Jan Sysmans, Mobile App Security Evangelist, Appdome, on meeting the protection expectations of Singaporean consumers.
Alarm bells rang across Singapore’s investment community last November when five US-based investors lost more than US$10 million in a cryptocurrency scam that involved spoofed domains of the former Singapore International Monetary Exchange (Simex).
In addition, the Singapore-based crypto firm BitKeep lost more than US$8 million to a hack in December 2022.
Fake or spoofed apps are among several threats to users of investment apps. A recent study revealed that 77% of financial apps have at least one vulnerability that can lead to a data breach, while 88% of apps fail cryptographic tests, making them a target for data-hungry hackers.
Plugging these gaps is in everyone’s best interests, especially in the context of Singapore’s goal of becoming a global cryptocurrency hub.
And it turns out that Singaporean consumers expect app makers to protect them from hacking, fraud and malware, according to a recent Consumer Expectations of Mobile App Security survey.
Therefore, the old proverb “forewarned is forearmed” has never been more relevant, and makers of banking and FinTech apps won’t stand a fighting chance if they don’t protect their customers against the following threats and attacks:
- Fake apps
Scams like the Simex case are sadly not uncommon. For example, one app, masquerading as an Asian trading company, lured social media and dating site users into downloading the fake app, which opened the door for cybercriminals to wreak havoc.
Fake apps are published through ‘Super Signature’ processes that bypass the security protections and mechanisms used by official app repositories. Using Mobile Piracy Prevention solutions will ensure that your Android and iOS apps cannot be copied or turned into Trojan apps after being published to a public app store. Validating that apps signed for the Apple and Google Play stores cannot be distributed through other stores is another must, as is verifying the integrity of the app bundle and all its contents at runtime. This will protect your brand against negative publicity and user backlash if fake versions and mods of your app end up on the phones of your customers.
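One way to do the runtime part of this on Android, as an added example that is not Appdome's code or the page's own: at startup the app hashes the certificate that actually signed the running APK, compares it with the publisher's release certificate, and checks which package installed it. `EXPECTED_CERT_SHA256` is a placeholder the publisher would replace with the fingerprint of its own release key; `com.android.vending` is Google Play's installer package name.

```kotlin
// Added example (not Appdome's code): verify at runtime that the APK that is
// running is signed with the publisher's release certificate and was
// installed from Google Play. EXPECTED_CERT_SHA256 is a placeholder the
// publisher replaces with the SHA-256 fingerprint of its own signing cert.
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.security.MessageDigest

object AppIntegrity {
    // Placeholder: hex SHA-256 of the publisher's release signing certificate.
    // Debug builds are signed with a different key, so this is per build variant.
    private const val EXPECTED_CERT_SHA256 =
        "0000000000000000000000000000000000000000000000000000000000000000"

    // Installer package names accepted as legitimate stores (Google Play here).
    private val TRUSTED_INSTALLERS = setOf("com.android.vending")

    /** Hex SHA-256 fingerprints of every certificate that signed this APK. */
    fun signingCertFingerprints(context: Context): List<String> {
        val pm = context.packageManager
        val pkg = context.packageName
        val signatures = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            val info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES)
            val signingInfo = info.signingInfo ?: return emptyList()
            // apkContentsSigners is the certificate set covering the APK
            // contents (the current key after any key rotation).
            signingInfo.apkContentsSigners.toList()
        } else {
            @Suppress("DEPRECATION")
            pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES).signatures.toList()
        }
        val md = MessageDigest.getInstance("SHA-256")
        return signatures.map { sig ->
            md.digest(sig.toByteArray()).joinToString("") { "%02x".format(it) }
        }
    }

    /** True only if the APK is signed by exactly the expected release certificate. */
    fun isSignedByPublisher(context: Context): Boolean {
        val fps = signingCertFingerprints(context)
        return fps.size == 1 && fps[0].equals(EXPECTED_CERT_SHA256, ignoreCase = true)
    }

    /** Package name of whatever installed this app; null means sideloaded/unknown. */
    fun installerPackage(context: Context): String? {
        val pm = context.packageManager
        return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            pm.getInstallSourceInfo(context.packageName).installingPackageName
        } else {
            @Suppress("DEPRECATION")
            pm.getInstallerPackageName(context.packageName)
        }
    }

    fun isFromTrustedStore(context: Context): Boolean =
        installerPackage(context) in TRUSTED_INSTALLERS

    /** Combined check an app would run before handling credentials or keys. */
    fun verify(context: Context): Boolean =
        isSignedByPublisher(context) && isFromTrustedStore(context)
}
```

A repackaged app can have this check stripped along with everything else, so treat its result as a signal to report to the backend (and pair it with a server-verified attestation such as the Play Integrity API) rather than as the only gate; the value of the check is that a naïve clone that keeps the original code will fail both tests.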
- Overlay attacks
Mobile banking Trojans like Sharkbot and Xenomorph are malware that use an overlay attack, where a fake screen or window controlled by an attacker is placed on top of a legitimate application to trick users into revealing confidential information. The best defense is a no-code mobile fraud prevention solution that enables developers, publishers, studios and financial institutions to stop fraud at the source; these solutions build preemptive and defensive protections into your mobile app in minutes. A Singaporean retiree recently lost over $71,000 due to a likely overlay attack on a mobile banking app.
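The platform-level defences an Android app can add to a sensitive screen, as an added example that is not Appdome's code or the page's own: `FLAG_SECURE` blocks screen capture, `setHideOverlayWindows` (Android 12+) asks the system to hide other apps' overlays while the screen is showing, and `filterTouchesWhenObscured` plus the `MotionEvent` obscured flags drop taps that arrive through an overlay. The layout name `activity_confirm_transfer` and the view id `confirm_button` are assumptions.

```kotlin
// Added example (not Appdome's code): Activity-level defences against overlay
// and tapjacking attacks on a screen that confirms a transfer. Assumes a
// layout activity_confirm_transfer containing a view with id confirm_button,
// and the manifest entry
// <uses-permission android:name="android.permission.HIDE_OVERLAY_WINDOWS"/>.
import android.os.Build
import android.os.Bundle
import android.view.MotionEvent
import android.view.View
import android.view.WindowManager
import androidx.appcompat.app.AppCompatActivity

class ConfirmTransferActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // 1. FLAG_SECURE: the window cannot be captured or mirrored, so
        //    screen-recording malware sees a black frame instead of the PIN.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        // 2. Android 12+ (API 31): hide other apps' SYSTEM_ALERT_WINDOW
        //    overlays for as long as this activity is on screen.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }
        setContentView(R.layout.activity_confirm_transfer)

        val confirm = findViewById<View>(R.id.confirm_button)
        // 3. Discard touches delivered while another window fully covers this
        //    view (also settable in XML as android:filterTouchesWhenObscured).
        confirm.filterTouchesWhenObscured = true
        // 4. Additionally refuse taps under a *partial* overlay and report them.
        confirm.setOnTouchListener { _, event -> isObscured(event) }
    }

    /**
     * True (consuming the event, so the click never reaches the button) when
     * the touch happened beneath a full or partial overlay window.
     */
    fun isObscured(event: MotionEvent): Boolean {
        val flags = event.flags
        val fullyObscured = (flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        val partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
            (flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        if (fullyObscured || partiallyObscured) {
            // Report to the fraud backend here; never act on the tap.
            return true
        }
        return false
    }
}
```

These controls stop the tap from reaching the real button and deny the malware a readable screen; they do not stop an overlay from being drawn on older Android versions, so the user-facing screen should still be designed to make a fake copy easy to spot.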
- Stealing private crypto keys by compromising the operating system
Private keys are everything in crypto and decentralized finance because they are used to authorize transactions and prove ownership of a blockchain asset. However, private keys can be tampered with or stolen, leading to the theft of digital assets.
Singapore’s investors are not immune to this threat – the number of crypto scams reported to the police has jumped fivefold since 2019 – with 631 reports made in 2021.
Risks have increased as private keys moved from storage in custodial wallets to non-custodial wallets – where users take responsibility for the security of their private keys.
When fraudsters hack a device, they often look for a private key first. This threat is heightened in rooted or jailbroken devices, where software restrictions implemented by the manufacturer are compromised.
Prevent your app from running on jailbroken and rooted devices, including devices rooted with advanced tools like Magisk; ensure that your digital wallet data is encrypted at rest; and use advanced white-box cryptography together with threat-aware encryption keys to encrypt the app sandbox, files, strings, resources, preferences and native libraries.
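A set of root indicators an Android app can evaluate before it unlocks wallet data, as an added example that is not Appdome's code or the page's own. The file paths and package names are the well-known locations of `su` binaries and root managers (Magisk's package and working directories included); each signal is weak alone, so the function returns every indicator that fired rather than a single boolean.

```kotlin
// Added example (not Appdome's code): root/Magisk indicators an app can
// evaluate before touching wallet keys. Paths and package names are the
// commonly published locations; treat the result as telemetry to combine
// with server-side attestation, not as a guarantee.
import android.content.Context
import android.content.pm.PackageManager
import android.os.Build
import java.io.File

object RootDetector {
    // Well-known su binary locations.
    private val SU_PATHS = listOf(
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/sd/xbin/su", "/data/local/xbin/su", "/data/local/bin/su",
        "/data/local/su", "/su/bin/su"
    )

    // Directories Magisk has used for its working files and modules.
    private val MAGISK_PATHS = listOf("/sbin/.magisk", "/data/adb/magisk", "/data/adb/modules")

    // Packages of common root managers, Magisk included. On Android 11+ these
    // must also be declared in the manifest's <queries> block to be visible.
    private val ROOT_PACKAGES = listOf(
        "com.topjohnwu.magisk", "eu.chainfire.supersu", "com.koushikdutta.superuser"
    )

    fun hasSuBinary(): Boolean = SU_PATHS.any { File(it).exists() }

    fun hasMagiskFiles(): Boolean = MAGISK_PATHS.any { File(it).exists() }

    /** su reachable through PATH: a very common indicator. */
    fun suOnPath(): Boolean =
        System.getenv("PATH")?.split(":")?.any { File(it, "su").exists() } ?: false

    /** Builds signed with test keys are usually custom or rooted ROMs. */
    fun isTestKeysBuild(): Boolean = Build.TAGS?.contains("test-keys") == true

    fun hasRootManagerApp(context: Context): Boolean {
        val pm = context.packageManager
        return ROOT_PACKAGES.any { pkg ->
            try {
                pm.getPackageInfo(pkg, 0)
                true
            } catch (e: PackageManager.NameNotFoundException) {
                false
            }
        }
    }

    /** Names of every indicator that fired; an empty list means none did. */
    fun indicators(context: Context): List<String> = buildList {
        if (hasSuBinary()) add("su_binary")
        if (suOnPath()) add("su_on_path")
        if (hasMagiskFiles()) add("magisk_files")
        if (isTestKeysBuild()) add("test_keys")
        if (hasRootManagerApp(context)) add("root_manager_app")
    }

    fun isLikelyRooted(context: Context): Boolean = indicators(context).isNotEmpty()
}
```

Magisk's hiding features are built precisely to defeat file and package checks like these, which is why the wallet's key material should additionally be bound to hardware-backed Keystore keys and the device state confirmed through a server-verified attestation; the local checks still catch the large population of plainly rooted devices and give the backend a reason to step up authentication.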
- Weak encryption
Looking at the top five attacks on investment apps, several apps were found to be using an unencrypted SQLite database in their Android app, making them vulnerable. Unencrypted data in the application sandbox or on the SD card, in preference stores like NSUserDefaults, or in the clipboard is a common target. Given this, data-at-rest encryption is recommended to protect data in these areas. Hackers also target transactions, passwords and passphrases, so enforcing SSL/TLS for all communications, including a minimum TLS version and an explicit set of cipher suites, is a good protective measure.
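The weak choices named above beside their hardened replacements, as an added example that is not Appdome's code or the page's own. It assumes three third-party libraries as Gradle dependencies: `net.zetetic:android-database-sqlcipher` (encrypted SQLite), `androidx.security:security-crypto` 1.1.x (encrypted SharedPreferences over an Android Keystore master key) and `com.squareup.okhttp3:okhttp` 4.x (the TLS policy); the database and preference names are assumptions.

```kotlin
// Added example (not Appdome's code): plaintext storage beside its encrypted
// replacement, and an OkHttp client that refuses anything below TLS 1.2.
// Assumed dependencies: net.zetetic:android-database-sqlcipher,
// androidx.security:security-crypto 1.1.x, com.squareup.okhttp3:okhttp 4.x.
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import net.sqlcipher.database.SQLiteDatabase
import okhttp3.CipherSuite
import okhttp3.ConnectionSpec
import okhttp3.OkHttpClient
import okhttp3.TlsVersion

object SecureStorage {
    // WEAK: plaintext SQLite in the app sandbox, readable on any rooted
    // device and carried into unencrypted backups.
    fun openPlainDb(context: Context): android.database.sqlite.SQLiteDatabase =
        context.openOrCreateDatabase("wallet.db", Context.MODE_PRIVATE, null)

    // HARDENED: SQLCipher database. The passphrase must come from a
    // Keystore-protected secret (for example one kept in encryptedPrefs()),
    // never from a string compiled into the APK.
    fun openEncryptedDb(context: Context, passphrase: CharArray): SQLiteDatabase {
        SQLiteDatabase.loadLibs(context)
        val file = context.getDatabasePath("wallet.db")
        return SQLiteDatabase.openOrCreateDatabase(file, passphrase, null)
    }

    // WEAK: plaintext SharedPreferences, Android's counterpart of NSUserDefaults.
    fun plainPrefs(context: Context): SharedPreferences =
        context.getSharedPreferences("session", Context.MODE_PRIVATE)

    // HARDENED: keys and values encrypted with AES-256 under a Keystore master key.
    fun encryptedPrefs(context: Context): SharedPreferences {
        val masterKey = MasterKey.Builder(context)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .build()
        return EncryptedSharedPreferences.create(
            context, "session_secure", masterKey,
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
        )
    }
}

object SecureTransport {
    // HARDENED: TLS 1.2 and 1.3 only, with an explicit AEAD cipher-suite
    // allow-list. Because ConnectionSpec.CLEARTEXT is not offered, plain
    // http:// URLs fail instead of silently downgrading.
    private val STRICT_TLS = ConnectionSpec.Builder(ConnectionSpec.RESTRICTED_TLS)
        .tlsVersions(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
        .cipherSuites(
            CipherSuite.TLS_AES_256_GCM_SHA384,
            CipherSuite.TLS_AES_128_GCM_SHA256,
            CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
            CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
            CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
            CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        )
        .build()

    fun client(): OkHttpClient = OkHttpClient.Builder()
        .connectionSpecs(listOf(STRICT_TLS))
        .build()
}
```

The point of keeping the weak functions in the file is the diff: the encrypted variants are one-line swaps at every call site, and the TLS policy is applied once on the shared client rather than per request, so a later developer cannot accidentally open a plaintext connection by constructing a second client.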
- Dynamic runtime attacks and dynamic instrumentation
Modified versions of investment apps, used with emulators and simulators or with on-device malware, can be used by hackers to create fake accounts, activate malicious trades and transfer cryptocurrency from one investment app to another.
In Singapore, businesses have been targeted by ransomware threats in recent years, with the number of cases growing by 54% between 2020 and 2021. To safeguard against these challenges, implementing runtime application self-protection (RASP) methods is recommended. In particular, deploying anti-tampering, anti-debugging and emulator-detecting solutions is advised. Implementing options to protect against the malicious use of ADB, for method hooking or other app-harming risks, as well as protection against dynamic instrumentation frameworks and toolkits like Frida, should also be considered.
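The detection side of those RASP controls in a form an Android app can run itself, as an added example that is not Appdome's code or the page's own: it checks for an attached debugger or debuggable build, for the build properties the stock emulator reports, and for two footprints Frida leaves (its agent library in the process's own memory map, and the default `frida-server` port). The signal names returned are assumptions for the app's own telemetry.

```kotlin
// Added example (not Appdome's code): runtime self-protection signals for
// debugger attachment, emulator execution and Frida instrumentation. They
// are heuristics: report them to the backend and degrade functionality
// rather than treat any one of them as proof.
import android.content.Context
import android.content.pm.ApplicationInfo
import android.os.Build
import android.os.Debug
import java.io.File
import java.net.InetSocketAddress
import java.net.Socket

object RuntimeGuard {
    /** A debugger is attached, or the build itself is marked debuggable. */
    fun isDebugged(context: Context): Boolean {
        val debuggableBuild =
            (context.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0
        return debuggableBuild || Debug.isDebuggerConnected() || Debug.waitingForDebugger()
    }

    /** Build properties that the stock Android emulator images report. */
    fun looksLikeEmulator(): Boolean {
        val hw = Build.HARDWARE.lowercase()
        val fp = Build.FINGERPRINT.lowercase()
        return hw.contains("goldfish") || hw.contains("ranchu") ||
            fp.startsWith("generic") || fp.contains("emulator") ||
            Build.MODEL.contains("Emulator") ||
            Build.MODEL.contains("Android SDK built for") ||
            Build.PRODUCT.contains("sdk_gphone") ||
            (Build.BRAND.startsWith("generic") && Build.DEVICE.startsWith("generic"))
    }

    /**
     * Frida injects an agent library into the target process, so its name
     * appears among the process's own mapped files.
     */
    fun fridaMappedInProcess(): Boolean {
        val maps = File("/proc/self/maps")
        if (!maps.canRead()) return false
        return maps.useLines { lines -> lines.any { it.contains("frida") } }
    }

    /**
     * frida-server listens on TCP 27042 by default. Opens a socket, so this
     * must run off the main thread (NetworkOnMainThreadException otherwise).
     */
    fun fridaServerListening(port: Int = 27042): Boolean =
        try {
            Socket().use { it.connect(InetSocketAddress("127.0.0.1", port), 200) }
            true
        } catch (e: Exception) {
            false
        }

    /** Names of every signal that fired, for telemetry; empty means clean. */
    fun findings(context: Context): List<String> = buildList {
        if (isDebugged(context)) add("debugger")
        if (looksLikeEmulator()) add("emulator")
        if (fridaMappedInProcess()) add("frida_maps")
        if (fridaServerListening()) add("frida_port")
    }
}
```

Because these checks live in the same process an instrumentation tool controls, each one can be hooked or patched out; that is the argument for running them from native code, repeating them at sensitive moments rather than only at launch, and sending the findings to the backend so that a device reporting "clean" while behaving like an emulator can still be flagged there.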
Do not sleep on security
Cybercriminals never sleep when it comes to developing new threats, so, as a banking or FinTech app developer, staying ahead of threat actors is imperative. Investors and users of FinTech apps should also remain alert and vigilant: they need to do their research and demand that app makers do more to protect their data, their usage and their financial investments.
As the investment app sector is highly competitive, best-in-class security is as critical as speed and ease of use when it comes to building apps that delight Singaporeans.