• Cognizant 20-20 Insights
Mobile Banking Security:
Challenges, Solutions
To offer the best feature-packed online banking mobile applications that
can be delivered, organizations need to carefully consider both functional
as well as security implications to ensure that customers and assets are
protected from malware and wrongdoers.
Executive Summary
There are over 1.2 billion smartphone users
worldwide.1 Individuals adopt smartphones not
only to surf the Internet but to download and
use entertainment, information, social sites,
shopping, travel and banking apps — among other
things. This has led to numerous opportunities
for organizations to roll out mobile applications
that not only engage and drive loyalty but also
garner additional revenue. Organizations are
substantially increasing spend on mobile applica-
tion development to help employees/customers
increase their productivity while delivering a
more intuitive user experience.2
Moreover, an increasing number of individuals
are using mobile applications compared with
traditional desktop/Web-based applications. A
research report from ComScore shows that apps
account for a majority of consumers’ mobile
minutes, and 80% of their media time is spent
on app usage compared with only 20% on Web
browsers.3 Recently published data from MQA
Research shows that consumer interest in mobile
banking and payments services in the U.S. has
increased significantly in the past two years.
Roughly 75% of those surveyed say they would
consider using mobile banking services if offered,
compared with only 49% who expressed their
cognizant 20-20 insights | july 2014
willingness to try mobile banking services in a
similar survey conducted in 2006.4
Globally, banks offer a variety of mobile banking
services; and those banks that do not currently
provide m-banking services claim they plan to do
so in the near future to remain relevant, according
to a recent survey conducted by the Aite Group.5
And according to a study from the University of
Hamburg, Germany, m-banking mobile applica-
tions are growing exponentially; roughly 69% of
banks already offer such services.6
However, there is a downside to this market
momentum. The MQA survey revealed that
security remains a major concern in adopting
m-banking. Approximately 72% of respondents
said they worry about the security of accessing
financial data on a mobile device. Nevertheless,
79% of respondents said they would sign up for
account balance alerts by mobile. Our research on
consumer segments reinforces the importance of
security features for choosing banks that offer
mobile banking.7
Addressing Mobile Security
Mobile device productivity comes at a price —
increased security risks. Mobile applications
create yet another path into enterprise networks,
Analysis and Recommendations
Title Description
Strong authentication mechanism.
Authentication
Allow authenticated users access
only to business functionality to
which they are entitled.
Authorization
Sensitive data should be kept in
memory (and not on disk) only while
it’s needed. The application must not
Data store any sensitive data on the file
Confidentiality system. Sensitive information should
not be leaked through logs and error
messages.
All secure objects in the system (data
requests, account data, user-related
information etc.) must be securely
Secure Data wiped when a log-off is triggered.
Cleanup
The application should prevent any
Local Data data from being locally transferred
Transfer outside the application (e.g., copying
Prevention it or sending it to an unauthorized
external application).
All network traffic is encrypted.
Connection
Encryption
Detect if the application is running on
a jail-broken/rooted/malware-infect-
ed device.
OS Security
Check
Continued on next page
cognizant 20-20 insights 2
Recommendations
Multistep authentication on secured XML-based
Web services for user ID plus password and
secure ID/SMS is recommended. An additional
recommendation is to check for user location
using a GPS during authentication.
After a user has authenticated, the application
can check with the back-end services to determine
if the user has the required access to the applica-
tion data (i.e., whether the user is mobile-enabled
or not). The client displays a secure navigation
menu based on the entitlements/access rights
of the user. The entitlements/access rights are
checked at the back end for each request before
making calls to business functions.
The application cache manager should clear
the data when the application operates in the
background. If sensitive data needs to be handled
on iOS, use C and not ObjectiveC. The logs and
error messages should be suppressed using a
tool like Dexguard8 for the Android platform and
Arxon’s EnsureIT9 for iOS.
Secure objects and data structures should be
cleaned when a log-off is triggered. In a case
where application tampering is detected, the
application should be forced shut. For checking
if the application is tampered with, the Dexguard
library can be used. In a case where a Webview
API is used, then it should be cleared during
log-off.
Remove the data from the clipboard when the
app operates in the background so it cannot be
transferred outside the application. Disable long
press for sensitive fields.
HTTPS protocol should be used to connect to
the back-end applications. An additional white
list of IP addresses and domain names should
be maintained on the client side to prevent apps
from talking to other domains not specified on
the white list.
Trusteer Mobile SDK10 is recommended. Trusteer
provides a score on OS security updates and
malware detection. Based on the score, the appli-
cation can make the decision to close the app or
the score can be passed to the back-end systems
over a secured channel for further investigations/
actions.
Analysis and Recommendations cont’d
Title Description
Application must prevent hackers
from accessing the app in a case
where the device is rooted or jail-
Jail-Break/ broken.
Rooted Device
Check
Eliminate any plain-text resources
from the application’s bundle. This
prevents malicious attackers from
gathering insights on the applica-
Preprocessing/ tion internals. The symbol table
String should be stripped, thus leaving
Obfuscating/ only unresolved symbols and forcing
Symbol an attacker to trawl for data in the
Stripping runtime code, decrypt the binary or
use more complex debugger tactics
to obtain a map of the application
symbols for class names, methods
and function names.
To secure the communications with
the back-end server, a certificate
Root Certificate check should be created on the client
Check side to ensure that it is signed by the
organization.
Application must prevent debuggers
Anti-Debugging from attaching to it (e.g., to read
Mechanism sensitive data from memory in use by
another running application).
The application should check to see if
it’s being tampered with. For example,
Tamper debug flags can be checked to
Checking determine if the application is being
debugged.
It should be possible to block certain
Blacklisting
older versions of the app on the
Older Versions
back-end server if there is a security
of the App breach.
All security events that happen inside
the application should be logged and
Security sent to the back-end server.
Logging
The app should prevent the redirec-
tion of its traffic to a malicious server
Anti-pharming12 by checking that the host-name
Protection look-up with DNS resolves to a white-
listed IP.
Hide important data – like property
Encrypt Assets files.
Figure 1
cognizant 20-20 insights
Recommendations
Trusteer Mobile SDK is recommended to check
if the device is rooted. Trusteer provides a score
if the device is rooted. Based on the score the
application can take the decision to close the app
or the score can be passed to back-end systems
over a secured channel for further investiga-
tions/actions. Root Tools is another open source
API that can be used to conduct a rooted device
check.11
Dexguard/EnsureIT tool is recommended for
this purpose. Dexguard/EnsureIT is used to
preprocess the application code and encrypt the
classes, methods and string constants. Dexguard
is also used to obfuscate the plain-text files and
static contents.
The SSL certificate should be bundled with
the application. It should be encrypted using
a tool like Dexguard/EnsureIT. The SSL certifi-
cate should be checked to see if it is signed by
the respective authority. If the certificate is not
signed, then the app should be closed.
In the Android manifest, one can define
debuggable property to be false. A tool like
Dexguard/EnsureIT supports removal of logging,
debug or test code for production release.
A tool like Dexguard/EnsureIT is recommended.
A tamper check can be conducted using the
Dexguard library. The application should be
checked for tampering during launch and should
be closed if it is found to have been tampered
with.
A server-side filter can be used to check for
blacklisted application versions. If an app version
is blacklisted, then the user will receive an error
message and be asked to upgrade the app.
This is achievable using a secured Web service
provided at the back end. All security events are
temporarily stored on the device and sent to the
server periodically. During log-off, the device data
is sent to the server to ensure no confidential
data remains on the device.
Trusteer Mobile SDK provides a feature to protect
the application from anti-pharming.
Custom implementation is possible to verify a
URL against a preconfigured white list for every
outgoing service call.
A tool like Dexguard/EnsureIT can encrypt asset
files transparently, so hackers won’t be able to
abscond with them.
3
allowing criminals, fraudsters and hackers to
propagate malicious code. Sensitive data stored
on a mobile device could be lost or stolen, leading
to data breaches, compliance violations and
expensive/embarrassing public disclosures. Large
organizations recognize mobile device threats
and vulnerabilities and understand that they
need proper security protection. Just what types
of security controls are needed? Figure 1 provides
a list of top security requirements and suggested
remedies.
Looking Forward
Given existing competitive market dynamics,
even small banks now offer mobile solutions
to their customers. Online banking, or for that
matter any important financial mobile application
rollout, takes on increased strategic importance
since success there is critical to moving forward.
Securing any and all feature-packed mobile apps
is therefore exceedingly critical.
New threats are always emerging so security
architects need to be forewarned and forearmed
on the trends and vulnerabilities to ensure their
organizations’ mobile apps are safe and hard to
hack, if not impenetrable, before they are imple-
mented.
Mobile applications and related security breaches
receive much media attention and can undermine
a company’s reputation. The above guidelines
offer a comprehensive approach and tangible
recommendations for defending mobile apps
from security breaches. By building comprehen-
sive security features into strategic, feature-rich
mobile apps from the get-go, organizations can
keep sensitive transactional and interactional
data from the prying eyes of those who wish to
do them harm over the near and long term.

Footnotes
1
“There Will Soon Be One Smartphone For Every Five People In The World,” www.businessinsider.in/There-
Will-Soon-Be-One-Smartphone-For-Every-Five-People-In-The-World/articleshow/21375608.cms.
2
“Why Your Enterprise Must Rethink Mobile App Development,” www.wired.com/2013/02/why-your-
enterprise-must-rethink-mobile-app-development/.
3
“Mobile Marketing Statistics 2014,” www.smartinsights.com/mobile-marketing/mobile-marketing-analyt-
ics/mobile-marketing-statistics/.
4
“Security: a major concern for the adoption of m-banking,”
www.vasco.com/Images/Mobile_Banking_Security_VASCO.pdf.
5
“Corporate Mobile Banking: A Look at J.P. Morgan ACCESS Mobile,” www.jpmorgan.com/treasury/jpm_
access/doc/Corporate_Mobile_Banking_A_Look_at_JP_Morgan_ACCESS_Mobile.pdf.
6
“The Mobile Commerce Prospects: A Strategic Analysis of Opportunities in the Banking Sector,”
www.postbank.de/postbank/docs/HamburgUP_Tiwari_Commerce.pdf.
7
“Segment-based Strategies for Mobile Banking,” www.cognizant.com/InsightsWhitepapers/Segment-
Based-Strategies-for-Mobile-Banking.pdf.
8
Dexguard, www.saikoa.com/dexguard.
9
Arxon EnsureIT, www.arxan.com/products/mobile/ensureit-for-apple-ios/.
10
Trusteer Mobile SDK, www.trusteer.com/products/trusteer-mobile-sdk.
11
Root Tools, https://github.com/Stericson/RootTools.
12
Anti-Pharming, http://en.wikipedia.org/wiki/Anti-pharming.

cognizant 20-20 insights 4

About the Authors
Amit Tank is a Solutions Architect within Cognizant’s Banking and Financial Services Business Unit.
He has over 12 years of industry experience across several industry sectors including (but not limited
to) software product development, professional services, research and development, manufacturing
engineering and software applications. Amit has architected, designed and developed critical business-
centric enterprise applications for companies in the insurance, mortgage, banking and financial services
industries. He earned his bachelor’s degree in engineering from NIT Durgapur, India and is a TOGAF 9
certified enterprise architect. Amit can be reached at [email protected].

Chintan Desai is a Project Manager within Cognizant’s Banking and Financial Services Business Unit. He
has 10-plus years of experience leading all phases of diverse technology projects, and more than seven
years of computer programming experience using C and Java in projects involving mobility (Android),
enterprise content management and portals. He received a bachelor of engineering degree in computer
science from DDIT, Nadiad. Chintan can be reached at [email protected].

About Cognizant
Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process out-
sourcing services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered in
Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry
and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 75
development and delivery centers worldwide and approximately 178,600 employees as of March 31, 2014, Cognizant
is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among
the top performing and fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on
Twitter: Cognizant.

World Headquarters European Headquarters India Operations Headquarters

500 Frank W. Burr Blvd.
Teaneck, NJ 07666 USA
Phone: +1 201 801 0233
Fax: +1 201 801 0243
Toll Free: +1 888 937 3277
Email:
1 Kingdom Street #5/535, Old Mahabalipuram Road
Paddington Central Okkiyam Pettai, Thoraipakkam
London W2 6BD Chennai, 600 096 India
Phone: +44 (0) 20 7297 7600 Phone: +91 (0) 44 4209 6000
Fax: +44 (0) 20 7121 0102 Fax: +91 (0) 44 4209 6060

[email protected] Email: [email protected] Email: [email protected]

­­© Copyright 2014, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any
means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is
subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.