Solutions
By Industry
Banking & Finance Telecommunication Public Utilities Payment Industry-agnostic
By Category
AI Data Lake & DWH Customer 360 Digital Banking Content Services Security Billing Software Smart City and Traffic Management Enterprise Resource Planning (ERP) Customer Experience
Investor
Investor relations
Investor Relations Center Dividend Policy Shareholders Analysts Financial Calendar Closed Periods IR Contact
Financial Information
Financial Highlights – consolidated Recent Results Financial Reports Presentations Financial Press Releases FAQ
Governance
Regulatory Filing Legal Environment Auditor Corporate Governance IPO
Career Center Become a Partner
About
About the Group Governance Company Structure Group Policies Norms & Certificates ESG

Mobile App Security

Mobile applications have become a primary interface for banking, payments, healthcare, and enterprise productivity, making them a high-value target for cybercriminals. Unlike traditional software deployed in controlled server environments, mobile apps run on devices outside the organization's security perimeter, in environments that may be rooted, jailbroken, or infected with malware. Without adequate mobile app security controls, attackers can reverse-engineer app logic, steal credentials and cryptographic keys, inject malicious code, perform overlay attacks to capture user input, and distribute tampered clones of legitimate apps. A strong mobile app security strategy protects both the application and its users, preserves regulatory compliance (e.g., PSD2, GDPR, DORA), and safeguards the organization's brand and customer trust.

Learn more about the importance of mobile app security.

The most common mobile app vulnerabilities, as documented by the OWASP Mobile Top 10, include:

  • Insecure Data Storage: Sensitive data stored in plaintext on the device, accessible to malicious apps or physical attackers.
  • Insufficient Cryptography: Use of weak, outdated, or incorrectly implemented encryption algorithms.
  • Insecure Communication: Failure to enforce TLS or improper certificate validation, enabling man-in-the-middle attacks.
  • Insecure Authentication: Weak or missing authentication controls allowing unauthorized access.
  • Improper Platform Usage: Misuse of platform APIs, permissions, or features such as clipboard access or background location.
  • Code Tampering: Modification of the app binary to bypass security controls or inject malicious functionality.
  • Reverse Engineering: Lack of obfuscation enabling attackers to analyze app logic, extract secrets, or clone the app.
  • Extraneous Functionality: Debug code or hidden backdoors left in production releases.

Addressing these vulnerabilities requires a layered mobile security approach combining secure coding practices, code obfuscation, RASP, and runtime integrity monitoring.

Learn more about mobile app vulnerabilities.

Reverse engineering in mobile app security is the process of deconstructing a compiled app binary to understand its internal logic, architecture, algorithms, and embedded data , without access to the original source code. Attackers use reverse engineering tools (such as jadx, apktool, Frida, or Ghidra) to analyze how an app works, discover hardcoded API keys and cryptographic secrets, identify exploitable logic flaws, and create unauthorized clones or modified versions of the app. Reverse engineering is a prerequisite for many other mobile attacks, including tampering, credential theft, and overlay fraud. The primary defenses are code obfuscation (making the code unreadable after decompilation) and binary protection techniques that prevent static analysis tools from fully reconstructing the app logic.

Watch webinar on understanding and preventing reverse engineering.

App tampering is the unauthorized modification of a mobile application's binary code, resources, configuration files, or runtime behavior. Attackers tamper with apps to bypass license checks or paywalls, remove security controls such as certificate pinning or root detection, inject malicious code to steal credentials or intercept communications, or repackage and redistribute the app as a trojanized fake. Tampered apps pose a significant threat to users who unknowingly install compromised versions, and to organizations whose brand and security posture is undermined. Anti-tampering controls, including cryptographic code signing, runtime integrity verification, and RASP, detect and respond to tampering attempts in real time.

Code obfuscation is a mobile and software security technique that transforms an application's source code or compiled binary into a functionally identical but extremely difficult-to-understand form. Obfuscation does not change what the code does, it only makes it much harder for attackers using reverse engineering tools to understand how it does it. Common obfuscation techniques include renaming classes, methods, and variables to meaningless identifiers; encrypting strings; inserting dummy code and dead branches to confuse analysis; and applying control flow obfuscation to scramble the execution path. Code obfuscation is a critical first layer of mobile app protection, making it significantly harder to extract business logic, API keys, cryptographic secrets, or authentication mechanisms from the app.

RASP (Runtime Application Self-Protection) is a security technology built directly into a mobile or web application that protects it from attacks while it is running, from the inside out. Unlike firewalls or network-based security that protect the perimeter around an application, RASP sits inside the app itself and monitors its behavior in real time. If RASP detects a threat, such as an attacker trying to hook into the app's functions, run it in an emulator, attach a debugger, or tamper with its code, it can block the attack, terminate the session, or alert the security team, all without any human intervention. Think of RASP as a built-in bodyguard that travels with the app wherever it runs, providing protection even in hostile or uncontrolled environments.

Learn more about RASP.

Mobile app shielding is a comprehensive set of security protections applied to a mobile application to make it resilient against attacks, even when deployed on compromised, rooted, or jailbroken devices. It combines multiple layers of defense into a unified security wrapper built directly into the app, typically including: code obfuscation to prevent reverse engineering, RASP (Runtime Application Self-Protection) for real-time threat detection and response, anti-debugging and anti-tampering controls, root and jailbreak detection, emulator detection, and runtime integrity verification. App shielding is particularly important for applications operating in uncontrolled end-user environments, such as mobile banking apps, payment apps, and digital identity solutions, where the organization cannot control the security state of the device.

Learn more about mobile app shielding.

Mobile app hardening is the process of applying a comprehensive set of security controls to a mobile or web application to significantly increase its resistance to attacks, particularly when deployed in untrusted, hostile, or uncontrolled environments. For mobile apps, hardening encompasses a multi-layered approach including: code obfuscation and binary protection to prevent reverse engineering; RASP for runtime threat detection and response; anti-debugging and anti-tampering controls; secure storage enforcement to prevent sensitive data from being stored in accessible locations; certificate pinning to prevent man-in-the-middle attacks; and root/jailbreak detection to identify compromised device environments. A hardened application maintains its security posture and continues to protect sensitive operations even when running on a compromised device.

Learn more about mobile app hardening.

Mobile malware is malicious software specifically designed to infect smartphones and tablets, enabling attackers to steal sensitive data, spy on users, intercept communications, or gain unauthorized control of the device. Common types of mobile malware include:

  • Banking Trojans: Overlay the screens of legitimate banking apps to steal credentials and OTPs.
  • Spyware: Silently monitors and transmits user activity, keystrokes, and communications to a remote attacker.
  • Ransomware: Encrypts device data or locks the screen, demanding a ransom for restoration.
  • Adware: Generates revenue for attackers through unwanted advertising while consuming device resources.
  • RATs (Remote Access Trojans): Give attackers full remote control over the infected device.

Mobile malware is typically distributed through malicious app stores, phishing links, trojanized apps, and drive-by downloads. Mobile app security controls such as RASP, integrity checking, and overlay detection are key defenses.

A rooted device (Android) or jailbroken device (iOS) is a smartphone or tablet on which the manufacturer's software restrictions have been removed, granting the user, and any software running on the device, unrestricted, root-level access to the operating system. While rooting and jailbreaking can enable greater device customization, they also disable key platform security features including app sandboxing, verified boot, and system integrity protections. From a security perspective, rooted and jailbroken devices are significantly more vulnerable: they can run unauthorized apps from untrusted sources, allow malware to operate with elevated privileges, and enable attackers to hook into or tamper with legitimate applications. Security-sensitive apps, such as banking, payment, and authentication apps, implement root and jailbreak detection to refuse operation or warn users when a compromised device environment is detected.

Learn more about the risks of jailbreaking.

Mobile app integrity refers to the guarantee that a mobile application has not been altered, tampered with, or repackaged since it was originally built, signed, and published by its developer. App integrity verification works by validating cryptographic signatures and checksums of the app's components at runtime, ensuring that every part of the app, its code, resources, and configuration, matches the original authorized version. If any modification is detected, the app can refuse to run, terminate the session, or alert the security team. App integrity is critical for preventing the distribution and use of trojanized app clones, which are a common vector for credential theft, fraud, and data exfiltration in mobile banking and payment environments.

Learn more about mobile app integrity check.

The OWASP Mobile Top 10 is a regularly updated list published by the Open Worldwide Application Security Project (OWASP) that identifies the ten most critical security risks affecting mobile applications. It serves as an authoritative reference for mobile app developers, security teams, and auditors, providing guidance on identifying, understanding, and mitigating the most prevalent mobile vulnerabilities. The current OWASP Mobile Top 10 includes risks such as improper credential usage, inadequate supply chain security, insecure authentication and authorization, insufficient input/output validation, insecure communication, inadequate privacy controls, insufficient binary protections, security misconfiguration, insecure data storage, and insufficient cryptography. Aligning mobile app security practices with the OWASP Mobile Top 10 is considered an industry best practice and is referenced in many regulatory security frameworks.

Learn more about OWASP top 10 vulnerabilites for mobile.

Mobile threat detection is the real-time identification and analysis of security threats targeting mobile applications and the devices they run on. It encompasses a broad range of detection capabilities including: identifying rooted or jailbroken devices that pose elevated risk; detecting the presence of malware, spyware, or unauthorized apps on the device; recognizing hooking frameworks and debugger attachment attempts; detecting emulator or virtual device environments commonly used for automated fraud; monitoring for overlay attacks that attempt to capture user input; and identifying tampering with the app binary or its runtime environment. Mobile threat detection is implemented through RASP, mobile security SDKs, and mobile threat defense (MTD) platforms, providing the visibility needed to respond to threats in real time without requiring server-side intervention.

An overlay attack is a technique in which malicious software displays a fake, transparent screen on top of a legitimate app, such as a banking or payment application, to capture credentials, OTPs, or card details as the user types them. The victim interacts with what appears to be the genuine app, unaware their input is being intercepted. Overlay attacks are among the most common techniques used by banking trojans on Android. Defenses include RASP-based overlay detection and runtime integrity monitoring.

A hooking attack intercepts function calls within a running mobile application, allowing an attacker to monitor, modify, or redirect app behavior without altering the app binary. Using frameworks such as Frida or Xposed, attackers hook into sensitive functions, such as authentication checks, encryption routines, or API calls, to extract credentials, bypass security controls, or manipulate transaction data. Hooking attacks require the app to be running and are typically performed on rooted or jailbroken devices. RASP detects and blocks hooking attempts at runtime.

Learn more about the risks of mobile app hookign.

Mobile emulators simulate real device environments on desktop computers, allowing fraudsters to impersonate thousands of different devices from a single machine. In fraud attacks, emulators are used to automate credential stuffing, account takeover attempts, and fake account creation at scale, bypassing device-based fraud signals that rely on real hardware fingerprints. Emulator-based fraud is particularly prevalent in mobile banking and payments. Detection involves identifying emulator artifacts (inconsistent hardware signatures, missing sensors, abnormal system properties) at the application layer.

Learn more about mobile emulators fraud.

Dynamic instrumentation is the process of injecting code into a running application to observe or modify its behavior in real time, without recompiling it. Tools such as Frida enable attackers to hook into app functions, dump memory, bypass certificate pinning, extract cryptographic keys, and disable security controls, all while the app is executing. It is one of the most powerful techniques available to mobile app attackers and is difficult to detect with static analysis alone. RASP and anti-hooking controls are the primary defenses.

Tamper detection works by validating the app's cryptographic signature and checksums at runtime, confirming that the binary, resources, and configuration files match the original signed version published by the developer. If any component has been modified (for example, to remove license checks, inject malicious code, or bypass authentication) the integrity check fails and the app can refuse to run or terminate the session. Tamper detection is typically implemented as part of a RASP or app shielding solution and operates continuously throughout the app's lifecycle, not just at startup.

RASP (Runtime Application Self-Protection) is embedded directly into the app and continuously monitors its execution environment. When a threat is detected (such as a debugger being attached, a hooking framework being active, the app running in an emulator, the device being rooted or jailbroken, or the app binary having been tampered with) RASP can respond immediately by blocking the specific operation, terminating the session, or alerting the security team. Because RASP operates from inside the app, it provides protection regardless of the network environment or device security state, unlike perimeter controls that can be bypassed.

Learn more about RASP.

A mobile WAF (Web Application Firewall) operates at the network layer, inspecting HTTP/S traffic between the app and the server to block malicious requests. It protects the server-side API but has no visibility into what is happening inside the app itself. RASP operates inside the app at the application layer, protecting the client-side runtime from threats such as hooking, tampering, emulator use, and reverse engineering - threats a WAF cannot see. The two are complementary: a WAF secures the backend, RASP secures the app.

Certificate pinning is a technique that hardcodes the expected TLS certificate or public key directly into the mobile app, so the app only accepts connections from a server presenting that specific certificate, regardless of what the device's certificate store trusts. This prevents man-in-the-middle attacks where an attacker intercepts encrypted traffic by presenting a fraudulent but CA-signed certificate. Without pinning, an attacker who can install a trusted certificate on the device can decrypt all app traffic. Certificate pinning is particularly important for banking and payment apps where API traffic contains sensitive financial data.

The terms are closely related and often used interchangeably, but there is a meaningful distinction. App hardening refers to the broader process of applying security controls to reduce an application's attack surface, including secure coding practices, removal of debug code, secure storage configuration, and minimizing permissions. App shielding is a specific subset of hardening focused on protecting the app binary and runtime from external attack through code obfuscation, RASP, anti-tampering, and anti-debugging controls. In practice, a fully hardened app incorporates shielding as one of its layers, alongside other secure development lifecycle (SDLC) controls.

Banking and financial mobile apps are subject to several overlapping security standards and regulatory requirements.

PSD2 requires Strong Customer Authentication (SCA) and dynamic linking for payment transactions in Europe.

The OWASP Mobile Application Security Verification Standard (MASVS) defines security requirements across architecture, data storage, cryptography, authentication, nework communication and resilience.

DORA requires financial entities to manage ICT risks, including mobile app security, as a part of their digital operational resilience framework.

PCI DSS applies to any app that processes, stores, or transmits payment card data.

National financial regulators (such as EBA guidelines) may impose additional requirements specific to mobile banking.

Yes. PSD2 directly impacts mobile app security in two ways. First, it mandates Strong Customer Authentication (SCA) for payment initiation and account access, requiring mobile apps to implement MFA using at least two independent factors. Second, it requires dynamic linking. Each transaction must be bound to a specific amount and payee via a unique authentication code, preventing transaction manipulation attacks such as man-in-the-browser.

Beyond authentication, PSD2's broader security obligations, combined with EBA guidelines on operational and security risk, require payment service providers to implement measures that protect the integrity and confidentiality of users' personalized security credentials, which extends to the mobile app environment.

NIS2 does not regulate mobile applications directly, but it applies to the organizations that develop and operate them if those organizations fall within its scope. This includes entities in sectors such as banking, financial market infrastructure, digital infrastructure, and managed service providers. For in-scope organizations, NIS2 requires appropriate and proportionate technical security measures across their ICT environment, including the applications they develop and operate. This encompasses mobile apps that form part of the organization's service delivery, particularly those handling sensitive data or performing critical functions. NIS2 also requires supply chain security measures, which extend to third-party mobile SDKs and libraries.

Learn more about NIS2.

An unprotected mobile app can be reverse-engineered within hours using freely available tools, exposing business logic, API keys, cryptographic secrets, and authentication mechanisms. Attackers can use this knowledge to create counterfeit clones distributed through unofficial app stores, conduct targeted API attacks using extracted credentials, and bypass security controls entirely. For end users, unprotected apps are vulnerable to overlay attacks, credential theft, and session hijacking. For the organization, the consequences include financial fraud, data breaches, regulatory penalties under GDPR and PSD2, and lasting reputational damage. These are particularly severe in financial services where customer trust is a core business asset.

The key evaluation criteria are:

  • depth of protection (does it cover obfuscation, RASP, anti-tampering, root/jailbreak detection, emulator detection, and certificate pinning in a single solution?);
  • integration simplicity (SDK-based solutions that integrate without requiring source code changes reduce deployment friction significantly);
  • performance impact (security controls must not materially degrade app performance or battery life);
  • coverage across platforms (iOS and Android);
  • configurability of threat responses (block, warn, or log depending on the threat severity);
  • vendor expertise in your sector.

For regulated industries, verify that the solution supports compliance with PSD2, DORA, and OWASP MASVS requirements.

The direct costs of a mobile app security breach include fraud losses (unauthorized transactions, account takeovers), incident response and forensic investigation, mandatory breach notification under GDPR (which requires notification within 72 hours and can trigger fines of up to 4% of global turnover), regulatory penalties, and legal liability. Indirect costs, often larger, include customer churn, reputational damage, loss of competitive advantage if proprietary business logic is stolen, and the engineering cost of emergency patching and re-releasing the app. For financial services organizations, a breach affecting mobile banking infrastructure can also trigger regulatory scrutiny of the entire security program under NIS2 and DORA, amplifying the long-term operational cost well beyond the immediate incident.