Mobile Application Security
The Payment Services Directive 2 (PSD2) is the regulatory standard that payment service providers must follow and build into their processes to deliver secure and efficient payments. A&B Money provides apps to its customers through Google Play and the Apple App Store, and these apps are directly affected by PSD2 under its requirements for Common and Secure Communication (CSC).
To comply with PSD2, A&B Money must update the security of its mobile apps to meet the directive's requirements. The central aim of PSD2 is to protect consumers and make the use of payment services safer. To meet these requirements, A&B Money adds security capabilities to its mobile apps that protect against known and unknown threats on users' devices. At the same time, the mobile banking app must be able to detect when it is installed on a risky device and block access until those risks have been remediated.
Security controls that must be implemented in every A&B Money app:
- Devices on which the user has obtained privileged access to the operating system (rooted or jailbroken devices) are not permitted to access the app. This reduces the risk that a malicious party can reach service users' sensitive information or circumvent the security measures provided by the service provider.
- Devices running obsolete operating systems are not permitted. Serious vulnerabilities in outdated OS versions are regularly announced by international security agencies, and some of them affect every user who accesses the application from such an OS. For vulnerabilities with a narrower impact, the service provider should apply proportionate measures to mitigate the risk to itself and to service users, such as notifying affected users, lowering transaction limits and strengthening identity verification.
- The application requests access to resources or services on the user's device (application permissions) only as needed, and permissions are reviewed regularly to prevent violations of users' privacy rights.
- Security-critical source code, such as money-transfer and authentication logic, is protected against extraction from the application, reducing the risk that a malicious party modifies it.
- The application is protected against the injection of sensitive information or malicious code (tampering and repackaging).
- Files holding important information on the user's mobile device are stored encrypted, to protect customers from significant loss of that information.
- Users are not permitted to run versions of the application older than the minimum version specified by the service provider, so that every running copy of the application meets the provider's security standard.
- Distributed denial-of-service (DDoS) attacks at the network layer are mitigated so that the system cannot be rendered unable to provide service.
- Data is protected against interception or alteration in transit (man-in-the-middle attacks) by verifying the server's identity with certificate pinning or an equivalent method, enforcing a minimum TLS version, and transmitting data only over secure protocols.
- Theft of customer identity through session hijacking, and capture of input by keyloggers, is prevented in the mobile app.
- Unauthorized access to the host (server) through attacks such as SQL injection, local file inclusion or directory traversal is prevented, reducing the risk of information leakage and system compromise.
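The pinning and TLS rules in the list above, as an added example (not A&B Money's own code): an OkHttp client for Android that pins the API server's public key and refuses anything below TLS 1.2. The host name and the two pin values are placeholders, and OkHttp is assumed as the HTTP library.

```java
import java.util.Collections;
import java.util.concurrent.TimeUnit;
import okhttp3.CertificatePinner;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.TlsVersion;

/**
 * Builds the HTTP client used for every call to the payments API.
 *  - Pins the server's public key (SHA-256 of the SPKI), so a certificate issued
 *    by any other CA, even one the device trusts, is rejected.
 *  - Restricts connections to TLS 1.2/1.3 with a restricted cipher-suite set, so
 *    a downgrade attempt fails instead of silently succeeding.
 *  - Offers no CLEARTEXT spec, so a plain http:// URL cannot connect at all.
 */
public final class PinnedClientFactory {

    // Assumed host name; replace with the real API host.
    static final String API_HOST = "api.example.com";

    // Placeholder pins (32 zero bytes each). Compute real values with:
    //   openssl x509 -in leaf.pem -pubkey -noout | openssl pkey -pubin -outform der \
    //     | openssl dgst -sha256 -binary | base64
    // Pin the current key AND a backup key, so a routine key rotation does not
    // lock every installed copy of the app out of the service.
    static final String CURRENT_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBA=";

    private PinnedClientFactory() {}

    public static OkHttpClient create() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, CURRENT_PIN)
                .add(API_HOST, BACKUP_PIN)
                .build();

        // RESTRICTED_TLS already limits cipher suites; pin the protocol versions too.
        ConnectionSpec tls12Plus = new ConnectionSpec.Builder(ConnectionSpec.RESTRICTED_TLS)
                .tlsVersions(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
                .build();

        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .connectionSpecs(Collections.singletonList(tls12Plus))
                .connectTimeout(10, TimeUnit.SECONDS)
                .build();
    }
}
```

CertificatePinner runs only after the platform's normal chain validation succeeds, so it narrows which trusted certificates are accepted rather than replacing validation. Pin the SPKI hash instead of the whole certificate so a renewal that keeps the same key does not break the app, ship the next key's pin in an app update before that key goes live, and treat a pinning failure as a possible man-in-the-middle event worth reporting to the backend. On Android 7.0 and later the same pins can alternatively be declared in a network_security_config.xml pin-set with an expiration date.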
Screen overlay is an Android-specific issue. "Draw over other apps" (SYSTEM_ALERT_WINDOW) is a special permission granted to Android apps that lets them appear on top of another app's screen. Many apps use it to enhance the user experience, but a malicious app can use the same permission to cover a banking app's login or confirmation screen with a fake one and capture credentials or hijack taps.
A&B Money takes privacy seriously, including how we handle personally identifiable information (PII) accessed through the A&B Money app. We block the A&B Money app from operating on rooted or jailbroken devices.
Memory corruption bugs are a mainstay of attackers. This class of bug results from a programming error that causes the program to access an unintended memory location. Under the right conditions, attackers can exploit this behavior to hijack the vulnerable program's execution flow.
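Added example, not code from the page or from A&B Money: a hypothetical Android transfer-confirmation screen that blocks screenshots and screen mirroring and refuses touches that arrive through an overlay. The class, layout and view ids are assumed names, and compileSdk 29 or later is assumed for the partial-obscure flag.

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.WindowManager;
import android.widget.Button;
import android.widget.Toast;

/**
 * Transfer-confirmation screen hardened against two screen-level attacks:
 *  1. Screenshots, screen recording and mirroring of the sensitive screen
 *     (FLAG_SECURE).
 *  2. Tapjacking: another app using the "draw over other apps" permission to
 *     cover this screen and trick the user into confirming, or to steal taps.
 */
public class ConfirmTransferActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Set before setContentView: the window is treated as secure content, so
        // the system refuses screenshots, screen recording and output to
        // non-secure displays (screen mirroring).
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.activity_confirm_transfer);   // assumed layout

        Button confirm = findViewById(R.id.confirm_button);   // assumed view id

        // Built-in defence: the framework drops touches while this view is
        // fully covered by another window.
        confirm.setFilterTouchesWhenObscured(true);

        // Partial overlays (Android 10+) are only flagged, not dropped, so
        // inspect the event ourselves and refuse the tap.
        confirm.setOnTouchListener((v, event) -> {
            if (isObscured(event)) {
                if (event.getActionMasked() == MotionEvent.ACTION_DOWN) {
                    Toast.makeText(this,
                            "Another app is covering the screen. Close it and try again.",
                            Toast.LENGTH_LONG).show();
                }
                return true;    // consume the event: the click listener never fires
            }
            return false;       // normal touch, let the click proceed
        });
        confirm.setOnClickListener(v -> submitTransfer());
    }

    /** True when the touch arrived through a window drawn over this one. */
    static boolean isObscured(MotionEvent event) {
        int flags = event.getFlags();
        return (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
            || (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
    }

    private void submitTransfer() {
        // Hand the confirmed transfer back to the calling screen.
        setResult(RESULT_OK);
        finish();
    }
}
```

Legitimate system windows (a toast, the notification shade) can also set the obscured flags, so the screen tells the user what happened instead of failing silently. FLAG_SECURE should be applied to every screen that shows account numbers, one-time codes or balances, not only to the confirmation step.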
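The root/jailbreak, obsolete-OS and minimum-app-version rules above, as an added Android example (not A&B Money's code). The policy thresholds, the su path list and the class names are assumptions; an iOS build needs the equivalent jailbreak checks.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/** Device posture checks run before the app shows its login screen. */
public final class DevicePosture {

    // Policy values are assumptions for this example.
    static final int MIN_SDK_ALLOWED = Build.VERSION_CODES.O;   // Android 8.0
    static final long MIN_APP_VERSION_CODE = 120L;

    // Well-known locations of the su binary installed by rooting tools.
    static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
        "/data/local/xbin/su", "/data/local/bin/su", "/system/sd/xbin/su",
        "/system/bin/failsafe/su", "/data/local/su", "/vendor/bin/su"
    };

    private DevicePosture() {}

    /** Reasons the device is not acceptable; an empty list means the device passes. */
    public static List<String> findings(Context ctx) {
        List<String> out = new ArrayList<>();
        if (isRooted()) out.add("rooted_device");
        if (Build.VERSION.SDK_INT < MIN_SDK_ALLOWED) out.add("obsolete_os");
        if (appVersionCode(ctx) < MIN_APP_VERSION_CODE) out.add("obsolete_app");
        return out;
    }

    public static boolean isRooted() {
        return hasSuBinary() || isTestKeysBuild() || isSystemWritable();
    }

    static boolean hasSuBinary() {
        for (String p : SU_PATHS) if (new File(p).exists()) return true;
        return false;
    }

    /** Custom ROMs are usually signed with the public AOSP test keys. */
    static boolean isTestKeysBuild() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    /** A system partition remounted read-write is a strong rooting signal. */
    static boolean isSystemWritable() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/mounts"))) {
            String line;
            while ((line = r.readLine()) != null) {
                if (mountIsWritableSystem(line)) return true;
            }
        } catch (IOException ignored) {
            // Unreadable /proc/mounts gives no signal either way.
        }
        return false;
    }

    /** Parses one /proc/mounts line: "<device> <mountpoint> <fstype> <options> 0 0". */
    static boolean mountIsWritableSystem(String line) {
        String[] f = line.split(" ");
        if (f.length < 4) return false;
        String mountPoint = f[1];
        // "/" is included because system-as-root devices mount the system image there.
        boolean systemPartition = mountPoint.equals("/system")
                || mountPoint.equals("/vendor") || mountPoint.equals("/");
        if (!systemPartition) return false;
        for (String opt : f[3].split(",")) if (opt.equals("rw")) return true;
        return false;
    }

    static long appVersionCode(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(ctx.getPackageName(), 0);
            return Build.VERSION.SDK_INT >= Build.VERSION_CODES.P
                    ? info.getLongVersionCode() : info.versionCode;
        } catch (PackageManager.NameNotFoundException e) {
            return 0L;   // cannot happen for our own package; fail closed anyway
        }
    }
}
```

These checks are heuristics that a determined user can patch out of the APK, so a banking app should repeat them in native code and back them with server-side attestation (Google's Play Integrity API on Android, App Attest on iOS). The minimum app version in particular belongs on the server as well: the API should reject requests carrying a client version below the floor, whatever the client reports about itself.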
Secure Storage + Device Binding
Secure storage is used to hold sensitive information such as passwords, keys and certificates. Everything in secure storage is kept in encrypted form, and each application can access only its own secure storage.
Identify the possible entry points for untrusted input, then trace from those locations to see whether the data reaches potentially vulnerable functions. Identify known dangerous library and API calls (e.g., SQL queries) and check whether unchecked input reaches them.
Detect when the application is running in a compromised environment and take preventive action (e.g., terminate the application). Disallow the use of non-standard or unofficial keyboards within the application.
Assistive technologies such as screen magnifiers, braille output devices, on-screen keyboards and voice recognition should be detected, since the accessibility services behind them can read the content of sensitive screens and inject input.
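The secure storage and device binding described above, as an added example (not A&B Money's code): small secrets are encrypted with an AES-256-GCM key generated inside the Android Keystore, where the key material never leaves the device, so the stored ciphertext is useless if copied to another phone. The key alias, the 30-second authentication window and the associated data are assumptions.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Seals small secrets (session or refresh tokens) with a keystore-resident key.
 * Because the key cannot be exported, the resulting blob is bound to this device.
 */
public final class SecureStore {

    static final String KEY_ALIAS = "abm.session.v1";   // assumed alias
    static final String KEYSTORE = "AndroidKeyStore";
    static final int GCM_TAG_BITS = 128;
    static final int GCM_IV_BYTES = 12;                  // IV length the keystore generates

    private SecureStore() {}

    static SecretKey loadOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        KeyStore.Entry existing = ks.getEntry(KEY_ALIAS, null);
        if (existing instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) existing).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .setRandomizedEncryptionRequired(true)   // keystore picks a fresh IV each time
                // The key is usable only within 30 s of the user unlocking with their
                // device credential; generation fails if no secure lock screen is set.
                // (Deprecated on API 30+ in favour of setUserAuthenticationParameters.)
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationValidityDurationSeconds(30)
                .build());
        return kg.generateKey();
    }

    /** Returns iv || ciphertext || tag. */
    public static byte[] seal(byte[] plaintext, byte[] aad) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, loadOrCreateKey());   // no IV supplied: keystore generates it
        c.updateAAD(aad);
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    public static byte[] open(byte[] sealed, byte[] aad) throws Exception {
        if (sealed.length < GCM_IV_BYTES + GCM_TAG_BITS / 8) {
            throw new IllegalArgumentException("sealed blob too short");
        }
        byte[] iv = new byte[GCM_IV_BYTES];
        System.arraycopy(sealed, 0, iv, 0, GCM_IV_BYTES);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, loadOrCreateKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(aad);
        // Throws AEADBadTagException if the blob or the AAD was modified.
        return c.doFinal(sealed, GCM_IV_BYTES, sealed.length - GCM_IV_BYTES);
    }
}
```

Pass something that identifies the context as AAD (for example the customer id bytes) so a blob sealed for one account cannot be replayed for another. Callers must catch UserNotAuthenticatedException from Cipher.init and send the user through the device credential or biometric prompt before retrying. The same pattern maps to the iOS Keychain with a kSecAttrAccessible value that excludes backups.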
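The keyboard and accessibility checks above, as an added example (not A&B Money's code): identify the keyboard the user has selected and list the accessibility services that are enabled. The allow-list of keyboard packages is an assumption.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.ComponentName;
import android.content.Context;
import android.provider.Settings;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Detects third-party keyboards and accessibility services that can observe or inject input. */
public final class InputEnvironment {

    // Allow-list of keyboard packages (assumed; adjust to the bank's policy).
    static final Set<String> TRUSTED_IMES = new HashSet<>(Arrays.asList(
        "com.google.android.inputmethod.latin",   // Gboard
        "com.samsung.android.honeyboard",          // Samsung Keyboard
        "com.android.inputmethod.latin"            // AOSP keyboard
    ));

    private InputEnvironment() {}

    /** Package name of the keyboard the user currently has selected, or null. */
    public static String currentKeyboardPackage(Context ctx) {
        String ime = Settings.Secure.getString(ctx.getContentResolver(),
                                               Settings.Secure.DEFAULT_INPUT_METHOD);
        return keyboardPackageFromIme(ime);
    }

    /** DEFAULT_INPUT_METHOD is a flattened ComponentName such as "pkg/.ImeService". */
    static String keyboardPackageFromIme(String ime) {
        if (ime == null) return null;
        ComponentName cn = ComponentName.unflattenFromString(ime);
        return cn == null ? null : cn.getPackageName();
    }

    public static boolean keyboardIsTrusted(Context ctx) {
        String pkg = currentKeyboardPackage(ctx);
        return pkg != null && TRUSTED_IMES.contains(pkg);
    }

    /**
     * Enabled accessibility services: screen readers, magnifiers, braille bridges,
     * voice control, and also the automation tools banking malware abuses to read
     * screens and tap buttons.
     */
    public static List<String> enabledAccessibilityServices(Context ctx) {
        AccessibilityManager am =
            (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> out = new ArrayList<>();
        if (am == null) return out;
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            out.add(info.getId());   // "pkg/.ServiceClass"
        }
        return out;
    }
}
```

Blocking every accessibility service would lock out users who depend on them and conflicts with app-store accessibility policies, so the usual response is to warn, to mark the PIN and OTP fields as not important for accessibility, and to collect secrets through an in-app keypad rather than the system keyboard when the keyboard is not on the allow-list. Sensitive EditText fields should also set IME_FLAG_NO_PERSONALIZED_LEARNING so even a trusted keyboard does not learn from them.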
Debugger & VM Debugger Prevention
Anti-debugging is an anti-analysis technique for detecting whether a process is being debugged. Malware authors use many such techniques to prevent, or at least slow down, reverse engineers debugging their code, and protected applications use the same techniques in defence: a banking app that detects an attached debugger can refuse to run rather than let an attacker step through its authentication and transaction logic.
Runtime Protection – Integrity Check
Protected applications can defend themselves against runtime analysis and live attacks. Runtime protection mechanisms monitor the health of the application and of the environment it runs in, in real time. When a threat is detected, the application responds in a pre-programmed manner; possible reactions range from showing security alerts to terminating user sessions and the application itself. Runtime protection also helps secure communication between the mobile application and the server.
To prevent protected applications from running inside an emulator (a simulated environment), the emulator must first be reliably detected.
Obfuscation renames functions, methods and classes to less descriptive names. Additional techniques include removing debugging information such as types, source file names, parameter names and line numbers, and removing annotations.
Runtime protection actively detects malicious keylogging, screen readers, repackaged applications, debuggers, emulators, and jailbroken or rooted devices. It can then react by preventing screenshots, blocking screen mirroring, or triggering customized actions based on business policy (e.g., shutting the application down).
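The debugger checks from the previous section and the emulator detection described here, as one added Android example (not A&B Money's code). The Build-field heuristics and the scoring threshold are assumptions.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.os.Debug;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/** Debugger and emulator checks used by the runtime-protection layer. */
public final class RuntimeEnvironment {

    private RuntimeEnvironment() {}

    public static List<String> findings(Context ctx) {
        List<String> out = new ArrayList<>();
        if (isDebuggable(ctx)) out.add("debuggable_build");
        if (Debug.isDebuggerConnected()) out.add("java_debugger_attached");
        if (tracerPid() > 0) out.add("native_debugger_attached");   // gdb, lldb, ptrace-based tools
        if (isEmulator()) out.add("emulator");
        return out;
    }

    /** A release build must never ship with android:debuggable="true". */
    static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Reads TracerPid from /proc/self/status; non-zero means a process is ptrace()-attached. */
    static int tracerPid() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/status"))) {
            String line;
            while ((line = r.readLine()) != null) {
                int pid = parseTracerPid(line);
                if (pid >= 0) return pid;
            }
        } catch (IOException ignored) {
            // Fall through: no signal.
        }
        return 0;
    }

    /** Returns the pid from a "TracerPid:\t1234" line, or -1 for any other line. */
    static int parseTracerPid(String line) {
        if (!line.startsWith("TracerPid:")) return -1;
        try {
            return Integer.parseInt(line.substring("TracerPid:".length()).trim());
        } catch (NumberFormatException e) {
            return -1;
        }
    }

    static boolean isEmulator() {
        return isEmulatorBuild(Build.FINGERPRINT, Build.MODEL, Build.HARDWARE,
                               Build.PRODUCT, Build.MANUFACTURER, Build.BRAND, Build.DEVICE);
    }

    /**
     * Heuristics over Build fields. Each alone is weak (vendors reuse strings), so
     * signals are scored; a stock SDK emulator or Genymotion image scores 3 or more.
     */
    static boolean isEmulatorBuild(String fingerprint, String model, String hardware,
                                   String product, String manufacturer,
                                   String brand, String device) {
        int score = 0;
        if (fingerprint != null && (fingerprint.startsWith("generic")
                || fingerprint.contains("emulator"))) score++;
        if (model != null && (model.contains("google_sdk") || model.contains("Emulator")
                || model.contains("Android SDK built for x86"))) score++;
        if (hardware != null && (hardware.contains("goldfish")
                || hardware.contains("ranchu"))) score += 2;
        if (product != null && (product.contains("sdk") || product.contains("emulator")
                || product.contains("vbox"))) score++;
        if ("Genymotion".equals(manufacturer)) score += 2;
        if (brand != null && device != null && brand.startsWith("generic")
                && device.startsWith("generic")) score++;
        return score >= 2;
    }
}
```

Debug.isDebuggerConnected and the Build fields are trivial to hook from an instrumentation framework, which is why commercial runtime-protection SDKs repeat these checks in native code, read /proc/self/status through raw syscalls, and cross-check the result against server-side attestation. Treat a positive finding as a policy decision (log, degrade, or terminate) rather than a silent crash, so fraud teams can see how often it fires.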