By Jan Sysmans
Filipino fintech app users say security is as important as user experience, features
A RESILIENT economy bolstered by robust fundamentals and a potential rebound make 2023 a good year for Filipinos to build and diversify their investment portfolios, according to local market analysts.
This bullish outlook, coupled with financial technology (fintech) and trading and investment apps that make buying and selling stocks and trading currencies easier than ever, is reason to be optimistic.
The Filipino digital wave is surging on the back of 168.3-million cellular mobile connections (144.5% of the population). Research also revealed that 76.7% of local consumers increased their mobile app use over the past 12 months, with e-wallet adoption and usage on the rise.
Filipinos have also embraced crypto. The Philippines is the second-ranked country in the 2022 Global Crypto Adoption Index released by blockchain analysis firm, Chainalysis, which tracks the most active cryptocurrency nations. Many Filipinos are also drawn towards digital tokens through blockchain games like Axie Infinity, with up to 40% of players coming from the Philippines at one stage.
Most Filipinos likewise have high expectations when it comes to mobile app security, according to Appdome’s recent survey. Many rank security as important as a great user experience. They have good reason to demand the best because studies show that 77% of financial apps have at least one vulnerability. By exploiting weaknesses, hackers can break through encrypted apps to access payment data. So, whether you are a digital investor or an investment app developer, here are some of the common security threats to be aware of today:
1. FAKE APPS
Fake financial services apps are a big threat. One app masquerading as an Asian trading company targeted social media and dating site users; when they opened the app and entered financial data, this triggered a fund transfer to cybercriminals. As most fake apps are published through a “Super Signature process” that bypasses security protections, anti-tampering solutions are recommended to deter hackers. Mobile Piracy Prevention, meanwhile, ensures that Android and iOS apps will not be copied or become Trojan apps when they are published in an app store.
2. OVERLAY ATTACKS
Malware such as Xenomorph and Sharkbot uses overlay attacks, in which a fake screen or window controlled by an attacker is placed on top of a legitimate application to trick users into revealing data. In a nutshell, malicious overlays are designed to mimic the original user interface of the app being targeted and can appear in the form of a button or a data entry field. It’s worth noting that blocking overlay attacks is required by law and regulators in many countries.
3. JAILBREAK AND ROOTING THREATS
Private keys are the security essentials in crypto and decentralized finance. Stolen private keys allow hackers to steal from investors. While custodial wallets were provided to help investors manage their private keys, other offerings enabling users to self-manage their private keys have been introduced. These have risks as many crypto novices lack the expertise to manage a key.
Securing devices is also vital. Hackers can steal private keys and confidential information, and the risk is raised on a jailbroken or rooted device, when the original security protocols of a device are compromised, allowing attackers to control operating systems and payment and investment apps. Tools to block Magisk and detect jailbreak bypass tools such as Liberty Lite are highly recommended.
4. WEAK ENCRYPTION
Looking at the top five attacks on investment apps, several of the targeted apps were found to use an unencrypted SQLite database in their Android app, which makes them vulnerable. Unencrypted data in the application sandbox or on the SD card, in areas like NSUserDefaults or the clipboard, is a commonly targeted channel. Given this, data-at-rest encryption is recommended to protect data inside these areas. Hackers also target transactions, passwords, and passphrases, and enforcing SSL/TLS for communications, including a minimum TLS version and cipher suites, is a good protective measure.
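For developers who want to check their own builds for the unencrypted-database problem described above, here is an added example (not from the survey or from Appdome) that scans a copy of an app's data directory for SQLite files readable without a key. It assumes the directory has been pulled from a test device to a local folder; the file names and sample data are constructed.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Plaintext SQLite files begin with this 16-byte header; a file encrypted as a whole does not.
SQLITE_MAGIC = b"SQLite format 3\x00"

def is_plaintext_sqlite(path):
    """True if the file carries the standard SQLite header (readable without a key)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False

def list_tables(path):
    """Open read-only and return the table names that anyone with file access could read."""
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        return [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    except sqlite3.Error:
        return []  # header present but file truncated or corrupt
    finally:
        con.close()

def audit_sandbox(root):
    """Map each plaintext SQLite file under root to the tables it exposes."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_plaintext_sqlite(full):
                findings[os.path.relpath(full, root)] = list_tables(full)
    return findings

def build_sample_sandbox():
    """Constructed sample: a plaintext DB plus random bytes standing in for an encrypted DB."""
    db_dir = Path(tempfile.mkdtemp(prefix="sandbox_")) / "databases"
    db_dir.mkdir()
    con = sqlite3.connect(db_dir / "wallet.db")
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, passphrase TEXT)")
    con.close()
    (db_dir / "vault.db").write_bytes(os.urandom(4096))
    return str(db_dir.parent)

if __name__ == "__main__":
    print(audit_sandbox(build_sample_sandbox()))
```

Any file the scan reports should either be encrypted at rest or hold nothing sensitive.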
5. DYNAMIC RUNTIME ATTACKS
Modified investment apps equipped with emulators, simulators, or on-device malware can be used to create fake accounts, perform malicious trades, and transfer cryptocurrency from one app to another. Implementing runtime application self-protection (RASP) methods, particularly anti-tampering, anti-debugging, and preventing emulators, is a way to guard against this.
Hackers constantly look for “easy marks,” and if your app is missing one or two security features, scammers will exploit the defensive weakness. Investment app developers, therefore, must keep providing great services, as well as security to address new threats. It is a tough balancing act, but one that is nonnegotiable.
Jan Sysmans is the Mobile App Security Evangelist at Appdome.