Most people view the new PSD2 legislation as the “open banking legislation.” However, PSD2, or more specifically its RTS (regulatory technical standards), defines much more: a range of requirements on digital banking security. These requirements concern both banks and third parties. One subject that stands out among them is mobile application security.
Hardening the Fragile Mobile Runtime
Mobile apps are under the regulator’s scrutiny for a good reason. Any security-related code, such as the cryptography behind SCA (strong customer authentication) or the code that secures network communication, runs inside a mobile operating system such as iOS or Android. While Apple and Google do their best to build secure software, attackers regularly find ways to bypass the system’s security features. The general availability of jailbreak and rooting tools, as well as the rise of Android mobile malware, is a living testament to this.
When running on a vulnerable OS, an app can be manipulated by an attacker (for example via mobile malware, or via techniques such as “trust-jacking”) who is either:
- armed with a rooting framework (and hence able to penetrate the sandboxing features of the mobile OS, even on devices that were not previously rooted by the user), or
- merely misusing commonly available system interfaces, such as the ability to install custom keyboards or screen readers in the system.
As a result, mobile apps with high security requirements cannot rely on the OS security features alone. Instead, they need to protect themselves with advanced obfuscation, app integrity checks and proactive anti-tampering features.
These sophisticated security features are sometimes called RASP (runtime application self-protection) or, in more human terms, “App Shielding”.
Apps protected with App Shielding can mitigate a whole range of sophisticated attacks and weaknesses, such as:
- Malware attacks
- Vulnerabilities related to rooting/jailbreak
- Debugger connection
- Code or Framework injection
- Application repackaging and app integrity breaches
- Malicious screen readers or untrusted keyboards
- Overlay attacks
- Man-in-the-app and man-in-the-middle scenarios
- Extraction of sensitive embedded keys (addressed with white-box cryptography)
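The categories above map onto concrete platform checks. The Android class below is an added example, not code from the original article or from any App Shielding product; the package name, the pinned certificate hash, the keyboard allow-list and the root-indicator paths are assumptions or placeholders. It shows only the detection side (debugger, root indicators, repackaging, untrusted keyboard, accessibility services, overlay/capture hardening); a real product layers obfuscation and anti-tampering on top so that these checks cannot simply be patched out.

```java
// Added example (not from the original article or any App Shielding product).
// Runtime self-checks built from public Android APIs only. Package name, pinned
// certificate hash, IME allow-list and su paths are assumptions/placeholders.
package com.example.selfcheck;

import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.Debug;
import android.provider.Settings;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;

import java.io.File;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public final class RuntimeSelfCheck {

    // Hex SHA-256 of the release signing certificate, fixed at build time (placeholder).
    private static final String EXPECTED_CERT_SHA256 = "PLACEHOLDER_RELEASE_CERT_SHA256";

    // Keyboards the bank's policy accepts (assumed allow-list; adjust per policy).
    private static final List<String> TRUSTED_IME_PACKAGES = Arrays.asList(
            "com.google.android.inputmethod.latin", "com.android.inputmethod.latin");

    // Paths whose presence commonly indicates a rooted device (heuristic, not exhaustive).
    private static final String[] SU_PATHS = {
            "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"};

    private RuntimeSelfCheck() {}

    /** Runs every check and returns human-readable findings; an empty list means nothing found. */
    public static List<String> run(Context ctx) {
        List<String> findings = new ArrayList<>();
        if (Debug.isDebuggerConnected()) findings.add("debugger attached");
        if (hasRootIndicators()) findings.add("root indicators present");
        if (!signingCertMatches(ctx)) findings.add("signing certificate mismatch (repackaged build?)");
        if (!defaultKeyboardTrusted(ctx)) findings.add("untrusted keyboard is the default IME");
        if (accessibilityServicesEnabled(ctx)) findings.add("accessibility services enabled (screen reader / overlay risk)");
        return findings;
    }

    /** Rooting: test-keys builds and well-known su binaries. */
    static boolean hasRootIndicators() {
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) return true;
        for (String path : SU_PATHS) {
            if (new File(path).exists()) return true;
        }
        return false;
    }

    /** App integrity / repackaging: compare the APK's signing certificate with the pinned hash. */
    static boolean signingCertMatches(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES); // API 28+
            for (Signature sig : info.signingInfo.getApkContentsSigners()) {
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(sig.toByteArray());
                if (toHex(digest).equalsIgnoreCase(EXPECTED_CERT_SHA256)) return true;
            }
        } catch (Exception e) {
            // fall through: any failure is treated as a mismatch (fail closed)
        }
        return false;
    }

    /** Untrusted keyboards: the default IME id has the form "package/.ServiceClass". */
    static boolean defaultKeyboardTrusted(Context ctx) {
        String ime = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.DEFAULT_INPUT_METHOD);
        if (ime == null) return false;
        String pkg = ime.contains("/") ? ime.substring(0, ime.indexOf('/')) : ime;
        return TRUSTED_IME_PACKAGES.contains(pkg);
    }

    /** Screen readers: any enabled accessibility service can read the UI and inject events. */
    static boolean accessibilityServicesEnabled(Context ctx) {
        AccessibilityManager am = (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<AccessibilityServiceInfo> enabled =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        return enabled != null && !enabled.isEmpty();
    }

    /** Overlay / capture mitigation for sensitive screens: block screenshots and obscured touches. */
    public static void hardenWindow(Activity activity) {
        activity.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
        activity.getWindow().getDecorView().setFilterTouchesWhenObscured(true);
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Call `RuntimeSelfCheck.run(context)` early in the login or payment flow and feed the findings into the app’s risk policy (block, step up authentication, or report to fraud detection), and call `hardenWindow(activity)` on screens that display or collect credentials. Each check here is a plain Java method and therefore easy for a rooted attacker to locate and patch, which is exactly why the article pairs such checks with obfuscation and anti-tampering.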
Compliance with PSD2 Regulatory Requirements
App Shielding not only makes your app more secure, it is also a critical requirement for PSD2 compliance. Let’s quote the final version of the RTS to illustrate why:
2. Payment service providers shall adopt security measures, where any of the elements of strong customer authentication or the authentication code itself is used through a multi-purpose device (note: such as mobile phone or tablet) to mitigate the risk which would result from that multi-purpose device being compromised.
3. For the purposes of paragraph 2, the mitigating measures shall include each of the following:
- a) the use of separated secure execution environments through the software installed inside the multi-purpose device;
- b) mechanisms to ensure that the software or device has not been altered by the payer or by a third party;
- c) where alterations have taken place, mechanisms to mitigate the consequences thereof.
This excerpt implies that banks are responsible for implementing security measures that make sure the mobile device has not been altered, that the app has not been modified at rest or at runtime, and that the application cannot be tampered with by the payer or any other third party (whether for a malicious reason or not). App Shielding is a natural and the most straightforward way to cover this requirement.
Cost-Efficient Security Without the Hassle
The usual concern when implementing any new security feature is the complexity of integration and the impact on development resources. From this point of view, App Shielding seems to be an exception. App Shielding can be integrated into a mobile banking app automatically, without the need for programming, and with close-to-zero impact on development resources and the project timeline.
Of course, if the app developer decides to make more of the App Shielding features, that is possible too. An “App Shielding SDK” can be integrated into the mobile banking app later on to allow precise handling of selected problematic scenarios or to integrate with a fraud detection system.
We have already brought you case studies of how Raiffeisenbank uses App Shielding in their new Mobile eKonto app, or how MONETA Money Bank makes their best-in-the-market mobile banking app even more secure with App Shielding.
But it does not stop there. What we are seeing is that almost every bank we talk to is considering deploying App Shielding in their mobile apps, or already has App Shielding in their “security repertoire” (either in production or under development). App Shielding is therefore becoming a de facto standard in mobile banking security.
We believe that in a year, every mobile banking app will be protected with this type of runtime protection. And it is a good thing. The digital banking ecosystem will become safer.