/Logo%202023.svg "Logo 2023"){kind=small}
3 min read
Whether you’re tapping to pay at a coffee shop, or sending money to a friend, or even providing identification, mobile wallets have become the go-to for fast and convenient transactions. In addition to the Google and IOS Wallets on our phones, many loyalty applications, cryptocurrency trading applications, credit card companies and governments agencies, are creating their own wallets to provide identity verifications. As with anything digital, security is paramount. Cybercriminals are always on the lookout for ways to exploit weaknesses, and while on-device hardware security provides a strong foundation, it isn’t cybercriminal proof.
More recently, apps available in Google Play and the App Store were embedded with a malicious SDK/framework designed to steal recovery phrases for crypto wallets. These malicious apps, when opened, will decrypt a malware module undetected by app store security screening and launch an OCR plug-in built with Google’s ML Kit library, and parse images in the gallery and recognize potentially sensitive information like passwords or personal information.
As most wallets use the device nearfield capability to present payment and identity information to a POS or reader, it is relatively simple for a malicious app to access information and create a man-in-the-middle attack to harvest card or identity information. This becomes even easier when a phone is rooted or emulated.
Alarmingly, when digital identity is stored and presented from a wallet, it creates a larger problem as many banking systems are approving transactions, without verifying digital identity, at time of operation. If digital identity is also harvested and compromised, it could be used to approve life affecting decisions.
What steps can app developers take to lock down mobile wallets and keep them safe from attacks?
-
Lock Down Data with Strong Encryption
One of the easiest ways for hackers to steal sensitive information is by exploiting weak data protection. If your mobile wallet stores payment details on the phone, and / or transmits them without appropriate encryption, it makes it much simpler for cybercriminals to gain the keys to your account.
So, what can be done?
Always ensure use of strong encryption, whether it’s sitting in storage or moving between systems. Strong encryption ensures that even if an attacker intercepts the data, it’s unreadable and useless to them. Combining this with robust input validation can help prevent attackers from injecting malicious code , or extracting sensitive details, from your transactions.
-
Design in Anti-Tampering
Tampering is one of the biggest threats to mobile wallet security. Hackers can manipulate your app, inject malware, or adjust system settings to bypass security protections. Even with secure hardware, if your app is susceptible to tampering there’s little that can be done.
So, what can be done?
Design an anti-tampering measure right into your app. Use techniques like runtime application self-protection (RASP), integrity checks, and code obfuscation to make it harder for attackers to modify your app or inject malicious code. Ensure the application can detect any modifications to the code or runtime and respond with a fail-safe mechanism, such as blocking login with clear instructions with reasons due to comprised device or causing the app to crash.
-
Don’t Rely on Hardware Alone—Use Secure Cryptographic Protocols
Modern mobile services offer hardware security modules (HSMs), and Secure Cryptographic Devices (SCDs) offer strong protections, but relying solely on them is risky. Hardware can still be compromised, and when that happens, attackers can exploit cryptographic operations to gain access to sensitive data.
So, what can be done?
To reduce this, using secure cryptographic measures at the software level to complement hardware security is a must. This means implementing strong encryption algorithms, secure key management practices (stored outside of the device), with additional layers of security that protect cryptographic operation, even if the hardware is compromised.
-
Introduce Regular Security Audits & Updates
Without consistently checking for vulnerabilities and providing updates, you’re leaving your mobile wallet exposed to emerging threats.
So, what can be done?
Ensure your app-dev teams consistently apply static and dynamic testing for known vulnerabilities, published by OWASP and ENISA. Do this by scheduling regular security audits and updates quarterly, to counter weaknesses before attackers do. Proactive security maintenance keeps you ahead of the game and makes it harder for attackers to find and exploit flaws.
-
Educate Users
Users are often the weakest link in security, whether it’s falling for phishing scams, using weak passwords, connecting to unsecured networks, or sharing screen due to social engineering.
So, what can be done?
Designing security best practices through user-journeys, the use of education, prompts to encourage strong unique passwords and enforcing multi-factor authentication (MFA), goes a long way. Guiding your users during account creation and verification helps to warn them about suspicious activity. The more users know about protecting themselves, the less likely they are to fall victim to cyberattacks.
Securing mobile wallets isn’t just about relying on hardware—it’s about taking a multi-layered approach that combines encryption, anti-tampering measures, cryptographic security, regular updates, and user education. By implementing these five strategies, you can significantly reduce the risk of attacks and ensure that mobile wallets remain a safe and convenient way to transact in today’s digital world.
---
Want to dive deeper into the world of secure digital identities and learn how to protect your mobile wallet against evolving threats? Download Cryptomathic's comprehensive ebook, "Securing the European Digital Identity Wallet," to explore best practices, advanced security measures, and how to stay ahead of cybercriminals.
