Too many mobile banking and mobile payments apps are built without protections against reverse engineering. This exposes the code, or “blueprints” of an app, making it easy for attackers to redirect payments, capture passwords and otherwise compromise the payments provider and their customers, Jake Friedenberg, head of North American Operations for GuardSquare, tells Mobile Marketing & Technology.
GuardSquare will be an exhibitor at the 2017 Mobile Payments Conference Aug. 28-30 at the Swissôtel in Chicago, Ill.
“After an app is downloaded, it’s out in the wild,” Friedenberg explains. “It can be reverse-engineered in minutes. It’s like a bank robber having a bank’s blueprints so they can plot the best heist.”
GuardSquare has technology that makes a mobile app's blueprints impossible for criminals to read, according to Friedenberg.
Banks and payment providers pay attention to the security of their apps once they're in use, but that does no good if someone has the "blueprints" and can reverse-engineer around the security controls, Friedenberg says.
By reverse-engineering an app, a criminal can repackage it with a keylogger to capture keystrokes (to steal PINs, passwords and similar personal information), or redirect payments to the criminal's own account, using an app that looks just like the legitimate one, Friedenberg says.
This creates problems not only for the user, but also for the payment provider/bank, he says. The user could have his or her account drained, while the provider no longer has a trusted app. “No one wants to use a financial app that’s perceived as risky.”
Though such security issues have been growing steadily ever since banking and payments apps were first introduced, Friedenberg says there’s been a spike in this type of criminal activity in 2017 as more and more payment and banking apps become available, with no attention to protecting their “blueprints.”