Mobile applications have won; that is no longer news. As most organizations use mobile apps to enhance their users' online experience, the whole mobile ecosystem is evolving accordingly. Cybercriminals see applications as a surface from which to make money. Governments see in that same surface a major risk to data privacy. Users trust companies to keep their information safe.
Implementing on-device mobile application security measures is a complex task. Too many restrictions create frustration and degrade the user experience, while failing to provide appropriate security measures exposes sensitive data to the wild. The In-App Protection (IAP) technology offered by Pradeo was designed to rigorously protect application data and transactions without degrading the user experience or the app's performance.
Pradeo In-App Protection comes as a ready-to-use security SDK to be embedded within mobile applications. It relies on behavior detection drawn from the Pradeo Security engine to analyze and assess the integrity of the environment the application runs in. Once added to an application's code, it gives the app insight into the surrounding threats and lets it adapt its runtime behavior accordingly.
Let's think about a common use case. An individual we'll call Jay is a client of a large bank and uses its mobile banking application, just like 43% of all mobile phone owners with a bank account (source: US Federal Reserve System). Alongside his banking app, Jay has installed some gaming applications on his smartphone. Unknown to Jay, a malware is hidden among them, programmed to record every keystroke from his keyboard and save it to a remote server (a keylogger). When Jay opens his banking app to check his balance or make a fund transfer, there are two possible scenarios: Jay's credentials are simply stolen by the malware, or the banking app alerts Jay that a malware is on his smartphone and requests its uninstallation before going any further. In the second case, the bank is using the Pradeo Security Runtime Application Self-Protection.
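As an added illustration of the kind of runtime environment check the scenario above relies on (this is not Pradeo's SDK or its detection logic; the heuristics, the class and method names and the policy are my own assumptions), here is an Android snippet in Java. On Android, a keystroke logger typically runs as a third-party keyboard (input method) or as an accessibility service that can read text fields in other apps, so the check reports which of those input channels are active and come from non-system packages, and the app decides whether to proceed with a sensitive flow such as login or a fund transfer.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.ComponentName;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.provider.Settings;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical runtime environment check (added example, not Pradeo's code).
 * It produces findings the app can act on before a sensitive flow is allowed.
 */
public final class RuntimeEnvironmentCheck {

    /** One observation about the device; the caller decides what policy applies. */
    public static final class Finding {
        public final String kind;
        public final String packageName;

        Finding(String kind, String packageName) {
            this.kind = kind;
            this.packageName = packageName;
        }

        @Override
        public String toString() {
            return kind + ":" + packageName;
        }
    }

    private RuntimeEnvironmentCheck() {}

    /** Inspects the active input channels and reports the non-system ones. */
    public static List<Finding> inspect(Context ctx) {
        List<Finding> findings = new ArrayList<>();
        PackageManager pm = ctx.getPackageManager();

        // 1. Which keyboard (IME) is currently active? The setting holds a flattened
        //    ComponentName such as "com.example.ime/.MyInputMethodService".
        String ime = Settings.Secure.getString(
                ctx.getContentResolver(), Settings.Secure.DEFAULT_INPUT_METHOD);
        ComponentName imeComponent = ime == null ? null : ComponentName.unflattenFromString(ime);
        if (imeComponent != null && !isSystemPackage(pm, imeComponent.getPackageName())) {
            findings.add(new Finding("third_party_keyboard", imeComponent.getPackageName()));
        }

        // 2. Enabled accessibility services can observe UI text in other apps; list the
        //    ones that do not belong to a system package.
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am != null) {
            for (AccessibilityServiceInfo svc :
                    am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
                String pkg = svc.getResolveInfo().serviceInfo.packageName;
                if (!isSystemPackage(pm, pkg)) {
                    findings.add(new Finding("accessibility_service", pkg));
                }
            }
        }
        return findings;
    }

    /**
     * True when the package is part of the system image. On Android 11+ package
     * visibility filtering can make a package invisible, which raises
     * NameNotFoundException; that case is treated as "not system" (flagged), so
     * declare the <queries> element in the manifest if you need to see such packages.
     */
    private static boolean isSystemPackage(PackageManager pm, String pkg) {
        try {
            ApplicationInfo ai = pm.getApplicationInfo(pkg, 0);
            return (ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
        } catch (PackageManager.NameNotFoundException e) {
            return false;
        }
    }

    /**
     * Policy mirroring the post's scenario: hold the sensitive flow and tell the user
     * while a suspicious input channel is active. Real deployments would compare the
     * findings against an allowlist of known-good keyboards and assistive services.
     */
    public static boolean allowSensitiveFlow(List<Finding> findings) {
        return findings.isEmpty();
    }
}
```

A plain "non-system package" test is a signal, not a verdict: popular keyboards and assistive tools are installed from the store on many devices, so an app that blocks on every finding would lock out legitimate users. The practical pattern is to treat the findings as input to a policy (allowlist, warn, step-up authentication, or block) and to surface the package name to the user so they can act, which is what the scenario above describes.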
Financial services, health, government, energy, retail and similar sectors are highly sensitive and subject to strong security constraints imposed by industry requirements, internal security policies and regulations.
Focusing on financial services, the strong adoption of mobile banking and payments has caused a major increase in fraud originating from mobile users in recent years. Today, the RSA Fraud & Risk Intelligence Service reports that 71% of fraud is mobile. As a consequence, authorities are amending existing laws and publishing new ones that specifically regulate financial activities on mobile.
In Europe, the second Payment Services Directive (PSD2) was published by the European Banking Authority in early 2018. The directive aims to harmonize the protection of electronic payments and consumers' financial data while promoting innovation and offering a better experience to users. PSD2 articles 4, 7, 8 and 9 require Europe's banks, payment service providers (PSPs) and any other company that handles financial data to secure their mobile services by implementing strong authentication and securing the execution environment.
In the United States, the Federal Financial Institutions Examination Council (FFIEC) recently issued an appendix to the Retail Payment Systems booklet dedicated to mobile banking, called "Mobile Financial Services". Section 5.B of the appendix advises organizations to mitigate mobile application risks by implementing strong authentication, embedding anti-malware capabilities, and tracking security changes and anomalous behaviors.
Both regulations, like many others not covered in this post, call for a runtime application security solution to guarantee the safety of the sensitive data handled by mobile apps.
For more details on this solution, contact xenia.tews@pradeo.com