What have we found?
The results are far from optimistic. Fewer than 1% of applications were found to use all six security approaches, and approximately 10% of applications apparently do not use any countermeasures at all. Among security features, Anti-Rooting is the most frequently used one, found in 78% of applications. The most rarely used capability is Anti-Cloning, detected in only 9.2% of applications.
10% of payment applications are critically vulnerable
These results do not necessarily mean that at least 10% of payment applications are critically vulnerable and put customers or financial institutions at risk. The goal of the research was not to identify vulnerable applications but to analyze the functional capabilities of mobile payment apps. It is possible that mobile apps with zero or one detected security features actually ‘hide’ a custom security algorithm within their code, a practice that is by itself sometimes questionable. Although looking at an application directly ‘from an attacker’s perspective’ is what actually gives a developer objective data, automated evaluation of security properties can be a first step toward recognizing where a software solution stands in terms of security robustness and what could be improved.
White Box Cryptography for Anti-key-recovery
Fortunately for application developers and users, various solutions are available that can improve security. Riscure recommends using strong obfuscation tools for anti-analysis as well as strong White Box Cryptography for Anti-key-recovery. As for Anti-rooting, Anti-instrumentation, Anti-tamper, and Anti-cloning, these checks are more effective when applied repeatedly throughout the code rather than at a single point.
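The following is an added illustration of that last recommendation; it is not code from Riscure or from the whitepaper. It contrasts a single cached startup root check with the same indicators re-evaluated at every sensitive operation. The su paths, the `test-keys` build tag and the `Superuser.apk` path are common illustrative indicators, and the file-system probe is a constructed fake so the example runs offline on any platform.

```c
/* Added example (not Riscure's code): one-shot cached root check versus
 * repeated, layered checks at each sensitive operation. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Illustrative indicator paths; real detectors use a broader, obfuscated list. */
static const char *SU_PATHS[] = {
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"
};

/* Probe hook: real code would call stat(); the demo injects a fake. */
typedef bool (*path_exists_fn)(const char *path);

struct env_probe {
    path_exists_fn path_exists;
    const char *build_tags;   /* assumed value of ro.build.tags */
};

/* Each indicator is its own small function so it can be inlined at many sites. */
static bool su_binary_present(const struct env_probe *p) {
    for (size_t i = 0; i < sizeof SU_PATHS / sizeof *SU_PATHS; i++)
        if (p->path_exists(SU_PATHS[i])) return true;
    return false;
}

static bool test_keys_build(const struct env_probe *p) {
    return p->build_tags && strstr(p->build_tags, "test-keys") != NULL;
}

/* Weak pattern: one startup check whose verdict is cached in a global.
 * Every later operation trusts this single flag. */
static bool g_env_ok = true;

void weak_startup_check(const struct env_probe *p) {
    g_env_ok = !su_binary_present(p) && !test_keys_build(p);
}

bool weak_sensitive_op(const struct env_probe *p) {
    (void)p;
    return g_env_ok;   /* stale if the environment changed after startup */
}

/* Recommended pattern: re-run independent indicators at the point of use and
 * combine them, so no single cached value gates the whole application. */
bool layered_sensitive_op(const struct env_probe *p) {
    int score = 0;
    if (su_binary_present(p))                         score += 2;
    if (test_keys_build(p))                           score += 1;
    if (p->path_exists("/system/app/Superuser.apk"))  score += 2;
    return score < 2;   /* refuse once the evidence is strong enough */
}

/* Constructed fake environment: clean at startup, su appears later. */
static bool g_fake_rooted = false;

static bool fake_path_exists(const char *path) {
    return g_fake_rooted && strcmp(path, "/system/xbin/su") == 0;
}

static struct env_probe g_fake = { fake_path_exists, "release-keys" };

/* Returns weak*10 + layered, i.e. 10: the cached check still allows the
 * operation, the re-evaluated check refuses it. */
int demo(void) {
    g_fake_rooted = false;
    weak_startup_check(&g_fake);
    g_fake_rooted = true;                       /* environment changes at runtime */
    int weak    = weak_sensitive_op(&g_fake)    ? 1 : 0;
    int layered = layered_sensitive_op(&g_fake) ? 1 : 0;
    return weak * 10 + layered;
}
```

The scoring in `layered_sensitive_op` is deliberately simple; the design point is that each sensitive path gathers its own evidence at call time instead of consulting one boolean set at startup, which is what "applying the checks repeatedly throughout the code" means in practice.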
Riscure can provide its customers with the most up-to-date and strong tools and long-standing expertise in mobile security evaluation and review testing.
Interested? Register and download the whitepaper for more findings.