
This post is from the Arxan blog and has not been updated since the original publish date.

Last Updated Dec 04, 2015 — Application Security expert

Mobile Payments: Protecting Applications and Data from Emerging Risks

Application Security

Holiday shopping season is upon us, and more and more buyers will be leaving their credit cards and cash in their pockets and completing their holiday purchases on their convenient mobile phones and tablets. Most mobile payment solutions are very secure – and in fact, more secure than the old-fashioned swiping of a credit card at a point-of-sale terminal. But, in light of the recent rash of mobile app attacks (including KeyRaider, XcodeGhost, and Shuanet) and new attack vectors that have recently emerged, we wanted to provide input for organizations that are revisiting their mobile payment security approach in preparation for the holiday shopping rush.

What threats should you be concerned about?

Techniques hackers are using to attack mobile payments continue to evolve. Of particular importance in most mobile payment apps is cryptography. We highlight cryptography because:

  • In most mobile payment apps, it’s used to encrypt data and ensure secure communications between the mobile app and the back-end server handling the transaction.
  • Many organizations don’t protect their keys, or think it is too difficult to protect them. In fact, 80% of respondents to a Ponemon Institute survey sponsored by IBM identified broken cryptography as the most difficult risk to minimize.
  • Unfortunately, crypto keys represent a prime target, as hackers are utilizing a broad set of tactics to discover keys, including extracting them through memory scraping techniques. With access to an application’s crypto keys and algorithms, hackers obtain the “keys to the kingdom” that expose data and app security measures, making it quite easy for them to circumvent security controls and/or tamper with application logic to steal payment and personal information.

What protection techniques should you focus on?

There is no shortage of attack vectors, so the real question is: “What are the most important factors to focus on, given limited resources and time?” We believe that you’ll get the best results by taking an integrated approach that includes:

  • Compromised device detection
  • User authentication
  • Data protection
  • Run-time application protection

(Note: With these factors addressed, network protection becomes less important!)

The table below summarizes what you can do to address the most effective techniques hackers are currently using to compromise mobile payment solutions.

[Table not reproduced in this copy of the post]

To protect all-important crypto keys in payment apps, we recommend applying White Box Cryptography in lieu of standard cryptographic implementations. The best White Box Cryptography solutions combine mathematical obfuscation with classic code obfuscation. Together, these two forms of obfuscation help raise the bar to prohibitively high levels for hackers trying to identify keys or algorithm implementations via static or dynamic analysis. White Box Cryptography protects:

  • Static keys – Embedded in applications when they ship
  • Dynamic keys – Generated on the fly at run-time
  • Sensitive user data
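As an added illustration of the “static keys embedded in applications when they ship” risk (example code written for this post, not Arxan’s tooling or any product described here): a pre-release check that fails the build if any key the pipeline was given can be found by a plain byte search in the shipped artifact, whether it was embedded raw, as hex or as base64. The sample keys and the stand-in artifact are constructed; a clean result says nothing about run-time memory scraping, which is the gap white-box cryptography is meant to close.

```python
"""Release-gate check: fail a build if any static key the build was given
appears verbatim in the shipped artifact (raw, hex or base64)."""
import base64
import hashlib
from typing import Dict, List, Tuple

# Constructed sample keys for this example; real keys come from the build's key store.
SAMPLE_KEYS: Dict[str, bytes] = {
    "aes_payment_key": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "hmac_session_key": hashlib.sha256(b"constructed-demo-seed").digest(),
}

def key_encodings(key: bytes) -> Dict[str, bytes]:
    """Byte patterns a key takes if a developer embeds it as raw bytes,
    a hex string (either case) or a base64 string."""
    hexed = key.hex()
    return {
        "raw": key,
        "hex_lower": hexed.encode(),
        "hex_upper": hexed.upper().encode(),
        "base64": base64.b64encode(key),
    }

def find_embedded_keys(artifact: bytes, keys: Dict[str, bytes]) -> List[Tuple[str, str, int]]:
    """Scan an artifact (APK, IPA, .so, ...) read as bytes and report every
    (key_name, encoding, offset) at which a known key is present. An empty
    list means no given key is recoverable by a simple byte search; it does
    not show the key is safe from memory scraping once the app is running."""
    hits = []
    for name, key in keys.items():
        for enc, pattern in key_encodings(key).items():
            start = 0
            while (pos := artifact.find(pattern, start)) != -1:
                hits.append((name, enc, pos))
                start = pos + 1
    return hits

def build_demo_artifact() -> bytes:
    """Constructed stand-in for a compiled app: code-like filler with one key
    leaked as a base64 string constant and another as raw bytes."""
    filler = bytes(range(256)) * 4
    return (filler + b"KEY=" + base64.b64encode(SAMPLE_KEYS["aes_payment_key"]) + b"\x00"
            + filler + SAMPLE_KEYS["hmac_session_key"] + filler)

if __name__ == "__main__":
    for hit in find_embedded_keys(build_demo_artifact(), SAMPLE_KEYS):
        print("embedded key found: name=%s encoding=%s offset=%d" % hit)
```

In a real pipeline the artifact is the signed release build and the key dictionary is loaded from the same secret store the build used; any hit should fail the release.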

Finally, organizations should educate those using their mobile payment apps on some best practices. The risk of your mobile payment solution getting hacked decreases dramatically, if users:

  1. Download mobile apps only from official app stores (e.g. Google Play®, iTunes®, Facebook®, etc.)
  2. Ensure that their phone settings are set to prevent app downloads from unofficial stores (they may want to check their mobile phone’s User Guide for instructions.)
  3. Ensure private data and transactions are secure when using mobile apps, by asking their banks, retailers and credit card providers whether their mobile apps have been safeguarded against hacks such as reverse-engineering, tampering or malware insertion.
  4. Avoid mobile payments over public Wi-Fi. If that’s unavoidable (because they spend a lot of time in cafés, hotels or airports), then they should consider paying for access to a virtual private network, which will significantly improve privacy on public networks.
  5. Follow their instincts. If something about the payment transaction appears to be suspicious, they should consider making the payment later on, or by a different means.

If implemented properly, these protection techniques will dramatically decrease the risk that your mobile payment app will be compromised – and prevent you from squandering the profits from your holiday-related mobile transactions to cover the cost of potential data breaches. To learn more about how your organization can maximize mobile application security, check out our blog post titled “Top 10 Actions for Runtime Application Protection.”
