Jan Sysmans, Mobile App Security Evangelist, Appdome, on meeting the protection expectations of Singaporean consumers.
Alarm bells rang across Singapore’s investment community last November when five American investors lost more than US$10 million in a cryptocurrency scam involving scam domains of the former Singapore International Monetary Exchange (Simex).
In addition, Singapore-based crypto firm BitKeep lost over $8 million USD to a hack in December 2022.
Fake or fraudulent programs are one of several threats to users of investment programs. A recent study revealed that 77% of financial applications have at least one vulnerability that could lead to a data breach, while 88% of applications fail cryptographic tests, making them a target for data-hungry hackers.
Plugging these gaps is in everyone’s best interest, especially in the context of Singapore’s goal of becoming a global cryptocurrency hub.
And it seems that Singaporean consumers expect app makers to protect them from hacking, fraud and malware, according to a recent consumer expectations of mobile app security survey.
That’s why the old adage “forewarned is forearmed” has never been more relevant, and developers of banking and FinTech applications will not stand a chance if they do not protect their customers from the following threats and attacks:
Unfortunately, scams like the Simex case are not uncommon. For example, one app – posing as an Asian trading company – lured users of social media and dating sites into downloading the fake app which opened the door for cybercriminals to wreak havoc.
Fake apps are published through ‘Super Signature’ processes that bypass security protections and mechanisms used by official app repositories. Using mobile piracy prevention solutions will ensure that your Android and iOS apps will not be copied or trojanized after publishing to a public app store. Validating that apps signed for Apple and Google Play stores cannot be distributed to other stores is another must, as is verifying the integrity of the app bundle and all its content at runtime. This will protect your brand from negative publicity and user backlash if fake versions and mods of your app end up on your customers’ phones.
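As an added illustration of the runtime checks described above (not code from the article or from Appdome), this Kotlin snippet for Android compares the SHA-256 fingerprint of the app's own signing certificate with a pinned value and confirms that the package was installed by Google Play; the `EXPECTED_CERT_SHA256` constant is a placeholder to be replaced with your release certificate's fingerprint.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.content.pm.Signature
import android.os.Build
import java.security.MessageDigest

// Placeholder: SHA-256 of your release signing certificate (hex, lowercase).
private const val EXPECTED_CERT_SHA256 =
    "0000000000000000000000000000000000000000000000000000000000000000"

// Package name of the Google Play Store installer.
private const val PLAY_STORE_INSTALLER = "com.android.vending"

// Returns the SHA-256 fingerprints of every certificate that signed this APK.
@Suppress("DEPRECATION")
fun signingCertSha256(context: Context): List<String> {
    val pm = context.packageManager
    val pkg = context.packageName
    val certs: Array<Signature> =
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            val si = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES).signingInfo
            if (si.hasMultipleSigners()) si.apkContentsSigners else si.signingCertificateHistory
        } else {
            pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES).signatures
        }
    val md = MessageDigest.getInstance("SHA-256")
    return certs.map { sig ->
        md.digest(sig.toByteArray()).joinToString("") { "%02x".format(it) }
    }
}

// True only if the installing package was the Play Store (sideloads and
// third-party stores report a different installer, or none at all).
@Suppress("DEPRECATION")
fun installedFromPlay(context: Context): Boolean {
    val pm = context.packageManager
    val installer = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
        pm.getInstallSourceInfo(context.packageName).installingPackageName
    } else {
        pm.getInstallerPackageName(context.packageName)
    }
    return installer == PLAY_STORE_INSTALLER
}

// Combined check: the binary carries our certificate and came from our store.
fun appIntegrityOk(context: Context): Boolean =
    signingCertSha256(context).contains(EXPECTED_CERT_SHA256) && installedFromPlay(context)
```

Because a repackaged build can have these client-side checks patched out, treat them as one layer and back them with a server-side attestation check (for example Play Integrity) before approving sensitive transactions.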
Mobile Banking Trojans such as Sharkbot and Xenomorph are malware that use an overlay attack – where a fake screen or window controlled by an attacker is placed on top of a legitimate application to trick users into revealing confidential information. The best defense is a no-code mobile fraud prevention solution that enables developers, publishers, studios and financial institutions to stop fraud at the source – these solutions build preventative and defensive protection into your mobile app in minutes. A Singaporean retiree recently lost more than $71,000 due to a probable overlay attack on their mobile banking app.
Theft of private crypto keys by compromising the operating system
Private keys are everything in crypto and decentralized finance because they are used to authorize transactions and prove ownership of a blockchain asset. However, private keys can be tampered with or stolen – leading to the theft of digital assets.
Singapore’s investors are not immune to this threat – the number of crypto scams reported to the police has increased fivefold since 2019 – with 631 reports made in 2021.
Risks have increased as private keys have moved from storage in custodial wallets to non-custodial wallets – where users take responsibility for the security of their private keys.
When fraudsters hack a device, they often look for a private key first. This threat is increased in rooted or jailbroken devices, where software restrictions implemented by the manufacturer are compromised.
Prevent your app from running on jailbroken and rooted devices, including those rooted with advanced tools like Magisk; ensure your digital wallet data is encrypted at rest; and use advanced whitebox cryptography, together with threat-aware encryption keys, to encrypt the app sandbox, files, strings, resources, preferences and native libraries.
Looking at the top five attacks on investment apps, several apps were found to use an unencrypted SQLite database in their Android app, making them vulnerable. Unencrypted data in the application sandbox or on the SD card, in preference stores such as NSUserDefaults, or in the clipboard are common channels that are targeted. Given this, data-at-rest encryption is recommended to protect data in these areas. Hackers also target transactions, passwords and passphrases; enforcing SSL/TLS for all communication, including a minimum TLS version and a restricted set of cipher suites, is a good safeguard.
Dynamic runtime attacks and dynamic instrumentation
Modified versions of investment programs, used with emulators and simulators or on-device malware, can be used by hackers to create fake accounts, enable malicious transactions, and transfer cryptocurrency from one investment program to another.
In Singapore, businesses have been targeted by ransomware threats in recent years, with the number of cases growing by 54% between 2020 and 2021. To protect against these challenges, the implementation of runtime application self-protection (RASP) methods is recommended. It is especially advised to deploy anti-tampering, anti-debugging and emulator detection solutions. Protection against the malicious use of ADB – for method hacking or other app-damaging attacks – and against dynamic instrumentation frameworks and toolkits such as Frida should also be considered.
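To make the RASP checks above concrete, here is an added Kotlin example for Android (not code from the article or from Appdome) that reports the runtime conditions just listed: an attached debugger or debuggable build, USB debugging (ADB) enabled, emulator fingerprints, and a dynamic-instrumentation agent loaded into the app's own process. The marker strings in `INSTRUMENTATION_MARKERS` are assumed indicators of such agents, and how the app responds to a finding is left to the caller.

```kotlin
import android.content.Context
import android.content.pm.ApplicationInfo
import android.os.Build
import android.os.Debug
import android.provider.Settings
import java.io.File

data class RuntimeThreat(val category: String, val detail: String)

// Assumed indicators: library names and thread names that commonly appear in a
// process once a dynamic-instrumentation agent has been injected into it.
private val INSTRUMENTATION_MARKERS = listOf("frida", "gum-js-loop", "gmain", "linjector")

// Returns every suspicious runtime condition found; an empty list means none.
fun detectRuntimeThreats(context: Context): List<RuntimeThreat> {
    val found = mutableListOf<RuntimeThreat>()

    // 1. A JDWP debugger is attached, or the build was shipped debuggable.
    if (Debug.isDebuggerConnected() || Debug.waitingForDebugger())
        found += RuntimeThreat("debugger", "debugger attached to process")
    if ((context.applicationInfo.flags and ApplicationInfo.FLAG_DEBUGGABLE) != 0)
        found += RuntimeThreat("debuggable", "release build must not be debuggable")

    // 2. USB debugging (ADB) is switched on in the device settings.
    if (Settings.Global.getInt(context.contentResolver, Settings.Global.ADB_ENABLED, 0) == 1)
        found += RuntimeThreat("adb", "USB debugging enabled on device")

    // 3. Emulator fingerprints (goldfish/ranchu are the Android emulator kernels).
    val emulator = Build.FINGERPRINT.startsWith("generic") ||
        Build.HARDWARE in setOf("goldfish", "ranchu") ||
        Build.MODEL.contains("Emulator", ignoreCase = true) ||
        Build.PRODUCT.contains("sdk", ignoreCase = true)
    if (emulator) found += RuntimeThreat("emulator", "${Build.MANUFACTURER} ${Build.MODEL}")

    // 4. Instrumentation agent inside our own process: scan the mapped
    //    libraries and the names of our own threads for the markers above.
    val maps = runCatching { File("/proc/self/maps").readText() }.getOrDefault("")
    val threadNames = File("/proc/self/task").listFiles().orEmpty()
        .mapNotNull { runCatching { File(it, "comm").readText().trim() }.getOrNull() }
    for (marker in INSTRUMENTATION_MARKERS) {
        if (maps.contains(marker, ignoreCase = true) || threadNames.any { it.contains(marker) })
            found += RuntimeThreat("instrumentation", "marker '$marker' present in process")
    }
    return found
}
```

Run the check at startup and again before sensitive operations, and report findings to your backend so that a session on a tampered device can be risk-scored or refused server-side rather than relying on the client alone.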
Don’t sleep on security
Cybercriminals never sleep when it comes to developing new threats, so as a banking or FinTech application developer, staying ahead of threat actors is essential. And investors and users of fintech applications must remain alert and vigilant. They need to do their research and demand that the app makers do more to protect their data, their use and their financial investments.
As the investment app sector is highly competitive, best-in-class security is just as critical as speed and ease of use when it comes to building apps that delight Singaporeans.