Eliminating Mobile Payment App Vulnerabilities and Complying With Regulations
- By Jan Sysmans, Appdome
- November 28, 2023
Mobile payments in Singapore are on the cusp of a revolution. Case in point: this year the Monetary Authority of Singapore (MAS) and the Reserve Bank of India (RBI) launched a real-time link between the two countries' payment systems to facilitate cross-border money transfers. More recently, the Association of Southeast Asian Nations (ASEAN) began establishing the Digital Economy Framework Agreement (DEFA), under which it will consider key technologies such as digital payments to empower businesses and stakeholders.
These developments emerged as organizations are already experiencing the benefits of mobile payments, with case studies from Enterprise Singapore reporting increased revenues of up to 20 percent for some businesses.
While this trend is encouraging, it has also raised the risk of successful mobile scams. In particular, the Singapore Police Force and the Cyber Security Agency of Singapore (CSA) released a joint advisory warning the public about phishing and malware attacks that use QR codes and related applications.
While police advise the public to avoid scanning codes from unknown text messages and review transaction details before approving payments, app makers also need to mitigate key risk areas to demonstrate that they have customers' best interests at heart.
Risk abounds at every corner.
The QR code scam is one more example of cybercriminals constantly finding new ways to target mobile users and drain funds from their accounts. Mobile malware is nothing new, but today's variants hide behind seemingly legitimate apps and packages that are offered for download. Banking trojans such as Xenomorph and Gigabud RAT harvest user information from other apps and abuse Android's Accessibility Services once they are on the device. To counter these variants, developers need to make fake or trojanised versions of their apps hard to produce, by integrating defences that resist reverse engineering and modification of the legitimate app and its resources.
App makers also need to defend against privilege escalation, where cybercriminals obtain elevated or administrator rights by various means: stealing user credentials, exploiting misconfigurations, or tricking users into granting additional permissions. With elevated privileges, cybercriminals have the means to steal money or install further malicious programs.
Complying with PCI standards
In October 2022, the PCI Security Standards Council retired its Payment Application Data Security Standard (PA-DSS) in favour of the PCI Software Security Framework (SSF). Together with the PCI Data Security Standard (PCI DSS), the SSF gives mobile payment app makers guidance on securing card transactions and card details so they do not fall into cybercriminals' hands.
The requirements app makers must meet to prevent such incidents include using strong cryptography to protect cardholder data in transit, restricting access to mission-critical components, and logging and monitoring access to cardholder data.
The complexities of program dependencies
App makers that handle PIN-based cardholder verification (PIN CVM) need to harden their code, especially the parts that use or protect cryptographic keys. App shielding, code obfuscation, and encryption can help, but these protections are delivered as tooling tied to a specific programming language or framework. They therefore become dependencies of the app, and app makers often have to make significant modifications to bring robust security features online.
For example, when adding code obfuscation to an iOS app built with React Native, developers must rely on external packages to protect the JavaScript bundle, because the project's native toolchain provides no built-in obfuscation for it.
Another issue with dependencies is loss of control: a vendor may drop support, or a package may simply stop working. Developers then have to find replacement solutions to stay compliant with PCI DSS, complicating the entire DevSecOps process. Overcoming this requires SDKs and libraries that work reliably with both native and non-native (cross-platform) apps, so that the attack surface stays minimal.
Businesses must empower cyber security teams to version the security model without the mobile development team having to implement an SDK or other new solution each time. The security team must be able to upgrade the security model inside the continuous integration and continuous deployment (CI/CD) workflow without disrupting the automated DevOps process.
When it comes down to it, embracing digital payments encourages transactions, but like any innovation it introduces new risk areas that must be accounted for. The growth in cybercriminals stealing customers' data and funds by exploiting mobile payment apps is testament to these risks and to their impact on customer trust. The onus is therefore on app makers to meet these security challenges head-on before they do irreparable harm to their operations.
This way, customers can continue to pay for products and services confidently.
Jan Sysmans, Mobile App Security Evangelist at Appdome, wrote this article.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends. Image credit: iStockphoto/Jacob Wackerhausen