Mobile App Security

Importance of Mobile App Security

Developers understand the importance of mobile app security, but this is not universally understood. Beyond a rising rate of mobile fraud, there are several other reasons that financial institutions should take mobile app security seriously and commit to developing a comprehensive strategy.

Consumers need to be wary of the information they disclose and the data they download when surfing the internet, but business professionals need to be vigilant as well. Mobile devices are almost always on, always nearby you, and store astounding amounts of personal information as well as sensitive data and documents. This can make them a treasure-trove for attackers.

Mobile apps may be presumptuous in the permissions they ask for. Why might a weather app need access to your camera or microphone for example? And might an attacker find a vulnerability in that app that grants them access to the camera or microphone in order to conduct industrial espionage?
 

Mobile App Security Threats

Mobile applications connected to business brands are often targeted by fraudsters to either exploit their customers, their customers’ children, or attack the business itself. Should a mobile malware attack target a user’s device, the consequences could include:

• Account takeover
• Stolen login credentials
• Stolen and resold credit card details
• Unauthorized access to business networks
• Identity theft
• The iOS or Android device could spread malware to other devices
• SMS messages could be copied and scanned for private information
   

Benefits of Mobile App Security

Mobile applications generate a tremendous amount of data about us and our lives. So, ensuring apps create and use this information in a secure way is paramount. Otherwise, insecure applications are an easy route for a malicious act to steal and sell your personal information.

In addition, there are other mobile solutions that can deliver significant benefits.

• Identity Verification
  Identity verification helps prevent an attacker from stealing users’ identities and signing up for accounts under their name. A robust identity verification process validates that the user is who they say they are and helps prevent an attacker from committing fraud.
• Strong Authentication
  Account takeover is a common problem, and passwords are quickly becoming obsolete. Due to large data breaches of the last ten years, many username password combinations are already available for sale on the Dark Web. Strong authentication methods ensure that only legitimate users are accessing their accounts and attackers can’t log-in for nefarious purposes.
• Biometrics
  Biometrics  are a secure and convenient way to log-into mobile apps using data derived from your own body. There is no fool-proof way to determine who is entering a password. The app developer can only determine whether the password entered matches the password key in the back-end of the system. Biometrics includes an additional indicator of trust, because it validates the individual offering the biometric sample for verification. Because the fingerprint, face recognition, or iris scan is presented live and connected to the in-the-flesh user.
   

Mobile App Security Best Practices

The best practices for counteracting mobile malware and establishing a strong mobile application security strategy differ depending on whether we are discussing consumers or businesses.

Business Best Practices

Businesses have multiple ways to reduce their risk of mobile attack and data breaches, including:

• Deliver Digital Security Training: Train your team to recognize security issues and avoid risky behavior, spot phishing, and other cybersecurity strategies. Then keep their skills sharp with unannounced test phishing emails, texts, and other communications. They should appear in all ways like a typical phishing message, but if the employee clicks, they are automatically registered for the data security training module. Verizon reported that the majority of phishing attempts on Mobile are SMS messages and social messaging, as opposed to email, so it is important to vary the phishing medium as well as the content.
• Acceptable Use Policy: It is valuable for businesses to publish a clear and comprehensive acceptable use policy for mobile devices that will contain or access business data. Prohibit employees from downloading apps from third-party app stores and establish other security best practices in writing. In addition, you could create an app-vetting process to formally review and select appropriate and secure applications for your team.
• Proactively Monitor for Rogue Apps: Regularly search both legitimate and illegitimate app platforms for any apps that bear your organization’s name, logo, or messaging. Contact the platform to remove any rogue apps as quickly as possible.
• Deploy a Mobile Security Suite: The OneSpan Mobile Security Suite includes a large set of essential security features, including mobile app shielding.
• Ensure Security Best Practices: Each application should be developed with security in mind. Ensure your developers are familiar with mobile app security best practices and frameworks such as the OWASP Mobile Top 10. From there, conduct regular automated mobile app security testing throughout the SDLC as well as periodic, deeper penetration testing. Finally, deploy an additional layer of security, App Shielding, to protect the app at runtime and in potentially hostile (out of date, insecure phone) environments that put the app at risk.
   

Evaluating In-App Mobile Security Providers

Many financial institutions leverage experts like OneSpan to provide security for their mobile banking application. Before selecting your security provider, it is important to look for these attributes:

• Banking Experience:
  Financial institutions face a higher risk of fraud and possess a tremendous amount of personal information on their customers. Make sure you select a vendor who understands the unique needs of the industry.
• Cutting-edge Solutions:
  Fraud schemes are always evolving to circumvent the latest security systems. Ensure that your security provider maintains active development and regular updates to their security solution.
• Balances Security and the User Experience:
  Security is truly a balancing act between the security and the usability of the application. If the app requires too many authentication challenges or applies too much friction to individual transactions, banking customers are less likely to use the application. However, if there is not enough friction, it leaves the application vulnerable to fraud. Choose a vendor who understands this balance.