PayThink

Selling apps outside of app stores increases the payments security risk


The release of the popular Fortnite Battle Royale game to Android users outside of the Google Play store sets a dangerous precedent both for users and for banks, merchants, payments processors and others across the ecosystem of processing payments on mobile channels.

Recently, Epic Games confirmed that it will not distribute the Android version of its Fortnite app on the official Google Play app store. Instead, Epic requires Android users to take the uncommon step of going to a website outside the store (i.e., a source the device does not trust by default), downloading the game's "APK" installer file directly and changing Android's settings to allow apps from that source to be installed.

This move forces users to switch off a crucial safeguard: the setting that blocks installation of apps from unknown sources. On Android 8 and later that permission is granted per installing app (typically the browser that downloaded the APK) and stays granted after the game is installed unless the user revokes it, so the device remains exposed to malware delivered through phishing, smishing (SMS phishing), malicious ads and similar schemes.
It also means that banks and other financial institutions, as well as others in the transaction ecosystem, face an increased likelihood that their mobile banking and payments apps will run alongside malware on the same device.

To put this in context, attackers are especially focused on targeting and infiltrating mobile payments and banking apps. The security vendor Kaspersky recently revealed that it had identified an all-time high of mobile banking Trojan installation packages in the second quarter. Attackers aren’t letting up.

By encouraging users to compromise the security of their device by making setting changes, Epic’s move will reverberate across the banking/merchant/payments mobile ecosystem.

Banks and merchants should take this as a warning. They certainly prefer that their users not sideload apps (which could be malware), nor do they want users encouraged to download apps from unofficial sources, where spoofed and repackaged banking apps also lurk to lure potential victims. That is why virtually every financial institution and major merchant strongly advises its customers to download apps only from official app stores.

What can banks, financial institutions and others do to protect themselves and their consumers?

One obvious yet important step is to remind their users that their official apps are available only in legitimate, secure app stores.

Another equally important step is implementing app shielding technologies within their consumer-facing apps. App shielding makes it far harder for attackers to inject malicious code into an app and repackage it for distribution in unofficial marketplaces or on websites, strengthening the app's resistance to intrusion, tampering and reverse engineering. It also makes apps "context aware": at runtime the app checks whether it is still signed by its publisher, whether it was installed from an official store, and whether the device is rooted or otherwise likely to be infected, and it can refuse to run or restrict sensitive functions when those checks fail. No such check is absolute, since an attacker who controls the device can try to strip the checks out, which is exactly why shielding pairs them with obfuscation and anti-tamper protection of the check code itself.
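As an added illustration of what "context aware" means in practice (this is example code written for this page, not code from the article or from any app-shielding vendor), the Kotlin snippet below performs three runtime checks an Android banking app can make on itself: that the running APK is still signed with the publisher's release certificate (a repackaged app must be re-signed with the attacker's key, so the hash changes), that the installer was Google Play rather than a browser or file manager, and that no common root indicators are present. The package name, the `IntegrityCheck` object and the `EXPECTED_SIGNER_SHA256` value are assumptions: the hash is a placeholder to be replaced with the SHA-256 of the real release certificate (as printed by `apksigner verify --print-certs`).

```kotlin
// Added example, not from the original article or any vendor product.
// Minimal runtime "context awareness" checks of the kind app-shielding
// products perform: signer verification, install-source check, root heuristics.
package com.example.shieldcheck // hypothetical package name

import android.content.Context
import android.content.pm.PackageManager
import android.content.pm.Signature
import android.os.Build
import java.io.File
import java.security.MessageDigest

object IntegrityCheck {

    // Assumption/placeholder: hex SHA-256 of the bank's release signing
    // certificate (DER bytes). Replace with the real value at build time.
    private const val EXPECTED_SIGNER_SHA256 =
        "0000000000000000000000000000000000000000000000000000000000000000"

    // Package name Google Play reports as the installer.
    private const val GOOGLE_PLAY_INSTALLER = "com.android.vending"

    data class Result(
        val signerMatches: Boolean,
        val installedFromPlay: Boolean,
        val rootIndicatorsFound: List<String>,
    ) {
        val trusted: Boolean
            get() = signerMatches && installedFromPlay && rootIndicatorsFound.isEmpty()
    }

    fun run(context: Context): Result = Result(
        signerMatches = signerHashes(context)
            .any { it.equals(EXPECTED_SIGNER_SHA256, ignoreCase = true) },
        installedFromPlay = installerPackage(context) == GOOGLE_PLAY_INSTALLER,
        rootIndicatorsFound = rootIndicators(),
    )

    // SHA-256 of every certificate that signed the running APK.
    @Suppress("DEPRECATION")
    private fun signerHashes(context: Context): List<String> {
        val pm = context.packageManager
        val signatures: Array<Signature> =
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                val info = pm.getPackageInfo(
                    context.packageName, PackageManager.GET_SIGNING_CERTIFICATES
                )
                info.signingInfo?.apkContentsSigners ?: emptyArray<Signature>()
            } else {
                val info = pm.getPackageInfo(
                    context.packageName, PackageManager.GET_SIGNATURES
                )
                info.signatures ?: emptyArray<Signature>()
            }
        val md = MessageDigest.getInstance("SHA-256")
        return signatures.map { sig ->
            md.digest(sig.toByteArray()).joinToString("") { "%02x".format(it) }
        }
    }

    // Who installed us. A sideloaded APK reports the browser/file manager, or null.
    @Suppress("DEPRECATION")
    private fun installerPackage(context: Context): String? {
        val pm = context.packageManager
        return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            pm.getInstallSourceInfo(context.packageName).installingPackageName
        } else {
            pm.getInstallerPackageName(context.packageName)
        }
    }

    // Cheap root heuristics: test-keys build and su binaries in the usual places.
    // Root-cloaking tools can hide these; shielding products use deeper checks.
    private fun rootIndicators(): List<String> {
        val found = mutableListOf<String>()
        if (Build.TAGS?.contains("test-keys") == true) found += "build tags: ${Build.TAGS}"
        listOf("/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
               "/system/app/Superuser.apk")
            .filter { File(it).exists() }
            .forEach { found += "file present: $it" }
        return found
    }
}
```

Call `IntegrityCheck.run(applicationContext)` early in startup and, when `trusted` is false, either refuse to proceed or disable sensitive functions such as payments and credential entry, logging the individual findings for the fraud team. Because these checks execute inside the app, an attacker who repackages it can also try to remove them; a shielding product's value lies in obfuscating and tamper-protecting this code so that stripping it out is expensive, not in the checks themselves.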

If you decide to use app-shielding technology to protect against these types of attacks, you can choose vendors that provide an easy-to-use portal or dashboard. Integrating app shielding can then be accomplished simply and quickly: visit the portal, select the security features to be integrated, upload an Android or iOS app binary and launch an automated integration process. The shielding technology analyzes the app's logic and binds its protections into the code, and the shielded version of the app can be readily downloaded and published.

That way, whether or not the user has taken the institution’s advice to heart about downloading apps from legitimate app stores, the industry and the user are protected on the financial institution's app.
