By Jan Sysmans, Mobile App Security Evangelist, Appdome
India’s enthusiasm for investment apps is by no means letting up, and it is reshaping trading in new and profound ways. From Zerodha to Paytm Money and Kuvera, it has never been more convenient for the average person in India to put money into stocks, bonds, mutual funds, exchange-traded funds (ETFs) and other assets. In fact, DataReportal estimates that 26.7 percent of Internet users aged 16 to 64 nationwide use an investment website or app on a monthly basis.
With significant numbers of the working population actively investing in equity and funds through these apps, safeguarding customers from becoming victims of cyberattacks must be a priority for service providers.
What does the cybersecurity landscape look like?
PwC’s Global Digital Trust Insights – India Edition survey highlights that over 80 percent of the country’s C-suite managers report significant improvements in cybersecurity. Furthermore, 89 percent were able to detect and prevent cyber threats from causing major damage to their operations.
However, in spite of these developments, managers still felt that their organizations were not prepared to meet heightened threats. The same PwC report finds that the top three threats on their minds were cybercriminals (77 percent), insider threats (62 percent), and hacktivists (61 percent). Mobile devices shared the second spot, alongside software supply chains, as pathways most likely to be exploited by attackers.
The growing sophistication of cyber threats has prompted the likes of Gartner to forecast a USD 200 million year-on-year increase in cybersecurity investments across India in 2023. However, throwing money at the problem is no silver bullet, and banks and fintechs that offer investment apps to Indians must, first and foremost, deeply understand the threat landscape.
Threats targeting investment apps
- Fake apps and app tampering
Fake investment apps can lure unsuspecting users into sending money to cybercriminals. This matter is further compounded when these apps use the brand name and image of legitimate and well-known services.
Anti-tampering solutions are crucial to preventing hackers from using “Super Signature processes”, which can bypass security algorithms and repackage app resources. This should also be paired with mobile piracy prevention programs designed to validate the code signatures of Android or iOS apps, preventing them from being copied into other app stores or turned into trojan apps.
- Overlay attacks
Malware like Sharkbot and Xenomorph use overlay attacks to conceal hackers’ activities by putting a fake screen or window on top of a legitimate app. This tactic is usually used to trick people into giving up sensitive information or credentials. Preventing it relies on anti-fraud and anti-keylogging controls that notify users and block attackers from injecting fake events into the mobile app.
- Jailbreak and rooting
Investment apps that handle cryptocurrency or other decentralized assets require the use of private keys to authorize transactions. While some apps are capable of managing the keys, others put that responsibility in the hands of the user. Both variants can be vulnerable to attackers, especially if they are running on a jailbroken or rooted device.
White-box cryptography and threat-aware encryption keys are essential to hide app resources from prying eyes. Protecting against jailbreak detection bypass tools such as Liberty Lite and root hiding tools such as Magisk also enables BFSI app makers to stay one step ahead of malware that relies on these advanced jailbreak bypass and root hiding programs.
- Weak encryption and insecure data storage
Data theft comes in two forms that service providers need to guard against. The first targets unsecured storage areas, such as clipboards and NSUserDefaults files. The second is interception of communications between the user and the app.
For data at rest, encryption is needed to keep resources unreadable wherever they are stored. For data in transit, service providers should also integrate SSL/TLS tunnels and Man-in-the-Middle (MitM) protection to stop attackers from snooping on app traffic.
- Dynamic runtime attacks and instrumentation
Emulators, simulators, or on-device malware enable hackers to perform malicious trades or accept cryptocurrency transfers through fake accounts. Protecting against this class of attack requires service providers to deploy runtime application self-protection (RASP) solutions. With advanced features such as anti-tampering and anti-debugging, they can block hackers’ attempts to run or modify apps without authorization.
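As an added illustration of the MitM protection mentioned above for data in transit (this is example code written for this article, not code from the original post or from Appdome), the Go program below pins the backend’s public key (the SHA-256 of its SubjectPublicKeyInfo, the same pin format mobile pinning configs use) on top of normal certificate validation, so an interception proxy presenting a different key is refused even if a trusted CA signed its certificate. A local test TLS server stands in for the broker API; the SpkiPin, WithPinning and PinDemo names and the bogus pin are constructed for this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"net/http"
	"net/http/httptest"
)

// SpkiPin returns base64(SHA-256(SubjectPublicKeyInfo)), the pin format used by mobile pinning configs.
func SpkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// WithPinning keeps normal CA chain validation and adds a second gate: the verified
// leaf key must equal the pin shipped in the app (production apps also carry a backup pin).
func WithPinning(base *tls.Config, pin string) *tls.Config {
	cfg := base.Clone()
	cfg.VerifyPeerCertificate = func(_ [][]byte, chains [][]*x509.Certificate) error {
		if len(chains) == 0 { // only populated once chain validation has passed
			return errors.New("no verified chain")
		}
		if SpkiPin(chains[0][0]) != pin {
			return errors.New("SPKI pin mismatch: refusing connection (possible MitM)")
		}
		return nil
	}
	return cfg
}

// PinDemo runs a local TLS server standing in for the broker backend and handshakes twice: with
// the server's real pin, then with a pin for some other key, as seen when a proxy swaps the cert.
func PinDemo() (goodAccepted, badRejected bool) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	base := srv.Client().Transport.(*http.Transport).TLSClientConfig // trusts the test CA only
	handshake := func(pin string) error {
		conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), WithPinning(base, pin))
		if err == nil {
			conn.Close()
		}
		return err
	}
	bogus := base64.StdEncoding.EncodeToString(make([]byte, 32)) // constructed wrong pin
	return handshake(SpkiPin(srv.Certificate())) == nil, handshake(bogus) != nil
}
```

In a real app the same check lives in the platform networking stack (Android network security config or an iOS URLSession delegate), with the pin set stored in the app and rotated alongside the backend key.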
Lessons from the mobile security front
The effects of cyberattacks can have real-world ramifications for both the service provider and their customers. Without proper safeguards in place, customers are put in harm’s way, with their investments and data exposed to malicious parties. The loss of trust and legal penalties can also shackle service providers’ ability to succeed in the highly competitive digital financial services market. As hackers’ methods continue to evolve, mobile security must become the order of the day to ensure investment apps continue to play a positive role in accelerating the financial empowerment sought by many across India.