Mobile applications: How to reduce fraud and increase trust

Posted by Roxane Suau on April 05, 2019

Applications have won mobile; that is no longer news. As most organizations leverage mobile apps to enhance their users’ online experience, the whole mobile ecosystem is evolving accordingly. Cybercriminals and greedy individuals see applications as a surface to make money from. Governments see this surface as a big risk to data privacy. Users trust companies’ capacity to keep their information safe.

Implementing on-device mobile application security measures is a complex task. Too many restrictions create frustration and degrade the user experience, while failing to provide suitable security steps exposes sensitive data to the wild. The Runtime Application Self-Protection (RASP) technology offered by Pradeo was designed to rigorously protect application data and transactions without impacting the user experience or app performance.

RASP: Protect application execution in real-time

Pradeo RASP comes as a ready-to-use security SDK to be embedded within mobile applications. It relies on a precise behavior detection capability drawn from the Pradeo Security engine to assess the integrity of the environment it runs in. Once added to an application’s code, it gives the application deep insight into the surrounding threats and enables it to adapt its runtime behavior accordingly.

Let’s consider a common use case. Jay is a client of a large bank and uses its mobile banking application, just like 43% of all mobile phone owners with a bank account (source: US Federal Reserve System). Alongside his banking app, Jay has installed some gaming applications on his smartphone. Jay doesn’t know it, but one of them hides malware programmed to record every keystroke from his keyboard and save it on a remote server (a keylogger). When Jay opens his banking app to check his balance or make a fund transfer, there are 2 possible scenarios:

  • Jay’s credentials are simply stolen by the malware.
  • The banking app alerts Jay that malware is on his smartphone and requests its uninstallation before going any further. In this case, the bank is using Pradeo Security Runtime Application Self-Protection.

A solution required by law in highly sensitive sectors

Finance, health, government, energy, retail and others are highly sensitive sectors subject to strong security constraints imposed by industry requirements, internal security policies and regulations.

Focusing on financial services, the strong adoption of mobile banking and payment has caused a major increase in fraud coming from mobile users in recent years. The RSA Fraud & Risk Intelligence Service now counts 71% of fraud as mobile. As a consequence, authorities are amending existing laws and publishing new ones to specifically regulate financial activities on mobile.

In Europe, the second Payment Service Directive (PSD2) was published by the European Banking Authority in early 2018. The new directive aims at harmonizing the protection of electronic payments and consumers' financial data while promoting innovation and offering a better experience to users. PSD2 articles 4, 7, 8 and 9 require Europe’s banks, payment service providers (PSP) and any other company that handles financial data to secure their mobile services by implementing strong authentication and securing the execution environment.

In the United States, the Federal Financial Institutions Examination Council (FFIEC) recently issued an appendix to the Retail Payment Systems booklet dedicated to mobile banking, called “Mobile Financial Services”. Section 5.B of the appendix advises organizations to mitigate mobile applications’ risks by implementing strong authentication, embedding anti-malware capabilities and tracking security changes and anomalous behaviors.

Both regulations, like many others not covered in this post, require the use of a runtime application security solution to guarantee the safety of sensitive data handled by mobile apps.

Key benefits of Pradeo Security RASP

  • Robust defense: Mobile applications are exposed to the environment they run on. For example, when malware is hosted on a device, it can harvest data that is processed locally, and when a MITM attack is perpetrated, all data sent to the network is intercepted. Strong authentication goes hand in hand with reliable mobile threat detection to ensure the execution environment’s safety. Pradeo Security assesses device integrity (by analyzing applications, the network and the OS) before launching the application it protects, guaranteeing its execution won’t cause data theft and fraud.
  • Precise threat analytics: The cyberthreat landscape is evolving at a fast pace. More and more organizations use SIEM solutions to group and analyze the security events happening in their IT environment. Pradeo Security RASP delivers current mobile security data to SIEM databases, so security teams can have precise insights on threats operating on mobile devices.
  • Automated real-time security: The status of a mobile device changes constantly. A safe environment can suddenly become threatening if connected to an unsecured Wi-Fi network or exposed to malware, and vice versa. Once embedded within a mobile application’s source code, the Pradeo Security RASP SDK constantly tracks the device’s security level to provide real-time protection. It does so automatically, according to the parameters defined in the remote management platform.
  • Customizable security policy: Every industry has specific security needs. An execution environment considered safe for a game is not necessarily safe for a banking app. Pradeo Security provides a range of pre-defined and entirely customizable security policies, to precisely adapt to any requirement.
  • Positive user experience: Today users expect enterprises to provide an optimal experience while ensuring the protection of their data. Pradeo Security performs transparent security checks with no impact on battery consumption or system operability.

For more details on this solution, contact alicja.bialas@pradeo.com

 


Topics: Mobile Security, Mobile Application Security