Huawei AppGallery: Security Considerations For Releasing Mobile Banking Apps
Huawei, a global provider of ICT infrastructure and smart devices, has been in a negative spotlight lately. Many national security agencies have flagged this company as a potential security risk, with some countries imposing sanctions to impede Huawei’s operations. Banks are considered critical infrastructure in most states. As a result, they need to evaluate their approach to Huawei, especially in the context of smartphones and portable devices their customers use to access digital banking. At the same time, they cannot merely ignore Huawei because it is currently the biggest smartphone vendor with a global smartphone market share of approximately 20%.
The national security agencies are relatively vague in their recommendations. This may be intentional since providing industry-specific advice is complicated. As a result, banks and financial companies are often missing specific guidelines for dealing with Huawei-related questions. They often need to seek help and practical consulting from external cybersecurity experts.
The question they ask the most is the following:
Should we release our mobile banking to the Huawei AppGallery, and if we do, should we also invest in integrating Huawei Mobile Services (HMS)?
It is not easy to answer this question with confidence for various reasons. Besides considering the security of the Huawei ecosystem and potential privacy risks, one must also consider the cost impact of maintaining the mobile app on a third marketplace. On the other hand, it is also impossible to ignore the large user base with Huawei devices. Huawei is currently the largest smartphone vendor worldwide. Based on the claimed sales figures, we assume Huawei devices are here to stay.
While we frame our recommendation in the context of the ongoing global conversation concerning Huawei, we would like to point out that many of the suggestions we make are beneficial in general. Banks should consider them even if they do not plan to take any special precautions specific to Huawei devices.
After evaluating factors that we outline in the report, we recommend the following:
- Banks should release their applications to the Huawei AppGallery only if they are able to implement additional active in-app protection measures outlined below.
- When releasing apps to the Huawei AppGallery, banks must implement at least the following security measures:
a) Repackaging protection — Ensures application bundle integrity so that the app functionality cannot be modified using “at rest” approaches.
b) Runtime application self-protection (RASP) — Ensures the application cannot be tampered with at runtime by injecting foreign code via a debugger, native code hooks, or framework injection.
c) Anti-malware protection — Ensures that the application can actively detect and respond to a malware infection on the device.
d) User data protection hardening — Ensures that user data cannot leak through various channels, such as unencrypted connections (no TLS/SSL), accessibility services, custom keyboards, etc.
- Banks must assess the risks related to possible social and demographic profiling of their customer base by Huawei and evaluate the commercial trade-off between extending the app user base and sharing data with Huawei.
- Banks who decide to release an app on AppGallery should carefully consider their investment in implementing HMS. We suggest releasing the mobile banking app without HMS, accepting the loss of some functionality, in order to minimize both the amount of data shared with Huawei and the initial cost of the third-store overhead.
- Banks who decide to release an app on AppGallery should implement a quarterly security review procedure to closely monitor developments around Huawei, specifically for signs of fundamental technology (Kirin) or software quality (HMS) degradation, and to evaluate Common Vulnerabilities and Exposures (CVEs) found in the Huawei mobile ecosystem.
- Banks who decide to release an app on AppGallery should identify high-value targets in their customer base and meticulously monitor potential account breaches and other risks associated with their mobile devices.
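To make measures a) and b) above concrete, the following Android (Kotlin) snippet is an added illustration, not code from this report or from any bank's app: it pins the APK's signing certificate fingerprint to detect a repackaged build and performs basic runtime checks for an attached debugger, a debuggable build flag, or a loaded hooking framework. The constant EXPECTED_SIGNER_SHA256, the object name IntegrityChecks and the HOOK_MARKERS list are assumptions chosen for this example.

```kotlin
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.content.pm.Signature
import android.os.Build
import android.os.Debug
import java.io.File
import java.security.MessageDigest

// Added example: minimal in-app integrity checks covering items a) and b).
object IntegrityChecks {
    // Placeholder: replace with the SHA-256 fingerprint of the real release signing certificate.
    private const val EXPECTED_SIGNER_SHA256 =
        "0000000000000000000000000000000000000000000000000000000000000000"

    // Constructed list of substrings that commonly identify injected hooking libraries.
    private val HOOK_MARKERS = listOf("frida", "xposed", "substrate")

    // a) Repackaging check: a re-signed APK carries a different certificate than the pinned one.
    fun isSigningCertValid(context: Context): Boolean {
        val pm = context.packageManager
        val signers: Array<Signature>? = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNING_CERTIFICATES)
                .signingInfo?.apkContentsSigners
        } else {
            @Suppress("DEPRECATION")
            pm.getPackageInfo(context.packageName, PackageManager.GET_SIGNATURES).signatures
        }
        if (signers == null) return false
        val md = MessageDigest.getInstance("SHA-256")
        return signers.any { sig ->
            val hex = md.digest(sig.toByteArray()).joinToString("") { "%02x".format(it) }
            hex == EXPECTED_SIGNER_SHA256
        }
    }

    // b) RASP-style runtime checks: debuggable build, attached debugger, or hooking library in-process.
    fun isRuntimeTampered(context: Context): Boolean {
        val debuggable = (context.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0
        val debuggerAttached = Debug.isDebuggerConnected() || Debug.waitingForDebugger()
        // The app may read its own memory map; a hooking framework shows up as a mapped library.
        val hookLibLoaded = runCatching {
            File("/proc/self/maps").readLines().any { line -> HOOK_MARKERS.any { line.contains(it) } }
        }.getOrDefault(false)
        return debuggable || debuggerAttached || hookLibLoaded
    }

    // Gate to call at startup and before sensitive operations (login, payment signing).
    fun appIsTrustworthy(context: Context): Boolean =
        isSigningCertValid(context) && !isRuntimeTampered(context)
}
```

These client-side checks can themselves be hooked or patched out, so in practice they are paired with server-side attestation and obfuscation; the snippet shows only the in-app half.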