Fintech App Service Vulnerability Inspection Guide from Financial Security Agency
Hello, this is LIAPP TEAM.
Because fintech services carry out electronic financial transactions, they must comply with the Electronic Financial Supervision Regulations under the Electronic Financial Transactions Act. Financial authorities also work to block technical security risks, for example by distributing relevant guidelines. In particular, the Financial Security Agency, Korea's only dedicated financial security institution, launched in 2015, conducts a "Fintech Service Vulnerability Check" that helps fintech companies establish and verify an appropriate security management system, supporting safe application operation and use.
LIAPP provides security functions that cover the 'client security' and 'critical information protection' areas of the 17 mobile app (Android/iOS) check items in the Financial Security Agency's 'Fintech Service Vulnerability Check' guidelines, and we actively support fintech companies in meeting the Agency's standards.
This post explains how to prepare for the Financial Security Agency's check using LIAPP.
1. Check Items for Mobile Apps (Android/iOS) and Applying LIAPP
Mobile apps that provide finance and fintech services are reviewed in five areas: critical information protection, transaction information forgery, client security, server security, and verification. Finance and fintech companies should base their development on these security checks and derive development security requirements from the items in both the web and mobile areas.
Until now, many organizations have focused only on the network when strengthening security. However, the spread of wireless and mobile devices means that devices outside the organization's Internet perimeter can reach the Internet or a poorly secured internal network, which can cause significant problems.
* Memory Protection
While an app runs, its executable code, user account data, and other valuable values are decrypted and held as plaintext in process memory, which can expose the sensitive information inside the application. A memory exposure vulnerability occurs when sensitive information kept in the source code ends up in memory as unencrypted plaintext, where anyone who can dump the process memory can read it. To address this, every variable that stores important information must be kept encrypted while it sits in memory and decrypted only for the moment it is used. LIAPP blocks the exposure of sensitive data in memory through a separate encryption module that encrypts memory values.
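The following is an added example, not LIAPP code or a LIAPP algorithm: it shows the difference between a secret stored as-is and one kept masked while at rest, and the check a memory-dump review performs (searching the dump for the plaintext). Python is used so it runs anywhere; the sample PIN is constructed. On Android the same discipline means holding secrets in byte or char arrays and zeroing them, since Java String, like Python str and bytes, is immutable and cannot be wiped.

```python
import secrets

# Constructed sample secret. Everything this example stores is a mutable
# bytearray: a bytearray can be zeroed in place, whereas Python str/bytes
# objects are immutable and linger in memory until the allocator reuses them.
SAMPLE_PIN = b"1234-5678-9012"   # made-up account PIN


def wipe(buf):
    """Overwrite a bytearray in place so the plaintext no longer sits in it."""
    for i in range(len(buf)):
        buf[i] = 0


class MaskedSecret:
    """Keeps a secret XOR-masked with a fresh random key of the same length.

    At rest this object's buffers contain only the masked value and the key;
    the plaintext exists only inside the bytearray returned by reveal(), which
    the caller must wipe() as soon as it has been used.
    """

    def __init__(self, plaintext):
        plaintext = bytearray(plaintext)
        self._key = bytearray(secrets.token_bytes(len(plaintext)))
        self._masked = bytearray(p ^ k for p, k in zip(plaintext, self._key))
        wipe(plaintext)                 # the unmasked input copy is not needed

    def reveal(self):
        return bytearray(m ^ k for m, k in zip(self._masked, self._key))

    def resident_bytes(self):
        """What a dump of this object's own buffers contains."""
        return bytes(self._masked) + bytes(self._key)


def dump_has_plaintext(dump, secret):
    """The check a dump reviewer performs: is the secret present as a
    contiguous plaintext run?"""
    return secret in dump


def demo(secret=SAMPLE_PIN):
    # Naive storage: the value is kept as-is for the life of the object.
    naive_buffer = bytearray(secret)
    found_naive = dump_has_plaintext(bytes(naive_buffer), secret)

    # Masked storage: only masked value + key are resident.
    protected = MaskedSecret(secret)
    found_protected = dump_has_plaintext(protected.resident_bytes(), secret)

    # Use the secret briefly, then wipe the revealed copy.
    revealed = protected.reveal()
    used_correctly = bytes(revealed) == secret
    wipe(revealed)
    wiped = bytes(revealed) == bytes(len(secret))

    return {
        "naive_plaintext_in_dump": found_naive,
        "protected_plaintext_in_dump": found_protected,
        "reveal_round_trips": used_correctly,
        "revealed_copy_wiped": wiped,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-28s %s" % (name, value))
```

A caveat worth stating: masking defeats the plain string search that a memory-dump review relies on, but both halves (masked value and key) are still in the dump, so an attacker who understands the layout can recombine them. The key buffer and the code that uses it therefore need protection of their own, which is why a memory-encryption module is normally paired with obfuscation and anti-debugging rather than used alone. Note also that the `SAMPLE_PIN` literal itself is an immutable bytes object and stays in memory; in a real app the secret should arrive directly into a wipeable buffer.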
* Preventing Exposure in Debug Logs
Developers use the Log class for debugging while developing an app. If the Log calls used as debugging code are compiled and distributed without being removed once development is complete, that debugging code runs on the user's device. If it writes critical data such as personal information, server authentication credentials, or details of the app's logic, the data can easily leak, for example to malicious apps or to anyone with logcat access to the device. To address this vulnerability, LIAPP removes sensitive information from the debug log so that it is not exposed.
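As an added example (not LIAPP's implementation), the two controls the paragraph describes in code: dropping debug-level output entirely in a release build, which is what stripping `Log.d()` calls does (on Android this is typically done with a ProGuard/R8 `-assumenosideeffects` rule on `android.util.Log`), and redacting the sensitive fields named in the text from whatever is still logged. The log lines, identifiers and field formats are constructed for the example; Python's `logging` module stands in for the Android Log class.

```python
import logging
import re

# Constructed sample log messages of the kind a developer leaves in Log.d()
# calls during development. All identifiers and values are made up.
SAMPLE_DEBUG_LINES = [
    "login ok user=hong.gildong account=110-123-456789 "
    "token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln",
    "verify rrn=900101-1234567 result=pass",
    "server auth apiKey=sk_live_9f8e7d6c5b4a3 endpoint=/v1/transfer",
]

# Patterns for the fields the text names as critical: personal information
# (resident registration number, account number) and server credentials.
# The formats are assumptions for this example; adapt them to your own data.
REDACTIONS = [
    (re.compile(r"\b\d{6}-\d{7}\b"), "<RRN>"),              # resident registration number
    (re.compile(r"\b\d{3}-\d{3}-\d{6}\b"), "<ACCOUNT>"),    # account number, ddd-ddd-dddddd
    (re.compile(r"\b(token|apikey|password)=\S+", re.I), r"\1=<REDACTED>"),
]


def redact(message):
    """Replace sensitive fields in one log message with placeholders."""
    for pattern, replacement in REDACTIONS:
        message = pattern.sub(replacement, message)
    return message


class RedactingFilter(logging.Filter):
    """Rewrites each record's message before the handler emits it."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in a list so the result can be inspected."""

    def __init__(self, sink):
        super().__init__()
        self.sink = sink

    def emit(self, record):
        self.sink.append(self.format(record))


def build_logger(name, release_build):
    """Configure a logger the way a shipping build should be configured.

    In a release build DEBUG records are dropped entirely, the effect of
    stripping Log.d()/Log.v() calls before distribution. Anything that is
    still emitted passes through the redaction filter first.
    """
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO if release_build else logging.DEBUG)
    lines = []
    handler = ListHandler(lines)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger, lines


def run(release_build):
    """Emit the sample lines through a debug or release configuration and
    return what would actually reach the device log."""
    name = "fintech-%s" % ("release" if release_build else "debug")
    logger, lines = build_logger(name, release_build)
    for line in SAMPLE_DEBUG_LINES:
        logger.debug(line)
    logger.info("transfer completed account=110-123-456789")
    return lines


if __name__ == "__main__":
    for mode in (False, True):
        print("release build" if mode else "debug build")
        for line in run(mode):
            print("  ", line)
```

Redaction is the second line of defence: the primary fix is that release builds emit no debug output at all, and the filter only limits the damage of an INFO or WARN message that carries a field it should not.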
* Applying Screen Protection for Important Information
LIAPP prevents capture of important information on application screens through its capture protection function. It blocks every form of screen capture: basic capture using shortcut keys, capture by another application, capture through a connected external device, and capture in an emulator environment. In addition, when capture protection is enabled, the protected screen is displayed as black to a remote-control session.
* Applying Protection for Information Input
Important personal information such as a resident registration number, account number, or public certificate password is converted into one-time data by LIAPP's security keypad (LIKEY) function before it is transmitted to the server. Unlike conventional security keypads, which encrypt the entered value, LIAPP outputs different one-time data each time the same personal information is entered and sends that data to the server, and this one-time data sent to the server cannot be decrypted.
* Applying Tampering Detection
App tampering means modifying a legitimate app into a tampered one in order to steal customer information, or redistributing a forged copy of a paid app through illegal sites, and it drives users away from the service. LIAPP detects tampering of important core files through a self-verification algorithm and, when tampering is detected, blocks execution of the app itself.
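An added example of the self-verification idea, not LIAPP's algorithm: at build time a manifest of keyed hashes (HMAC-SHA256) over the core files is produced; at run time each file is re-hashed and the app refuses to start if any file is missing or its tag differs. The file contents, the integrity key and the paths are constructed for the example, and a temporary directory stands in for the installed package.

```python
import hashlib
import hmac
import os
import tempfile

# Key the app would carry in protected form (a constructed constant for this
# example, not a LIAPP value). Anyone who extracts it can re-sign a modified
# app, so in practice it must itself be hidden; see the note below the code.
INTEGRITY_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

# Constructed stand-ins for a package's core files: a few bytes that only
# need to resemble a dex header, an ELF header and a config file.
CORE_FILES = {
    "classes.dex": b"dex\n035\x00" + bytes(range(32)),
    "lib/arm64-v8a/libcore.so": b"\x7fELF\x02\x01\x01\x00" + bytes(24),
    "assets/config.json": b'{"api":"https://api.example.invalid","pin":true}',
}


def file_tag(path, key=INTEGRITY_KEY):
    """HMAC-SHA256 over a file's contents, streamed in 64 KiB chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(root, names):
    """Tag every core file at build time; this is what ships with the app."""
    return {name: file_tag(os.path.join(root, name)) for name in names}


def verify(root, manifest):
    """Re-tag each file at run time and return the names that fail: missing
    files and files whose tag no longer matches. An empty list means clean."""
    failures = []
    for name, expected in manifest.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            failures.append(name)
        elif not hmac.compare_digest(file_tag(path), expected):
            failures.append(name)
    return sorted(failures)


def write_tree(root, files):
    for name, data in files.items():
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo():
    """Sign a clean tree, then tamper with it the way a repackaged app would,
    and return the verification result after each step."""
    root = tempfile.mkdtemp(prefix="integrity-example-")
    write_tree(root, CORE_FILES)
    manifest = build_manifest(root, CORE_FILES)
    clean = verify(root, manifest)

    # Step 1: patch a single byte inside the native library.
    with open(os.path.join(root, "lib/arm64-v8a/libcore.so"), "r+b") as f:
        f.seek(16)
        f.write(b"\x90")
    patched = verify(root, manifest)

    # Step 2: also point the config at another server and drop the dex.
    write_tree(root, {"assets/config.json": b'{"api":"https://evil.invalid"}'})
    os.remove(os.path.join(root, "classes.dex"))
    gutted = verify(root, manifest)
    return clean, patched, gutted


if __name__ == "__main__":
    clean, patched, gutted = demo()
    print("clean   :", clean or "ok")
    print("patched :", patched)
    print("gutted  :", gutted)
    # A real app refuses to start as soon as verify() returns a non-empty
    # list, which is the behaviour described above.
```

Two caveats a reviewer will raise. A manifest of plain SHA-256 digests is worthless against repackaging, because the attacker simply recomputes it; the HMAC key raises the bar, but only as far as the key and the verification code are themselves hard to find and patch, which is the job of the obfuscation and anti-debugging functions discussed below. And a check that runs once at startup can be skipped by patching the call site, so it should be repeated at sensitive points rather than trusted as a single gate.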
* Applying Hacking OS Detection
Apps protected with LIAPP can block execution on rooted or jailbroken devices, and can also detect installed hacking tools that hide rooting and stop the app from running. The administrator can apply this function immediately by switching its ON/OFF option.
* Applying Anti-Debugging
The original purpose of debugging is to find bugs in executable code, but attackers use it to understand how a program works or to attack the app by tampering with its memory. LIAPP therefore blocks debuggers that try to attach to the application process and perform static or dynamic analysis. It protects sensitive information by shutting down the debugger or causing it to error, so that the application cannot be analyzed.
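As an added example, not LIAPP's detection code: the most common native anti-debugging check on Linux and Android reads the process's own `/proc/self/status`, where the kernel reports the PID of any ptrace-attached tracer in the `TracerPid` field (0 when none) and shows `State: t (tracing stop)` while the process is halted under a debugger. The status excerpts below are constructed; the live read is guarded so the block also runs where `/proc` does not exist. For the Java-level debugger (JDWP), Android additionally offers `android.os.Debug.isDebuggerConnected()`.

```python
# Constructed excerpts of /proc/<pid>/status. TracerPid holds the PID of the
# process that has ptrace-attached (gdb, lldb-server, a ptrace-based hooking
# tool); 0 means nobody. State is lower-case "t (tracing stop)" while the
# tracee is halted at a breakpoint or single step.
STATUS_CLEAN = (
    "Name:\tcom.example.fintech\n"
    "Umask:\t0077\n"
    "State:\tS (sleeping)\n"
    "Tgid:\t4242\n"
    "Pid:\t4242\n"
    "PPid:\t1\n"
    "TracerPid:\t0\n"
    "Uid:\t10123\t10123\t10123\t10123\n"
)
STATUS_ATTACHED = STATUS_CLEAN.replace("TracerPid:\t0", "TracerPid:\t7331")
STATUS_STOPPED = STATUS_ATTACHED.replace("State:\tS (sleeping)",
                                         "State:\tt (tracing stop)")


def parse_status(text):
    """Turn the key:<tab>value lines of a status file into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def debugger_indicators(text):
    """Return the reasons this process looks debugged; empty means none."""
    fields = parse_status(text)
    reasons = []
    tracer = int(fields.get("TracerPid", "0") or 0)
    if tracer != 0:
        reasons.append("TracerPid=%d" % tracer)
    state = fields.get("State", "")
    if state.startswith("t"):       # lower-case t: stopped under ptrace
        reasons.append("State=" + state)
    return reasons


def read_own_status():
    """Live read of this process's status (Linux and Android only).
    Returns None where /proc is not available."""
    try:
        with open("/proc/self/status") as f:
            return f.read()
    except OSError:
        return None


def should_terminate(text=None):
    """The decision the app acts on: stop if any indicator is present."""
    if text is None:
        text = read_own_status() or ""
    return bool(debugger_indicators(text))


if __name__ == "__main__":
    samples = (("clean", STATUS_CLEAN), ("attached", STATUS_ATTACHED),
               ("stopped", STATUS_STOPPED))
    for label, sample in samples:
        print(label, debugger_indicators(sample) or "no indicators")
    print("this process:",
          "debugger detected, exiting" if should_terminate() else "not traced")
```

Two limits of this check explain why the page treats anti-debugging as one layer among several. Instrumentation frameworks that attach with ptrace only long enough to inject themselves and then detach leave `TracerPid` at 0, so a single read is not sufficient against dynamic analysis; and an attacker who can patch the app can hook the read of `/proc/self/status` or the comparison itself, so the check only holds up when the code performing it is covered by tamper detection and obfuscation. Production implementations repeat the check from native code at several points and vary the reaction (crash, corrupt results) rather than calling a single well-named exit routine.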
* Applying Source Code Obfuscation
Because the source code contains important information about the entire application, LIAPP's obfuscation function is applied to keep the code from being read and to protect intellectual property. LIAPP's obfuscation not only rearranges the code to make it difficult to read, but can also encrypt the app's entire code so that it cannot be viewed at all.
* Applying Anti-Virus
Anti-Virus is a function that protects device users: when a user runs a LIAPP-protected app on a device exposed to security risks such as malicious code, it blocks the app's execution so that the user's information is not leaked.
2. How About Protecting Your App with LIAPP?
Because fintech apps undergo security verification only after they have been implemented, any vulnerability found at that point means modifying the code or re-implementing from the design stage, which is inefficient in both cost and time. A security verification method is therefore needed at each stage of implementing a mobile app: analysis/design, development, and testing. Existing security solutions take about a month to apply, but LIAPP uses a cloud server to apply all of its security functions with a single click.
LIAPP TEAM provides security expert consulting during the development process of fintech app service companies through LIAPP and helps remediate security vulnerabilities. It directly diagnoses and analyzes vulnerabilities in fintech service apps to identify security threats and support remediation. If you are preparing for the Financial Security Agency's check in order to develop and distribute a fintech application, please feel free to contact LIAPP TEAM at any time for a more detailed consultation.