Sam Bakken at OneSpan:
“This proves yet again that criminals are opportunistic–they follow the money. So it comes as no surprise that with more consumers transacting via mobile apps, the mobile channel becomes a juicier target and worth malicious actors’ time researching, developing and executing attacks.
Businesses have a challenge. They absolutely must offer differentiated mobile services or they risk losing customers to other providers that do. At the same time, a number of reports on fraud in the first half of the year show the threat increasing, so what is a business to do? Contextual data from mobile devices helps provide stronger authentication, which helps mitigate some of the risk. Yet the fact remains that mobile devices are still untrusted environments.
Financial institutions in particular must ensure the integrity of the device and the mobile app that resides upon it, and this goes beyond secure coding. The app’s runtime itself needs to be protected. For example, free tools make it easier and easier for individuals with a certain level of skill to inject code into an app at runtime to bypass authentication controls. So, real-time monitoring of these sorts of external threats becomes all the more important as attackers invest more and more resources in attempting to defraud organizations via the mobile channel.
Even if a security-conscious app maker follows mobile app security best practices throughout their software development lifecycle, other vulnerable apps or malware on their users’ Android devices can put them at risk. Depending on the importance of the app to their customer experience and revenue-generating activities, vulnerable apps are a serious issue that should be included in their threat models. For example, a number of Trojans have made it onto the Google Play store itself. If a user downloads a Trojan to their device, the Trojan probably targets financial services apps and may launch an attack on a developer’s app. App makers need to protect their apps’ runtime against external threats over which they don’t have control, such as malware or other benign but vulnerable apps.
Consumers also need to be careful because developers don’t always have their customers’ best interests in mind when it comes to mobile app security. It’s all too common that getting new features out the door will take priority over security. And these days we’re carrying mobile devices with us everywhere and sharing untold amounts of personal data with apps on those devices (knowingly or unknowingly). If those devices and apps aren’t secured, consumers are at risk. It’s not always possible, but whenever it is, consumers should research the security practices of the developers of apps they use and only download apps from official sources wherever possible (though malicious apps still make it into those marketplaces).”