Mobile App Data Obfuscation Techniques for Banking

Code obfuscation is one of the most effective techniques for protecting sensitive data in mobile banking and payment apps. However, it's not always the best solution, especially when you want to protect partially displayed data, data that links to other accounts, or data that you need to send to a remote network.

In scenarios like this, the most effective way to protect your mobile app is with data obfuscation.

What is Mobile App Data Obfuscation?

Mobile app data obfuscation, or data masking, replaces the original data with modified content that hides it. It's an important part of mobile app security: it protects sensitive information while keeping that information usable to the application.

Sandboxing or testing mobile applications in less-protected environments is one use case for data obfuscation. In this case, completely fake and useless data, disconnected from real financial systems, is used instead of real financial data, yet the application remains fully functional.

In development management, it's also effective at preventing contractors from directly accessing sensitive databases while still giving them fully functional access to the systems.

App developers can also use data obfuscation in production environments. The goal here is to secure the real data and shield confidential information, like credit card numbers, social security numbers, names, and addresses. This is particularly important in cloud production environments, to prevent attackers from accessing this information.

In a wide variety of contexts, you may want the ‘look & feel’ of the masked data to remain as close as possible to the original.

5 Effective Mobile App Data Obfuscation Techniques

Substitution

You could simply substitute the original data with equivalent fake data that has an identical format and follows the same business logic. For example, a database of personal records can be replaced with an equivalent database populated with imaginary records that look real, follow identical logic, and use realistic addresses located in substituted counties.

If such a database were stolen and leaked, only fake information would be exposed. The substitution technique also acts as bait: it makes an attacker think they have achieved their goal and so stops them from proceeding further.

Shuffling

This technique consists of shuffling the values in the records used by a mobile banking application, using random permutations so that each value remains real but is no longer attached to its original record.

For instance, in the context of personal records, birth dates, addresses, etc., can be shuffled between records, making the final database useless to an attacker. This is a quick obfuscation solution, but it offers a very low level of security.

Masking Out

This technique makes sense when sensitive information must be printed on paper or displayed on a screen. The customer must still be able to identify the corresponding data, yet the record must appear incomplete.

For example, a well-known way to mask out a credit card number is to replace some of its digits with crosses, like so:

49XX-XXXX-XXXX-5421

While the credit card number is largely masked out, the application user can still identify and map the masked data to the full credit card number it represents.

Of course, great care must be taken that enough digits are hidden (that there is enough entropy in the masking) so that an attacker cannot brute-force the masked digits and reconstruct the full number.

Encryption

An efficient way of securing data is encryption. However, while it provides optimal security, it's not always convenient: some encryption APIs aren't available on every mobile operating system version. For instance, AES is only available through Android API 23 and higher.

Encryption may also slow down the application when large volumes of data have to be encrypted and decrypted, or when this happens frequently. Additionally, the obfuscation then relies entirely on an encryption key, which itself must be protected and obfuscated.

Tokenization

In general, tokenization may be the best all-around solution for mobile app data obfuscation. Developers substitute the data with a token generated from random data and/or a one-way cryptographic hash function. A dictionary maps the data to its tokenized form and back again.

Tokens are widely used by mobile banking and mobile payment applications to protect customers’ credit card data by replacing it with a proprietary number. 
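The masking-out display above and the token dictionary just described, as an added example that is not MASC's or any vendor's code: the vault keeps the only copy of each card number, hands the app a format-preserving token, and the app renders the masked form from the token alone. The `TokenVault`, `luhn_ok` and `mask_pan` names and the sample card number are constructed assumptions.

```python
import secrets

# Constructed example (not MASC's or any vendor's code): a token vault plus the
# masked display from the section above. Class and function names are assumptions.

def luhn_ok(digits: str) -> bool:
    """Luhn check that every real card number (PAN) passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(number: str, keep_prefix: int = 2, keep_suffix: int = 4) -> str:
    """Render the '49XX-XXXX-XXXX-5421' display form from a PAN or a token.
    The hidden digit count is the brute-force budget; the Luhn check digit and
    known issuer prefixes shrink that search space further."""
    digits = "".join(ch for ch in number if ch.isdigit())
    hidden = "X" * (len(digits) - keep_prefix - keep_suffix)
    masked = digits[:keep_prefix] + hidden + digits[-keep_suffix:]
    return "-".join(masked[i:i + 4] for i in range(0, len(masked), 4))

class TokenVault:
    """Keeps the only copy of each PAN; the app stores and transmits tokens."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        digits = "".join(ch for ch in pan if ch.isdigit())
        if len(digits) != 16 or not luhn_ok(digits):
            raise ValueError("not a well-formed PAN")
        if digits in self._token_by_pan:   # same PAN always yields the same token
            return self._token_by_pan[digits]
        while True:
            # Keep the prefix and last four so mask_pan(token) == mask_pan(pan) and
            # the app never needs the real PAN just to display it. The ten middle
            # digits are random; the token is forced to FAIL Luhn so a leaked token
            # cannot pass as a genuine card number.
            middle = "".join(secrets.choice("0123456789") for _ in range(10))
            token = digits[:2] + middle + digits[-4:]
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can recover the PAN; unknown tokens raise KeyError."""
        return self._pan_by_token[token]
```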

In Summary

Mobile app data obfuscation enhances mobile app security. It protects you and your customers against data loss and breaches, data hijacking, exposure of data through unprotected interfaces, and unauthorized use of data by contractors (testers, developers, etc.) within an organization.