PSD2 Compliance: Protecting Mobile Banking With App Shielding

Most people view the new PSD2 legislation as the “open banking legislation.” However, PSD2 — or more specifically, the RTS (regulatory technical standards) — defines much more: a range of requirements on digital banking security. These requirements concern both banks and third parties. The subject that is especially pronounced is the topic of mobile application security.

Hardening the Fragile Mobile Runtime

Now, mobile apps are under the regulator’s scrutiny for a good reason. Any security-related code, such as SCA related cryptography or code related to secure network communication, runs in a mobile operating system, such as iOS or Android. While Apple and Google do their best to build secure software, hackers always find a way to bypass the system security features. General availability of jailbreak/rooting is a living testament to this, as well as the rise of Android mobile malware.

When running in a vulnerable OS, apps can be manipulated by an attacker (for example via mobile malware, or techniques such as “trust-jacking”) that is either:

  • armed with a rooting framework (and hence can penetrate through sandboxing features of a mobile OS, even on devices that were not previously rooted by the user), or …
  • merely misusing some of the commonly available system interfaces, such as an ability to install own keyboards or screen readers in the system.

Image 1: Hackers can use the OS weaknesses and system interfaces to bypass existing security measures implemented in the mobile app. This makes the SCA-related cryptographic core vulnerable and draws any security-related code ineffective.

As a result, mobile apps with high-security requirements cannot rely on the OS security features. Instead, they need to protect themselves with advanced obfuscation, app integrity checks and proactive anti-tampering features.

These sophisticated security features are sometimes called RASP (runtime application self-protection), or using a more human term: “App Shielding”.

Image 2: App Shielding features protect the mobile application by preventing some attack scenarios, by detecting any suspicious behaviour, and by stopping a threat before it can cause any damage.

Apps that are protected with App Shielding can mitigate the whole range of sophisticated attacks, such as:

  • Malware attacks
  • Vulnerabilities related to rooting/jailbreak
  • Debugger connection
  • Code or Framework injection
  • Application repackaging and app integrity breaches
  • Malicious screen readers or untrusted keyboards
  • Overlay attacks
  • Man-in-the-app and man-in-the-middle scenarios
  • Sensitive embedded key protection (white-box crypto)
  • Compliance with PSD2 Regulatory Requirements

App Shielding not only makes your app more secure, but it is also a critical requirement for the PSD2 compliance. Let’s quote the final version of the RTS to illustrate why:

Chapter II - Article 9

2. Payment service providers shall adopt security measures, where any of the elements of strong customer authentication or the authentication code itself is used through a multi-purpose device (note: such as mobile phone or tablet) to mitigate the risk which would result from that multi-purpose device being compromised.

3. For the purposes of paragraph 2, the mitigating measures shall include each of the following:

a) the use of separated secure execution environments through the software installed inside the multi-purpose device;

b) mechanisms to ensure that the software or device has not been altered by the payer or by a third party.

c) where alterations have taken place, mechanisms to mitigate the consequences thereof.

This excerpt implies that banks are responsible for implementing security measures to make sure that the mobile device was not altered, the app was not modified at rest or in runtime, and that the application cannot be tampered with by the payer or any other third party (for a malicious reason or not). The App Shielding is a natural and the most straight-forward way to cover this requirement.

Cost Efficient Security Without a Hassle

Now, the usual concern when implementing any new security features is the complexity of integration and impact on development resources. From this point of view, the App Shielding seems to be an exception. The App Shielding can be integrated into a mobile banking app automatically, without the need for programming, and with close-to-zero impact on development resources and project timeline.

Image 3: Simple App Shielding integration can be done without any programming, just by using the app shielding tool with the right configuration. Later, the application can grow into the App Shielding product and integrate the App Shielding SDK.

Of course, if the app developer decides to make more of the App Shielding features, it is possible. An “App Shielding SDK” can be implemented into the mobile banking app later on in order to allow precise handling of selected problematic scenarios or to integrate with a fraud detection system.

What we are seeing is that almost every bank we talk to considers deploying App Shielding in their mobile apps, or already has the App Shielding in their “security repertoire” (either in production or under development). Therefore, the App Shielding becomes a de facto standard in the mobile banking security.

We believe that every mobile banking app should be protected with this type of runtime protection. And it is a good thing. The digital banking ecosystem will become safer.

Secure and Compliant Mobile Banking?

Learn more about our industry leading App Shielding solution and protect your customers with proactive security features, while making your app compliant with the PSD2 legislation, GDPR, and the strictest OWASP MASWS resilience requirements.