MONETA Money Bank Will Fortify Its Mobile Banking Runtime With App Shielding

There are only a couple of banks in the world that take their mobile banking app security as seriously as MONETA Money Bank does. The bank works on app security continuously, and it recently decided to make another essential improvement in this area by hardening its mobile banking app with App Shielding technology.

As a result, with its Smart Banka app, MONETA Money Bank will be the first bank in the Czech Republic that actively fights against a whole range of sophisticated attacks, such as:

  • Malware attacks
  • Vulnerabilities related to rooting / jailbreak
  • Debugger connection
  • Code or Framework injection
  • Application repackaging and app integrity breaches
  • Malicious screen readers or untrusted keyboards
  • Overlay attacks
  • Man-in-the-app and man-in-the-middle scenarios
  • Sensitive embedded key protection (white-box crypto)

Why Does App Shielding Matter?

We believe that App Shielding is a critical requirement for PSD2 compliance. Most people view the new PSD2 legislation as “open banking legislation.” However, PSD2 (or more specifically, the RTS) defines a whole range of requirements for digital banking security. In our opinion, it strongly implies that App Shielding is a necessary component of any mobile banking app. Why is that?

Let’s quote the final version of the RTS:

Chapter II
Article 9
2. Payment service providers shall adopt security measures, where any of the elements of strong customer authentication or the authentication code itself is used through a multi-purpose device, such as mobile phone or tablet, to mitigate the risk which would result from that multi-purpose device being compromised.
3. For the purposes of paragraph 2, the mitigating measures shall include each of the following:
- (a) the use of separated secure execution environments through the software installed inside the multi-purpose device;
- (b) mechanisms to ensure that the software or device has not been altered by the payer or by a third party;
- (c) where alterations have taken place, mechanisms to mitigate the consequences thereof.

This excerpt implies that banks are responsible for implementing security measures to make sure that the mobile device was not altered, that the app was not modified at rest or at runtime, and that the application cannot be tampered with by the payer or any other third party (for a malicious reason or not). App Shielding is a natural and the most straightforward way to cover this requirement.

We are happy to see that MONETA Money Bank takes continuous steps to stay compliant and, mainly, ahead of its cyber adversaries. And we are even happier that the bank decided to work on these topics with Wultra.