2. Facts & Numbers
10-20% rise in digital banking use across Europe in April 2020.
40% of Android users have phones which no longer receive security updates.
3. "The digital banking leaders also happen to be the leaders in security."
17. Mobile Malware
EventBot targets users of over 200 different financial applications, including banking, money transfer services, and crypto-currency wallets.
19. Weak Activation
Example: using an SMS OTP during mobile app enrollment.
Attackers use social engineering to trick users into confirming a new mobile banking activation on their own devices. Once an attacker has activated mobile banking on a device under their control, the bank account and the user's identity are fully compromised.
Mobile app authentication is only as strong as the elements that were used during the activation process.
20. Weak Activation
How to improve activation security?
- "Slow channels" (confirm the activation through a channel an attacker cannot abuse in real time)
- "Identity aging" (a freshly activated identity is not fully trusted immediately)
- HW OTP (hardware one-time password token instead of SMS)
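The following is an added illustration of the "identity aging" and "slow channel" ideas, not code from the original presentation or from any bank. It assumes one reading of those terms: a newly activated device starts with a low transaction limit, earns a higher limit only after an aging period, and gets full rights only once the activation has been confirmed through a slow channel (for example a code delivered by letter or an in-branch visit). The limits, the seven-day period and the `Activation` record are constructed for the example. The point for a defender is that an attacker who talks a victim through an SMS OTP activation does not immediately gain an account with full privileges.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy values (assumptions for this example, not a bank's real limits).
AGING_PERIOD = timedelta(days=7)   # how long an activation stays "new"
NEW_LIMIT = 100.0                  # per-transaction limit for a new activation
AGED_LIMIT = 1000.0                # limit once the activation has aged


@dataclass
class Activation:
    """One mobile banking activation (hypothetical record shape)."""
    device_id: str
    created_at: datetime
    # True once the user confirmed this activation through a slow channel
    # (letter code, branch visit); such channels are hard to social-engineer in real time.
    confirmed_via_slow_channel: bool = False


def trust_level(activation: Activation, now: datetime) -> str:
    """Classify the activation as 'new', 'aged' or 'full'."""
    if activation.confirmed_via_slow_channel:
        return "full"
    if now - activation.created_at >= AGING_PERIOD:
        return "aged"
    return "new"


def authorize_payment(activation: Activation, amount: float, now: datetime) -> tuple[bool, str]:
    """Decide whether a payment of `amount` may be signed from this activation.

    Returns (allowed, reason). A rejected payment tells the caller which
    stronger confirmation would lift the limit.
    """
    level = trust_level(activation, now)
    if level == "full":
        return True, "activation confirmed via slow channel"
    limit = AGED_LIMIT if level == "aged" else NEW_LIMIT
    if amount <= limit:
        return True, f"within {limit:.0f} limit for a {level} activation"
    return False, (f"{amount:.0f} exceeds the {limit:.0f} limit for a {level} activation; "
                   "confirm the activation through a slow channel to lift it")


if __name__ == "__main__":
    now = datetime(2020, 4, 1, tzinfo=timezone.utc)      # constructed timestamp
    act = Activation("device-A", created_at=now)         # activated just now via SMS OTP
    print(authorize_payment(act, 50, now))               # small payment: allowed
    print(authorize_payment(act, 5000, now))             # large payment: refused
    print(authorize_payment(act, 500, now + timedelta(days=8)))  # aged: allowed
    act.confirmed_via_slow_channel = True
    print(authorize_payment(act, 5000, now))             # confirmed: allowed
```

In a real deployment the aging clock and the slow-channel flag would live server-side, next to the activation record, so that a compromised device cannot shorten its own aging period.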
23. After-Theft Attack
Weak PIN codes and passwords:
- 11% of users choose "1234".
- The top 20 PIN codes can open over 25% of all devices.
Source: https://www.datagenetics.com/blog/september32012/
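An added example of the defender-side response to the PIN statistics above: a PIN policy check that an app could run at PIN setup. It is not code from the original presentation. The `COMMON_PINS` set is a constructed sample denylist, not the full DataGenetics ranking; a production check would load the real top-N list. Beyond the denylist it rejects the structural patterns that make a PIN guessable (repeated digits, ascending or descending runs, years, MMDD/DDMM dates), so it generalises from the "1234" case in the text.

```python
from datetime import date

# Constructed sample denylist of frequently chosen 4-digit PINs (assumption:
# stands in for the real top-N list a deployment would load).
COMMON_PINS = {
    "1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444", "2222", "6969",
    "9999", "3333", "5555", "6666", "1122", "1313", "8888", "4321", "2001", "1010",
}


def is_repeated(pin: str) -> bool:
    """All digits identical, e.g. 7777."""
    return len(set(pin)) == 1


def is_sequential(pin: str) -> bool:
    """Strictly ascending or descending run of digits, e.g. 1234 or 9876."""
    deltas = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return deltas in ({1}, {-1})


def looks_like_year(pin: str) -> bool:
    """A plausible birth or recent year, e.g. 1984 or 2020."""
    return len(pin) == 4 and 1900 <= int(pin) <= date.today().year + 1


def looks_like_date(pin: str) -> bool:
    """MMDD or DDMM with a valid month and day, e.g. 0512 or 3112."""
    if len(pin) != 4:
        return False
    a, b = int(pin[:2]), int(pin[2:])
    return (1 <= a <= 12 and 1 <= b <= 31) or (1 <= a <= 31 and 1 <= b <= 12)


def check_pin(pin: str, min_len: int = 4) -> list[str]:
    """Return the list of reasons a PIN is rejected; an empty list means accepted."""
    if not pin.isdigit() or len(pin) < min_len:
        return [f"must be at least {min_len} digits"]
    reasons = []
    if pin in COMMON_PINS:
        reasons.append("on the common-PIN denylist")
    if is_repeated(pin):
        reasons.append("repeated digit")
    if is_sequential(pin):
        reasons.append("sequential digits")
    if looks_like_year(pin):
        reasons.append("looks like a year")
    if looks_like_date(pin):
        reasons.append("looks like a date (MMDD/DDMM)")
    return reasons


def rejected_fraction() -> float:
    """Share of the 10,000 four-digit PINs this policy refuses (useful to see
    that the rules remove the guessable corner without gutting the space)."""
    rejected = sum(1 for n in range(10_000) if check_pin(f"{n:04d}"))
    return rejected / 10_000


if __name__ == "__main__":
    for candidate in ("1234", "2000", "0512", "8305"):
        verdict = check_pin(candidate) or ["accepted"]
        print(candidate, "->", "; ".join(verdict))
    print(f"policy rejects {rejected_fraction():.1%} of all 4-digit PINs")
```

Rejecting date-like PINs is the most opinionated rule here: it removes several hundred candidates, so decide per product whether to block or merely warn. Whatever the policy, it complements and does not replace rate limiting and wipe-after-N-failures on the device.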
36. After-Theft Attack
Forensic cryptographic data extraction:
- Built-in security measures in the mobile OS can be bypassed.
- The PIN code or cryptographic keys can leak from memory.
Mitigations:
- Implement cryptography as a low-level C/C++ module with strict memory management (keys zeroed as soon as they are no longer needed).
- Use HW-backed key storage (Secure Enclave on iOS, StrongBox on Android).
37. Weak Runtime
Nothing is guaranteed on a jailbroken/rooted device…
To mitigate risks related to compromised devices, implement RASP / App Shielding technology.
Your app could have been:
→ modified by repackaging ("at rest")
→ modified after connecting a debugger ("at runtime")
→ modified by a fake system library (framework or native library injection)
A ticking time bomb…
38. "Xposed is a framework for modules that can change the behavior of the system and apps without touching any APKs. That's great because it means that modules can work for different versions and even ROMs without any changes…"
41. Weak Runtime
On the system level, iOS and Android are equally secure…
Further reading: "Dispelling The “Sufficiently Secure iOS” Myth and the Importance of App Shielding on iOS" by Tomáš Kypta, https://bit.ly/3gan7V1