Recommended Responses to Security Issues
Malwarelytics for Apple provides detection of many security issues. Moreover, it provides a huge variability in both configuring these protections and reactions to security violations. Some reactions, such as app termination, are provided by the SDK. Other reactions, such as displaying a warning screen or limiting functionality, are the responsibility of the application integrating Malwarelytics for Apple.
The page provides a summary of recommended responses to various security issues that the SDK can help you with.
Summary of the Recommended Responses
Before diving into details we summarize the recommendations here. In general, we recommend:
- Terminate the app on app repackaging, when a debugger is attached, or when reverse engineering tools are detected.
- Show active warning when a jailbroken device is detected.
- Block debuggers, and hide screen contents when screen capturing is detected.
- Inform about other potential issues in some security advisor built into the app.
Responses to Security Issues
Some general approaches to handling a security violation might be:
- Display a Warning Message: The app can display a warning message informing the user that the app doesn’t support when a certain security feature is violated. This message should explain the security risks associated with using the app on such devices in such conditions and recommend fixing the issue for banking and financial operations.
- Limited Functionality: The app can limit its functionality when a security violation is detected. For example, it might disable some sensitive features like money transfers, or access to sensitive financial data to reduce the potential for unauthorized access and fraudulent activities.
- Terminate the App: If the app detects that it is running on a device with a security violation, it can immediately terminate itself to prevent any further access. This will help minimize the exposure of sensitive financial information and protect the user from potential security risks. As a general UX improvement, it is recommended to also open a website (in a browser outside the app) with an explanation while the app is being terminated.
- Silent Monitoring on Server: The app can silently monitor what’s happening on the device by sending data to the remote server. This approach is especially powerful when connected to a complex anti-fraud system analyzing inputs from various sources. The backend system can then decide the appropriate handling of the security issue. This approach should be used for all features in parallel to other approaches.
Responses to RASP Security Issues
Malwarelytics for Apple protects from a wide range of runtime issues. Some of them are more serious than others. Here we provide a list of recommended responses to these issues by a banking or a financial app.
Summary of Responses to RASP Issues
The summary here mentions RASP protection features that have a RaspObserver callback method. These features can notify the integrating app about an issue and the app can react to it. Some of the protection behaviors are automatically provided by the SDK.
| Security feature | Recommended response to security issue |
|---|---|
| Jailbroken device | Terminate the app. |
| Repackaged app | Terminate the app. |
| Attached debugger | Block debuggers or terminate the app when a debugger attaches. |
| Reverse engineering tools | Terminate the app. |
| Screenshots | Display a warning. |
| Screen capturing | Hide content and monitor silently. |
| System passcode status | Display a warning. Optionally limit sensitive functionality. |
| System biometry status | Monitor silently. Optionally display a recommendation. |
| HTTP proxy | Display a warning. |
| VPN | Display a warning. |
| Active calls | Limit sensitive functionality during a call. |
| App presence | Limit sensitive functionality when an unwanted app is installed. |
Jailbroken Devices
It is generally recommended to avoid using jailbroken devices for banking or financial apps. The integrity of jailbroken devices is compromised and security is reduced. It is far easier for attackers to bypass security measures designed to protect financial data and the integrity of financial operations within the app.
For these reasons, we generally recommend terminating the app and not allowing users to use it on a jailbroken device.
Repackaged Application
A repackaged application is a changed app and can’t be considered secure. It poses a danger to both clients and the financial institution issuing the app. Any code inside a repackaged app can be inserted, changed, or removed. Therefore security features of such apps have to be considered as compromised.
For this reason, the app should unconditionally terminate itself when it detects that it has been repackaged.
Attached Debuggers
An attached debugger poses a huge danger to the app. There’s a huge number of potential issues such as data leakage, security breaches, transaction tampering, and injection of malicious code.
For these reasons, we generally recommend either blocking debuggers from attaching or terminating the app when an attached debugger is detected.
Reverse Engineering Tools
Reverse engineering tools substantially affect the security and integrity of iOS applications. These tools can be used to jailbreak the device, hook into live processes, and modify code execution in real-time. It can be used to bypass security checks, authentication mechanisms, and other protective measures.
For these reasons, the app should unconditionally terminate itself when it detects any reverse engineering tool.
Screenshots
Screenshots taken by users can contain sensitive personal and financial information. Once a screenshot is captured, the users should take care to handle it with caution to avoid accidental leakage and exposure of the data it may contain. Unfortunately, this is often not the case.
For this reason, the app should warn users about the dangers of leaking sensitive information when it detects that a screenshot has been taken.
Screen Capturing
A financial or banking app handles a lot of sensitive data. Screen capturing can record everything happening on the screen over a period of time, not just a static image. This means all displayed sensitive information, including account numbers, balances, transaction history, and personal data, can be captured in detail. The captured recording can be accidentally or maliciously shared, leading to a significant breach of confidentiality.
The recommended approach is to hide screen contents. This way the obtained recording will not contain sensitive data. Screen capturing should be monitored silently, with no action unless additional suspicious signals appear.
System Passcode Status
Usage of system passcode is an essential security feature of all iOS devices. Not having a system passcode poses significant security risks, especially if sensitive applications like banking apps are installed. The stored personal and financial information is vulnerable to unauthorized access. Moreover, when a malicious individual gets physical access to the device, the possession authentication factor is effectively eliminated on such devices, and the risk of financial fraud greatly increases. Lastly, a lack of system passcode conflicts with several security standards and regulations, which can lead to compliance issues.
The recommended response is to display a warning and optionally limit the app’s sensitive functionality.
System Biometry Status
Usage of biometrics reduces the risk of unauthorized access to the user’s device and a banking app. PINs and passwords are frequently reused by the users. Also, there is a range of attacks for obtaining the user’s password or PIN such as phishing attacks, social engineering, and shoulder surfing.
The recommended response is to monitor the issue silently. Optionally the app can attempt to display a recommendation to the user.
Active HTTP Proxy
Active HTTP proxy can exploit issues in client-server communication when not done correctly and can lead to data interception.
The recommended response to the detection of an active HTTP proxy is to display a warning to the user.
Active VPN
Active VPN can indicate a possible fraud attempt and might be a problem from the point of regulatory compliance. While VPNs are generally used to secure internet traffic, not all VPN services are trustworthy. Some might intercept, monitor, or manipulate traffic routed through them.
The recommended response to the detection of an active VPN is to display a warning to the user.
Active Calls
An active call during the active usage of a banking app poses a risk of social engineering attacks. These attacks are very frequent and create huge financial losses.
For this reason, it’s recommended to block any sensitive functionality during the period of the call. Or even automatically reject all operations and transactions initiated during an active call.
App Presence
Remote desktop apps are a concern for all banking apps due to the potential risk they pose in financial fraud. These apps enable remote access to the device, allowing unauthorized individuals to view the screen remotely. Furthermore, some remote desktop apps may include audio sharing, which could potentially allow eavesdropping through the device’s microphone. Although it is not possible to remotely control an iOS device, attackers frequently use these apps to commit financial fraud.
The recommended response is to limit functionality while an unwanted app is present on the device. All functionality involving sensitive operations and transactions should be blocked to prevent any fraudsters from seeing any sensitive data.