Guardsquare exclusively available via Innoviortech
The Company
This publicly traded, Pakistan-based commercial bank offers corporate and commercial investment services, international banking assistance, cash management services, and agricultural banking. On top of employing 5,000+ employees across nearly 700 branches and sub-branches to serve millions of customers across the country. Since 1991, the organization has continued to provide the best banking experience for its customers as well as giving back to the rest of the community. The organization provides customers access to their banking services via their iOS and Android apps including their main banking apps, digital wallet, and ID Verification apps. They are committed to providing their customers with a convenient, reliable, and secure banking experience through these applications. In 2022, the organization saw an approximately 40% YoY increase in net revenues across all of its business, partly thanks to its high digital banking adoption rate.
The Challenge
In 2019, a study revealed that South Asia represented 33.2% of global mobile phone users who utilize mobile phones as their primary channel for banking activities. Fast forward to 2022, the State Bank of Pakistan identified that 12.3 million registered mobile phone users performed 387.5 million mobile phone banking transactions with a staggering YoY increase of 141.1% in transaction value. As the number of customers using its mobile banking apps continued to increase, the bank quickly noticed that threat actors were increasingly targeting its apps with different kinds of attacks to cause harm. One notable risk they saw was the presence of dozens of cloned, modded, and repackaged versions of their apps distributed on the internet. So when the apps failed to pass internal pen testing, the organization’s then-new CISO knew they had to move fast. Without sufficient protection against tampering and reverse engineering, attackers could cause harm to their business by stealing and selling sensitive assets and data inside their apps, committing fraud (i.e., brand abuse, transaction fraud, account take-over (ATO)), and even launching malware attacks against their apps. Most importantly, the bank needed to maintain compliance with the State Bank’s regulatory requirements and achieve other industry compliance (i.e., PCI-DSS). Failing to comply with these requirements could result in hefty fines and ultimately lead to the revocation of the bank’s operational license in the country.
The Solution
The bank approached Guardsquare in 2019 to inquire about implementing DexGuard and iXGuard to protect their Android and iOS applications. They quickly chose to work with Guardsquare due to the company’s good reputation in the South Asian banking industry. The company’s CISO, who spearheaded the push for greater mobile app security, was impressed with the breadth and depth of security features offered by Guardsquare’s products. He found the advanced static and dynamic protection features DexGuard and iXGuard offer to be the exact solutions necessary to mitigate all the identified security risks. The protection features include, among others, name obfuscation, control flow obfuscation, certificate pinning, jailbreak/root detection, and hooking detection. This advanced feature set is complemented by the polymorphic protection capability that ensures that no protection configuration is ever the same between each release. Additionally, to maintain continuous visibility of their mobile applications in production, the bank also implemented ThreatCast to monitor client-side threats. The user-friendly dashboard provides the organization with real-time information on dynamic attack attempts by users, such as when the apps are being used in rooted/jailbroken devices when hooking or debugging tools are attached to the device, and when users attempt to repackage the apps. These insights can then be used to inform future app development to further enhance the bank’s security posture as well as being fed into existing SIEM and anti-fraud systems, allowing for more accurate fraud detection.
The Results
With their mobile apps fully protected, the security team was no longer able to find any cloned, modded, or repackaged versions of their apps. They were able to pass the internal and external penetration testing without any issues and maintain compliance with the country’s state bank’s requirements. To further demonstrate their commitment to maintaining the best security posture, they were able to seamlessly meet Mobile Applications (Apps) Security Guidelines issued by the country’s Payment Systems Policy & Oversight Department as well as the PCI-DSS compliance requirements. With ThreatCast, the security team now has full visibility into how their applications are being used in production, allowing them to make a more informed decision on their future app development strategies. Additionally, as a part of the CISO’s security improvement strategies, the bank also practices regular Red vs. Blue team exercises to continue improving the organization’s mobile app cyber defenses, building the security skills of each team member along the way. Moving forward, the company will continue using Guardsquare products to meet and maintain external compliance requirements and protect its apps from existing and developing threats. The bank’s CISO is also considering other applications for Guardsquare products, such as incorporating ThreatCast into their existing SIEM and exploring the use of AppSweep in their iOS and Android apps. AppSweep enables companies to seamlessly integrate mobile application security testing (MAST) throughout the application lifecycle, find and fix security vulnerabilities, and map those vulnerabilities to industry standards like OWASP
