection will give you a chance to stop any attacks in their tracks.

But the reality is quite different.

It comes down to this: if you’re not adding extra layers of security to your development process, you’re putting the attack game on easy mode for cybercriminals.

What do those extra layers look like?

• Data encryption: It shields sensitive data in the app. Therefore it can help safeguard account details and API keys. This is important because it means that even if threat actors can get to it, they can’t use it.
• Code obfuscation: It scrambles code, meaning attackers struggle to get insight into how the app works because it becomes harder for them to work out how to exploit its vulnerabilities.

The case for multi-layered security

Mobile banking apps represent a win-win for banks and users. But data security is paramount, especially with new elements like open banking adding complexity.

To stay competitive, you need robust mobile banking app security solutions that go beyond the basics. A multi-layered defense, tackling the broad spectrum of challenges that the financial services sector faces should help you to:

• Achieve regulatory compliance without compromising on an excellent user experience.
• Shield vital, sensitive components like API keys, certificates, and user credentials.
• Guard against reverse engineering and protect your app's intellectual property.
• Keep user data secure and mitigate the escalating threat of mobile malware.