Mobile Payment Security: How to Minimize Vulnerabilities and Ensure Compliance

The only way app makers can stay ahead of the ever-changing threat landscape is to use developer best practices to building security in their mobile payment apps.

As India is fully embracing cashless and contactless payment methods, mobile apps have become the go-to channel for Indian consumers. According to the National Informatics Centre (NIC), the use of digital payments increased by 10 percent as a result of the demonetization of the 500- and 1,000-rupee notes in 2016.

Furthermore, transactions conducted through the Unified Payment Interface (UPI) - a mobile-enabled banking system - have doubled from 2.81 billion in June 2021 to 5.86 billion the year after.

This growth in mobile payments requires higher levels of mobile security to ensure customers do not become victims of malicious cybercriminals.

Mobile payment vulnerabilities to look out for

As citizens become more reliant on mobile apps for their daily activities, the cybercriminals running the “Exploit Economy” are constantly looking for new methods and tools to defraud consumers and maximize damage. App makers who are unable to keep up with the ever-evolving threat landscape may find themselves lagging behind their security-minded peers.

One such tactic plaguing the mobile landscape is on-device malware that goes undetected. This is particularly concerning as users can unknowingly download seemingly legitimate apps without realizing that they are inviting cybercriminals into the system. For example, the EventBot variant of malware is designed to harvest usernames and passwords as well as intercept multi-factor authentication (MFA) codes sent through text messages.

Another type of malware is Sharkbot, which is capable of avoiding detection by Google Safety Net. From there, the attacker may abuse Accessibility Services, conduct overlay attacks, launch account takeovers, auto-fill fields to approve purchases without the users' knowledge, and more

Besides that, privilege escalation allows cybercriminals to gain access to sensitive information. This can be achieved by tricking users into granting additional permissions to their mobile payment apps or finding exposed credentials located within their devices. Once cybercriminals are given the necessary privileges, they can use the accounts for fraudulent purchases,  drain funds from users' accounts or identify new targets for subsequent attacks.

Staying compliant with the RBI Digital Payment Security Controls and other regulations

The Reserve Bank of India published the Digital Payment Security Controls (DPSC) to “address the pre-eminent role being played by digital payment systems in India and the high importance to the security controls around it”.

The DPSC is very clear with regards to mobile payments apps. They need to have a comprehensive set of protections to ensure that all mobile app data is secure, user privacy is ensured, the app cannot be reverse engineered, the integrity of the device's Operating System and the connection between the app and the mobile back end cannot be compromised, users are protected against the risks of mobile fraud and the app, and the user is protected against on-device malware.

In addition, the DPSC also notes that mobile payment apps need to comply with PCI DSS and other card payment standards.

Program dependencies complicate mobile security

For mobile payment app makers who want to demonstrate compliance to the RBI’s DPSC, PCI DSS and other regulations, they need to build a full suite of protections that include RASP, code obfuscation, anti-reverse engineering, mobile data encryption, jailbreak/root prevention, MitM protection, mobile fraud prevention and mobile malware prevention.

Unfortunately most security solutions rely on developers to code the protections themselves or implement an SDK. To achieve the comprehensive protections outlined above, would take months of development work, work that would need to be done for each release. In today’s agile development environment, developers just don’t have the time, resources and expertise to do this work. And in addition, cybercriminals are constantly looking for new methods and tools to exploit vulnerabilities and defraud consumers.

The only way app makers can stay ahead of the ever-changing threat landscape is to use developer best practices to building security in their mobile payment apps. Developers should invest in an automated cyber-defense system that powers continuous building, testing and monitoring of mobile security features within their CI/CD pipeline, without causing any disruption to the existing DevOps workflows. This way, apps can continue to serve users without being bogged down by technical issues. And to demonstrate compliance with the DPSC and other regulations, such a system should become the security system of record that provides the cvber and dev teams with an Artifact of Proof for each build and for each release. That way demonstrating regulatory compliance is fast and easy.

Digital payment has become the new normal for Indian customers, which means the risk of losing both their data and funds to cyberattacks will increase as well. For app makers, creating robust and comprehensive security features requires them to identify and overcome technical and regulatory challenges, build the required security in a rapid and agile way so they can continue to release new versions of their apps quickly and provide the best experience for their customers.

Author: Jan Sysmans, Mobile App Security Evangelist at Appdome