Regulatory Guideline For Mobile Banking App Security

Uploaded by onespanapptester

Regulatory Guideline for Mobile Banking App Security

Introduction:

As the financial services sector continues to embrace mobile technology, ensuring the security of
mobile banking applications is paramount. This guideline outlines the security requirements for
mobile banking applications, focusing on the integration of Runtime Application Self-Protection
(RASP) technology and adherence to the OWASP Top 10 Mobile Security Risks. Financial
institutions must implement these measures to protect user data and maintain the integrity of
mobile banking services.

RASP Technology Requirements

Runtime Application Self-Protection (RASP) technology must be integrated into mobile
banking applications to provide real-time detection and response capabilities, so that robust
security measures are in place while the application is running. The following capabilities
are required:

1. Real-time Threat Detection and Prevention:
o Applications must monitor behavior and inputs in real-time to detect and prevent
security threats as they occur.
2. Granular Security Controls:
o Security controls must be tailored to the specific application and its runtime
environment.
o Security policies must be applied precisely without impacting application
performance or functionality.
3. Automatic Protection Updates:
o Applications must automatically update security rules and protections based on
the latest threat intelligence.
o Emerging security threats must be addressed without manual intervention.
4. Minimal False Positives:
o Security mechanisms must reduce false positives by operating within the
application context.
o Accurate differentiation between legitimate application behavior and potential
threats is required.
5. Integration with DevOps Practices:
o RASP technology must integrate seamlessly with DevOps practices, supporting
continuous integration and deployment (CI/CD) pipelines.
o Secure coding practices and early vulnerability detection must be promoted.

Importance of RASP for Mobile App Security

Financial institutions must ensure that mobile banking applications are protected against the
following mobile-specific threats and conditions:

1. Protection Against Mobile-specific Threats:
o Applications must detect and mitigate threats such as device theft, data leakage,
and mobile-specific malware.
o Sensitive user data must be secured, maintaining user trust.
2. Enhanced User Privacy:
o Applications must enforce data protection measures to ensure compliance with
privacy regulations (e.g., GDPR, CCPA).
o Handling of personal and sensitive information must prioritize user privacy.
3. Adaptability to Mobile Environments:
o Security mechanisms must operate efficiently within mobile device constraints.
o Performance and battery life of the application must not be significantly impacted.
4. Continuous Monitoring and Response:
o Applications must continuously monitor activities and adapt defenses to counter
new and evolving threats.
o Ongoing protection must be provided in dynamic environments.
5. Comprehensive Security Posture:
o Applications must enhance their security posture by complementing other security
layers, such as secure coding practices, static and dynamic testing, and network-level
protections.

Adherence to OWASP Mobile Security Risks

Financial institutions must ensure that mobile banking applications address the OWASP
Mobile Top 10 security risks. The following risks (numbered as in the 2016 edition of that
list) are the ones this guideline calls out specifically:

1. Improper Platform Usage (M1):
o Proper use of platform security controls and features must be enforced.
2. Client Code Quality (M7):
o High-quality code must be maintained to prevent vulnerabilities such as buffer
overflows, format-string bugs and other memory-safety defects.
3. Code Tampering (M8):
o Measures must be in place to detect and prevent modification of the application's
code or behavior.
4. Reverse Engineering (M9):
o Techniques must be employed to make reverse engineering difficult and protect
sensitive information.
5. Extraneous Functionality (M10):
o Hidden or unused functionality that could be exploited must be removed from the
application.

Protection Measures for Mobile Banking Apps

Financial institutions must implement the following protection measures to safeguard mobile
banking applications:

Protection features (serial number, feature, requirement):

1. Rooted Devices: Detect rooted or jailbroken devices so that the application does not run in
a compromised OS environment. Implement multiple layers and levels of root detection
mechanisms.
2. Repackaging Detection: Verify the application signature against the original public key,
which must be embedded in encrypted form in the RASP SDK.
3. Code Injection Protection: Validate the origin of third-party libraries and prevent runtime
hooking.
4. Debugger Protection: Prevent debuggers from attaching to the application by checking
for external processes at runtime.
5. Emulator Detection: Detect emulators by examining device characteristics.
6. Key Logger Protection: Ensure that the operating system uses a trusted keyboard, to
prevent malicious apps from stealing credentials.
7. Screenshot and Screen Mirroring Protection: Prevent sensitive information from
persisting in phone memory after application termination, and detect video output streams
or mirroring applications.
8. Screen Reader Protection: Prevent malware from activating screen readers to collect
sensitive information.
9. Android Debug Bridge (ADB) Status: Prevent application usage while ADB is enabled.
10. Developer Mode Status Detection: Prevent application launch while developer mode is
on.
11. Detecting Apps from Untrusted Sources: Detect whether the application was installed
from an untrusted source.
12. Task Hijacking Protection: Prevent the application from being hijacked via untrusted
keyboards or screen readers.
13. Virtual Space Detection: Detect whether the application is launched inside a virtual
space (app cloning or sandbox) application.
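The following Android class is an added example of how an app could implement rows 1, 2, 4, 5, 9, 10 and 11 of the table above; it is not code from the guideline or from any vendor's RASP SDK. It assumes API level 28 or later (for the signing-certificate API) and a hypothetical pinned hash PINNED_CERT_SHA256 of the institution's release signing certificate, shown here as a placeholder.

```java
// Added example for rows 1, 2, 4, 5, 9, 10 and 11 of the table above; not from the
// guideline or any vendor SDK. Assumes API 28+ and a hypothetical pinned hash.
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.Debug;
import android.provider.Settings;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;

public final class RaspChecks {
    // Hypothetical placeholder: lower-case hex SHA-256 of the release signing certificate.
    static final String PINNED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    // Row 1: su binaries at well-known paths, or a build signed with test-keys.
    static boolean isRooted() {
        String[] su = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
                "/data/local/xbin/su", "/data/local/bin/su", "/system/app/Superuser.apk"};
        for (String p : su) if (new File(p).exists()) return true;
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    // Row 2: every APK signer must hash to the pinned release certificate; fail closed.
    static boolean isRepackaged(Context ctx) {
        try {
            PackageInfo pi = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature s : pi.signingInfo.getApkContentsSigners())
                if (!PINNED_CERT_SHA256.equals(hex(sha256.digest(s.toByteArray())))) return true;
            return false;
        } catch (Exception e) {
            return true; // cannot verify the signer: treat as tampered
        }
    }

    // Row 4: debuggable build, Java debugger attached, or a native tracer (TracerPid != 0).
    static boolean isDebugged(Context ctx) {
        if ((ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0) return true;
        if (Debug.isDebuggerConnected() || Debug.waitingForDebugger()) return true;
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/status"))) {
            for (String line = r.readLine(); line != null; line = r.readLine())
                if (line.startsWith("TracerPid:")) return Integer.parseInt(line.substring(10).trim()) != 0;
        } catch (Exception ignored) { }
        return false;
    }

    // Row 5: build properties exposed by the stock emulator (goldfish/ranchu) and Genymotion.
    static boolean isEmulator() {
        return Build.FINGERPRINT.startsWith("generic") || Build.FINGERPRINT.contains("emulator")
                || Build.MODEL.contains("google_sdk") || Build.MODEL.contains("Emulator")
                || Build.MODEL.contains("Android SDK built for") || Build.MANUFACTURER.contains("Genymotion")
                || Build.HARDWARE.contains("goldfish") || Build.HARDWARE.contains("ranchu");
    }

    // Rows 9 and 10: ADB or developer options enabled in global settings.
    static boolean isAdbOrDevModeOn(Context ctx) {
        return Settings.Global.getInt(ctx.getContentResolver(), Settings.Global.ADB_ENABLED, 0) == 1
                || Settings.Global.getInt(ctx.getContentResolver(),
                        Settings.Global.DEVELOPMENT_SETTINGS_ENABLED, 0) == 1;
    }

    // Row 11: installer must be Google Play (add OEM stores per policy); null means sideloaded.
    static boolean isFromUntrustedSource(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        try {
            String installer = Build.VERSION.SDK_INT >= Build.VERSION_CODES.R
                    ? pm.getInstallSourceInfo(ctx.getPackageName()).getInstallingPackageName()
                    : pm.getInstallerPackageName(ctx.getPackageName());
            return !"com.android.vending".equals(installer);
        } catch (PackageManager.NameNotFoundException e) {
            return true;
        }
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    // Aggregate so the app can apply policy: block, degrade to read-only, or report.
    static List<String> findings(Context ctx) {
        List<String> f = new ArrayList<>();
        if (isRooted()) f.add("rooted");
        if (isRepackaged(ctx)) f.add("repackaged");
        if (isDebugged(ctx)) f.add("debugger");
        if (isEmulator()) f.add("emulator");
        if (isAdbOrDevModeOn(ctx)) f.add("adb-or-developer-mode");
        if (isFromUntrustedSource(ctx)) f.add("untrusted-installer");
        return f;
    }
}
```

Two caveats a practitioner should keep in mind. First, every one of these checks runs inside the attacker's own process: a hooking framework can patch `isRooted()` to return false, and whoever repackages the APK can also replace the pinned hash, which is why row 2 requires the key to be embedded in encrypted form inside the SDK and why commercial RASP products implement such checks in obfuscated native code with integrity checks on the checks themselves. Second, the findings should be reported to the bank's backend and combined with server-side risk scoring rather than trusted purely on the client, so that a bypassed client check still leaves a signal.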

By adhering to these guidelines, financial institutions can ensure the security of their mobile
banking applications, protect user data, and maintain the trust and confidence of their users.
