Mobile apps vulnerable to breaches, experts warn
As Black Friday, Shop Small Saturday and Cyber Monday draw near, security analysts are warning merchants and consumers to protect personal information and payment card data online, in stores and in mobile apps throughout the holiday season.
Rich Scott, chief commercial officer at EZShield and IdentityForce, said payments industry stakeholders need to rethink security in an increasingly mobile-first world. "People tend to feel safer when transacting on their mobile device," he stated. "But mobile devices can be a gateway to identity theft and corporate data breaches, and apps are susceptible to malware, spyware and privacy exposure."
Scott said EZShield launched a new solution, Mobile Defense Suite, to protect consumers and merchants from potential security incidents and data breaches. The solution includes mobile app monitoring, attack control and attack recovery. These dynamic, real-time solutions are more effective than vulnerability management, anomaly detection and intrusion prevention, he said.
Shield, harden mobile apps
Sam Bakken, senior product marketing manager at OneSpan, recommends shielding mobile applications to protect them from hackers and malicious exploits. "App shielding forms a protective barrier around the app, making it a secure island in potentially hostile seas," he said.
While numerous app shielding solutions are available in the marketplace, Bakken cited three key capabilities in the most effective applications:
- Resistant to reverse-engineering, repackaging: Criminals frequently try to reverse-engineer app code to understand how it works, Bakken explained. Obfuscation and cryptography can make it more difficult for attackers to access the app's operating system or launch a repackaging attack, whereby an attacker downloads a legitimate version of the app from the app store, adds malicious code and then distributes it to unsuspecting users.
- Advanced monitoring, detection: Runtime monitoring or detection will alert users when an app is executing in an insecure environment, such as a jailbroken or rooted phone. Runtime protection also detects malware such as overlay attacks, keyloggers, debuggers and emulators used to reverse-engineer apps, Bakken noted.
- Block and tackle malicious activities: Users actively defend against exploits by blocking overlay screens, exiting an app if tampering is detected, or logging and reporting on suspicious activities.
Bakken said a number of approaches to app shielding are available, including dashboards with app shielding features and mobile app SDKs. "In terms of evaluating the effectiveness of app shielding, it's best to approach your app as an attacker would," he said. "Simulate attacks on your app in a test environment with app shielding applied. This will help you gain visibility into the mobile environments in which your app is executing."
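The three capabilities above (tamper and repackaging detection, runtime environment monitoring, and a blocking or reporting response), together with Bakken's advice to drill the shielding layer with simulated attacks in a test environment, can be modelled as a small decision policy. The following is an added illustration written for this article, not OneSpan's or any vendor's shielding code: the signals a real SDK reads from the operating system (signer certificate hash, su binaries, attached debugger, emulator, foreign overlay windows) are stood in for by a constructed `EnvSnapshot`, and the pinned certificate hash, root-indicator paths and scenario names are all hypothetical values chosen for the example.

```python
"""Runtime self-protection policy for a mobile app, modelled in plain Python.

Added illustration, not vendor code. Everything the shielding layer would
observe from the OS is supplied through a constructed EnvSnapshot so the
decision logic can be exercised offline, as a test-environment drill.
"""
from dataclasses import dataclass, field
import hashlib
import json

# Hypothetical pinned value: SHA-256 of the developer's release signing
# certificate, embedded at build time. A repackaged build is signed with the
# attacker's own certificate, so the signer hash seen at runtime will differ.
PINNED_SIGNER_SHA256 = hashlib.sha256(b"example-release-certificate").hexdigest()

# Illustrative paths whose presence suggests a rooted device.
ROOT_INDICATORS = frozenset({"/system/xbin/su", "/system/bin/su", "/sbin/su"})

# When several findings are present, the most severe response wins.
SEVERITY = {"continue": 0, "warn": 1, "block_overlay": 2, "exit": 3}


@dataclass
class EnvSnapshot:
    """Constructed stand-in for what the shielding layer observes at runtime."""
    signer_sha256: str
    present_files: frozenset = frozenset()
    debugger_attached: bool = False
    emulator: bool = False
    foreign_overlay_windows: int = 0


@dataclass
class Verdict:
    action: str
    findings: list = field(default_factory=list)

    def report(self) -> str:
        """Serialised event for the app's logging/reporting channel."""
        return json.dumps({"action": self.action, "findings": self.findings})


def evaluate(env: EnvSnapshot, pinned: str = PINNED_SIGNER_SHA256) -> Verdict:
    """Map findings to a response: tampering or an attached debugger -> exit;
    a foreign overlay -> block it; rooted/emulator -> warn; otherwise continue."""
    findings = []
    action = "continue"

    def escalate(new_action: str, finding: str) -> None:
        nonlocal action
        findings.append(finding)
        if SEVERITY[new_action] > SEVERITY[action]:
            action = new_action

    if env.signer_sha256 != pinned:
        escalate("exit", "tampering:signer-mismatch")
    if env.debugger_attached:
        escalate("exit", "reverse-engineering:debugger-attached")
    if env.foreign_overlay_windows > 0:
        escalate("block_overlay", f"overlay:{env.foreign_overlay_windows}-foreign-windows")
    if env.present_files & ROOT_INDICATORS:
        escalate("warn", "insecure-environment:rooted")
    if env.emulator:
        escalate("warn", "insecure-environment:emulator")
    return Verdict(action, findings)


def simulate_attacks() -> dict:
    """Drill the policy with constructed hostile snapshots and record each response."""
    scenarios = {
        "clean": EnvSnapshot(PINNED_SIGNER_SHA256),
        "repackaged": EnvSnapshot(hashlib.sha256(b"other-cert").hexdigest()),
        "rooted": EnvSnapshot(PINNED_SIGNER_SHA256, present_files=frozenset({"/system/xbin/su"})),
        "debugger": EnvSnapshot(PINNED_SIGNER_SHA256, debugger_attached=True),
        "overlay": EnvSnapshot(PINNED_SIGNER_SHA256, foreign_overlay_windows=1),
        "rooted_emulator_debugger": EnvSnapshot(
            PINNED_SIGNER_SHA256, present_files=frozenset({"/sbin/su"}),
            emulator=True, debugger_attached=True),
    }
    return {name: evaluate(env).action for name, env in scenarios.items()}


if __name__ == "__main__":
    for name, action in simulate_attacks().items():
        print(f"{name:25s} -> {action}")
```

The point of the drill is that each scenario has a known expected response, so a regression in any one check (say, the signer comparison silently accepting a mismatch after a build change) shows up before release rather than in the field.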
Mobile app security checklist
Will LaSala, director of security solutions and security evangelist at OneSpan, recommends implementing the following security measures during the holidays and throughout the year:
- App shielding: Implement an app shielding solution across all mobile applications to protect devices in untrusted environments.
- Multifactor authentication: Use strong, user-friendly multifactor authentication. Financial institutions should turn to the latest available adaptive authentication technology to analyze and score hundreds of user, device and transaction data points in real time to determine the precise authentication requirements for each transaction. This level of intelligence ensures the best possible customer experience while safeguarding transactions and customer data.
- PCI compliance: Stay compliant with industry standards. Ensuring your mobile app is compliant with industry standards for mobile security will help keep you secure from the latest threats and vulnerabilities. The Payment Card Industry Data Security Standard (PCI DSS) is one example of a compliance mandate for banks and other organizations that handle payment card data, and it is administered by the PCI Security Standards Council.
- Ongoing training: As social engineering and phishing attacks continue to rise, customers should know how to spot fraudulent emails and suspicious links and attachments. Keep your business and customers current on the latest security trends.
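The adaptive authentication item in the checklist describes scoring user, device and transaction attributes and translating the score into a per-transaction authentication requirement. The block below is an added illustration of that idea, written for this article and not OneSpan's product logic: the six signals, their weights, the score bands and the sample transactions are all constructed values, and a production engine would weigh far more attributes with model-derived weights.

```python
"""Adaptive (risk-based) authentication scorer, modelled in plain Python.

Added illustration, not vendor code. Signals, weights, bands and the sample
transactions are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TransactionContext:
    """Constructed view of one payment request plus the user's history."""
    device_id: str
    known_device_ids: frozenset
    amount: float
    typical_amount: float        # user's historical average for this kind of payment
    country: str
    home_country: str
    local_hour: int              # 0-23 in the user's time zone
    failed_logins_last_hour: int
    ip_reputation: str           # "clean", "proxy" or "tor" (constructed labels)


# Constructed weights; a real engine derives these from fraud models.
SIGNAL_WEIGHTS = {
    "new_device": 30,
    "foreign_country": 25,
    "unusual_amount": 25,
    "off_hours": 10,
    "repeated_login_failures": 20,
    "anonymising_ip": 35,
}

# Score bands (exclusive upper bound -> requirement), lowest friction first.
AUTH_BANDS = [
    (20, "session_only"),              # low risk: existing login suffices
    (50, "otp"),                       # medium: one-time code
    (80, "push_transaction_signing"),  # high: out-of-band approval showing amount and payee
    (101, "deny_and_review"),          # very high: refuse and route to the fraud team
]


def risk_signals(ctx: TransactionContext) -> list:
    """Return the names of the signals that fire for this transaction."""
    signals = []
    if ctx.device_id not in ctx.known_device_ids:
        signals.append("new_device")
    if ctx.country != ctx.home_country:
        signals.append("foreign_country")
    if ctx.typical_amount > 0 and ctx.amount > 3 * ctx.typical_amount:
        signals.append("unusual_amount")
    if ctx.local_hour < 6:
        signals.append("off_hours")
    if ctx.failed_logins_last_hour >= 3:
        signals.append("repeated_login_failures")
    if ctx.ip_reputation in ("proxy", "tor"):
        signals.append("anonymising_ip")
    return signals


def risk_score(ctx: TransactionContext) -> int:
    """Weighted sum of the fired signals, capped at 100."""
    return min(100, sum(SIGNAL_WEIGHTS[s] for s in risk_signals(ctx)))


def required_authentication(ctx: TransactionContext) -> str:
    """Pick the lowest-friction step that the score permits."""
    score = risk_score(ctx)
    for upper_bound, requirement in AUTH_BANDS:
        if score < upper_bound:
            return requirement
    return "deny_and_review"


if __name__ == "__main__":
    known = frozenset({"phone-A"})
    routine = TransactionContext("phone-A", known, 40.0, 35.0, "US", "US", 13, 0, "clean")
    suspicious = TransactionContext("phone-Z", known, 900.0, 35.0, "GB", "US", 3, 4, "tor")
    for name, ctx in (("routine", routine), ("suspicious", suspicious)):
        print(name, risk_score(ctx), risk_signals(ctx), required_authentication(ctx))
```

The design choice worth noting is that the bands are ordered by friction: a routine payment from a known device never sees a challenge, a single unfamiliar signal earns a one-time code, and only a combination of signals pushes the user to out-of-band transaction signing or a refusal, which is what lets the same engine protect high-risk transactions without taxing the ordinary ones.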
Retargeting attacks are sophisticated and can ruin a company's image and brand, LaSala noted.
"[These are] advanced attacks and not every solution out there can address them without major re-architecting," he said. "As an app developer and publisher, it's important to look for app shielding technology that makes it easy to incorporate advanced mobile app security into an app without much development effort."