As the pandemic pushes consumers to utilise digital technologies, financial services have never been more accessible. But as the digital accessibility of finances increases, so too does the level of cyberattacks.
Prateek Panda is the Director of Product and Growth for the security product group at Intertrust. Previously, he was the founder of a cybersecurity company in the mobile application security space.
Here he discusses the unique ecosystem of digital banking in the Asia Pacific region and offers a solution for curbing the increase in cyberattacks.
Across Asia, people are increasingly turning to mobile apps to help them manage their finances, whether that’s for peer-to-peer transfers, accessing credit, or online banking services. The Asia Pacific (APAC) region saw a 106% increase in finance app installs from 2018 to 2019, and as Covid-19 prevented many people from accessing financial services offline, downloads have jumped further.
As mobile finance app usage surges, so do cybersecurity risks. Finance apps contain sensitive user information and are a popular target for hackers looking to access users’ funds and financial data. This is a critical problem for apps being developed in Asia. A 2018 report from CSIS (Center for Strategic and International Studies) and McAfee found that weak cybersecurity systems cause more than $300 billion in economic losses in the Indo-Pacific region alone – it’s vital that cybersecurity efforts grow alongside digital adoption.
Unfortunately, finance app security seems to still be playing catch-up. Intertrust’s 2021 State of Mobile Finance App Security Report uncovered a number of concerning cybersecurity weaknesses in today’s mobile finance apps, with Asian apps performing the weakest in terms of security. In order for mobile finance apps to mitigate the threats of cybercrime, they must build security into application design with in-app protection from day one.
Let’s look at the state of mobile finance app security, what this means for finance apps in Asia, and how they can prevent security issues in the future.
The Mobile Finance Landscape in Asia: Accelerated Adoption and Heightened Risks
Asia has one of the fastest-growing mobile-first populations in the world, with hundreds of millions of people using their phones to complete vital daily activities. What’s more, in some countries in Southeast Asia – where 73% of the population is unbanked – fintech apps provide a path to financial inclusion for people who don’t have access to traditional banking structures.
In fact, finance app downloads in the APAC region jumped from 383 million in 2014 to an astonishing 1.8 billion in 2018. And as Covid-19 has forced many activities online, access to digital services is more crucial than ever. Mobile apps are mainstream in Asia – but that doesn’t mean they’re without their potential risks.
Finance apps in Asia are facing targeted hacks – Indian digital credit startup Mobikwik was hit by cybercriminals in March of this year, who exfiltrated the data of 3.5 million of the app’s users. This is not only bad for users: experts claim that if fintech apps in Asia do not have robust cybersecurity mechanisms in place, they stand to sacrifice potentially lucrative partnerships with the banking sector.
Security Weaknesses in Today’s Finance Apps
The State of Mobile Finance App Security Report looked at 160 finance apps across four categories: banking, lending, payments, and trading. The report sheds light on the most worrying vulnerabilities across different operating systems, app types, and geographical regions.
An astounding 77% of the researched apps have at least one critical or high severity vulnerability, 81% leak data, and 88% failed cryptography tests. Banking apps contain more vulnerabilities than any other type. Approximately 84% of Android finance apps contained at least one critical or high severity vulnerability, while the number for iOS was 70%.
Looking specifically at Asia, 38% of Indian and Southeast Asian apps had more than 10 vulnerabilities, compared to 7% in the UK. Indian and Southeast Asian apps came in last in terms of security, perhaps because of the lack of rigorous data privacy regulations in many of the countries in those regions (though India is making strides here) and the impact that has on encouraging cybersecurity efforts.
The Path Ahead: Enhanced in-App Protection
So, what can be done to fix these vulnerabilities and prevent potentially debilitating cyberattacks?
The report found that 74% of high-level threats could have been mitigated using in-app protection. In-app protection allows app developers to build sophisticated defense mechanisms into the app itself rather than relying on the security mechanisms of the operating system or device alone, as these can be vulnerable to attacks.
Finance app developers should first ensure they have the basics in place by adhering to the OWASP Mobile App Security Verification Standard as well as any regulatory requirements. To fill security gaps they can then deploy in-app techniques including advanced code obfuscation, anti-debugging, iOS jailbreak and Android rooting detection, integrity protection, and tampering detection and response. These robust tools make it much more difficult for hackers to penetrate, modify, or reverse engineer the app.
It’s also essential to protect any cryptographic keys that can be used to access sensitive data. Developers can turn to white-box cryptography, which keeps cryptographic keys hidden within the app code, allowing them to build key protection directly into the app.
In Asia, mobile finance app usage is only going to continue to rise. But if cybersecurity is not taken seriously, user trust and data privacy will undoubtedly be hampered. Finance app development teams should build security into app design from day one through innovative, robust tools to ensure they don’t put their users and themselves at risk.