Winning the Battle for Secure Mobile Payments in the Fastly Emerging HCE Ecosystem

Until recently, the Near Field Communications (NFC) industry has been relatively stagnant due to interoperability challenges, high upfront capital costs and a complex partner relationship. What has changed and what experts believe will give fresh momentum to the NFC industry is the tremendous interest currently gathering around Host Card Emulation (HCE), especially since Google’s release of HCE capabilities in its Android (4.4) KitKat platform.

Additionally, at a recent development conference, Google has revealed that its own wallet will support the HCE platform. This intention to integrate HCE in its mobile payments/wallet strategy via the Android Pay API will provide support to phones and other smart devices which do not have hardware secure element built in into the device. This developer-friendly strategy to provide the storing of payment encryption keys via a software-based secure element approach provides mobile payment application developers with a rapid go-to-market capability.

As such, HCE is being seen as an excellent, low-cost and easy-to-install alternative to the standard secure element approach, which typically requires specific versions of devices to work.

There are various benefits attached to HCE, which many experts consider as a real game changer that will drive more NFC adoption in the near future. Earlier, even though there was enormous interest within the telecom and banking sector to launch NFC mobile applications, the key challenges were the lack of sufficient infrastructure and high costs attached to storing the user data securely inside the mobile devices.

HCE is the solution that can solve these problems as it can end the dependency on the TSM (Trusted Service Managers) and high costs of replacing NFC SIMs and installing expensive, proprietary POS (Point of Sales) terminals.

The value from adopting this open HCE approach without any hardware update requirements enables payment providers and ecosystem stakeholders to quickly scale and fully leverage the mobile computing platform to offer more secure payment options. The combination of contactless payment from Google plus mobile application protection yields a revolutionary solution for financial institutions and businesses to provide a secure mobile payment that can finally be embraced for mass adoption with confidence.

To learn more about how to associate your brand with this fastly emerging HCE ecosystem and to gain the first mover’s advantage, come see our VP of Product Management, Vince Arneja, speak at the HCE Summit on April 15 in New York, or view our archived webinar, Revolutionary Security for HCE Mobile Payments.

Arxan Shortlisted for SC Magazine Europe Award 2015

Arxan has been named a finalist in the SC Awards 2015 Europe for ‘Best Mobile Security Solution’, which acknowledges superior products and services that help customers address the most pressing cyber-security threats. The winners will be announced at the SC Awards Europe ceremony to be held on June 2 in London.

The SC Magazine Awards are the information security industry’s most prominent recognition. Winners in the Threat Solution categories are decided by an expert panel of judges, hand-picked by SC Magazine UK’s editorial team for their breadth of knowledge and experience in the information security industry. The awards honour both the cyber-security professionals working in the trenches, and the products and services that help protect today’s corporate world from a myriad of ever-changing threats.

Our mobile application protection technology protects from revenue loss, fraud, unauthorised data access, or brand loss from reverse engineering, code tampering or inserting malware into an application. This integral protection enables app owners to distribute core assets with confidence by incorporating self-protections and tamper-resistant attributes via proprietary controls into the app.

Fingers crossed the judges are impressed with the pioneering mobile application protection technology that we have to offer. Stay tuned for further announcements nearer the time of the awards on June 2.

Securing Mobile Banking Apps: You Are Only as Strong as Your Weakest Link

BY: Patrick Kehoe, CMO, Arxan

The devastating effects on revenue and brand caused by cybercriminals to consumer corporations, especially trusted organizations such as financial institutions, are by now well understood and very intimidating. What is not so well understood is how to prevent these attacks, especially in the exploding mobile environment, where customers demand innovation — and where cybercriminals are finding it easier than ever to exploit the widening gap between mobile technology and security protections.

Changing Landscape

Mobile banking services are the new “game-changers” in the banking and payments arena. In light of a number of macro trends, those who offer the best and most secure banking and payment apps will win.

Consider the following:

Mobile Banking Apps Are Your Best Driver for Customer Acquisition
  • In recent research by AlixPartners in the U.S., mobile banking was identified as the most important deciding factor when switching banks (60 percent). Mobile banking was identified as more important than fees (28 percent), branch location (21 percent) and services (21 percent).
Mobile Banking Is Critical for New End Users
  • Based on the Federal Reserve mobile device report, the use of mobile banking is highly correlated with age, with individuals between ages 18–29 accounting for approximately 44 percent of mobile banking users, relative to only 6 percent accounting for end users over 60.
Mobile Banking and Payments Opportunity Is Huge
  • According to IDC, the mobile payments market will eventually eclipse $1 trillion by 2017.
  • More than half of the6,000 commercial banks in the U.S. now offer some form of mobile banking, and that portion is projected to reach nearly 75 percent in the coming years.
  • In the Kount’s recent Mobile Payments and Fraud survey, both security and fraud are in focus; consumers are apprehensive about how to better manage fraud risk and consumer security — both growing by more than 40 percent as compared to last year.

How Secure Are Mobile Banking Apps and Mobile Devices?

Unfortunately, only a few are capitalizing on the opportunity to gain a competitive advantage by offering secure mobile apps.Recent analysis by Arxan found that the majority of paid financial services and retail apps have been hacked; read the full report here.

Mobile devices running iOS or Android are far from secure; the latest Kindsight Security Labs report from Alcatel-Lucent highlights that there are currently over 15 million infected mobile devices worldwide — a 20 percent increase from 2013. The Kindsight Security study also found an increase in mobile spyware. Of the 2.3 billion smartphones around the globe, Kindsight Security estimates that 40 percent of them contain spyware used to monitor the phone’s owner by tracking the device’s location, incoming and outgoing calls, text messages, email, Web browsing and history.

Unfamiliar Terrain

What makes the ground so fertile for such breaches?

The “surface area” for attackers to hit has grown immensely with the mobile computing explosion. In the past, when apps were run inside data centers, there used to be just a few “attack areas” for hackers to pursue — mainly focused on remotely exploiting flaws and defects in the application code.

Today’s mobile landscape introduces new threat vectors that typically aren’t considered in organizations’ mobile banking security approaches. Key threat vectors include:

1. Jailbroken or Rooted Devices: Your mobile banking app security may be state-of-the-art, but if you use it on a jailbroken or rooted device, you may be exposed to extreme risk. Users often jailbreak/root their devices, virtually breaking the security model and removing any inherent limitations, allowing mobile malware and rogue apps to infect the device and control critical functions such as SMS. Recently, a variant of the PC-based Zeus malware “ZitMo” has been used to forward SMS messages to cybercriminals as a means of circumventing out-of-band authentication.

2. Outdated OSs and Nonsecure Connections: Risk factors such as dated operating system versions, nonsecure Wi-Fi network use and pharming attacks allow cybercriminals to exploit an existing online banking session to steal funds and credentials or gain full access to the mobile device.

3. Account Takeover: Cybercriminals use mobile devices to access a victim’s account through mobile browsers or mobile banking apps. And unfortunately, they have enjoyed relative anonymity when using mobile devices that share many similar attributes, making it challenging to defend against. Server-side device ID solutions have a difficult time uniquely detecting criminal devices.

4. Cross-Channel Credential Theft: One of the prevalent enablers for account takeover is stolen credentials through phishing or malware on the online channel. In some cases, the mobile channel is not sufficient to fully execute a fraudulent transaction; fraud can either start or end on the mobile device, but most methods of attack involve at least one additional channel that fraudsters use to complete their task. To effectively protect end users and the mobile banking application, cross-reference actions need to be performed on the various channels while looking for suspicious activities. To identify mobile account takeover, one must see the entire picture — the full fraud life cycle — rather than a limited, tunnel-visioned view of just the mobile channel.

5. Attacks to the Mobile Application: When a user downloads an app, it is in binary code format, and if the steps have not been taken to protect this binary code, the app is susceptible to reverse engineering. There are many readily available tools that can reverse an application from binary format into source code. With access to source code, hackers can gain access to sensitive data and intellectual property (IP). Also, the code can be modified (e.g., security controls can be patched out), the run-time behavior of the applications can be altered and/or malicious code can be injected into the application. Once altered, the application can be repackaged and circulated to look as though it originated from a known/safe source. These and other methods of hacking an app are outlined here.

A New Model for Mobile Banking Security

In order to deal with the changing mobile threat landscape, a new set of tools is necessary. Financial institutions should embrace a comprehensive security approach that meets these evolving threats and includes the following:

  • Device risk level detection
    • Jailbroken devices
    • Outdated OSs
    • Malware infections
    • Rogue apps
  • Account takeover detection
    • Persistent device ID
  • Mobile application protection
    • Harden app to protect the confidentiality of the code
    • Protect the integrity of the app at run time

Financial institutions are constantly looking for the right mix of technologies that can securely support multiple use cases and enable productivity while keeping enterprise data protected on mobile devices. Although the offer of technologies that address mobile security is broadening and maturing, the larger portion of enterprises are still looking for basic tools to provide protection against physical loss or the use of improper applications.

Despite the growing awareness and enormous efforts financial institutions undergo, a significant gap remains between mobile technologies and security protection mechanisms. Financial institutions have been carrying vast product sets, frequently unappreciated by their customers, often with a subsequent cost in operations, technology, service and, sometimes, risk and regulatory challenges.

The following three steps provide enhanced security against evolving mobile threats:

Build Your App Safely
  • There are several factors to consider while designing an app — risk mitigation, security management, compliance and Web-based/mobile application source code vulnerabilities, just to name a few.
  • IBM® Security AppScan® can enhance Web application security and mobile application security, improve application security program management and help app developers meet regulatory compliance obligations. By scanning your Web and mobile applications prior to deployment, AppScan enables you to identify security vulnerabilities, generate reports and remediate recommended issues.
Keep the App Safe We recommend exploring three techniques:

  • First, deploy a dedicated library designed to enable application security services for mobile applications. This library can be used to build custom apps with various advanced security features.
    • IBM Security Trusteer’s Mobile SDK protects organizations’ native mobile applications by performing device risk factor analysis while providing a persistent mobile device ID. The SDK can be used to build custom applications with advanced security features with the following functionality provided:
      • Device risk detection based on indicators such as Jailbroken/rooted device detection, malware infection detection and Wi-Fi network security state.
      • Active protection of IP and SSL.
      • Unique and persistent device ID creation.
  • Second, leverage protection that detects attacks at run time.
    • Arxan guards can verify the integrity of the application, its data or the app environment at run time. In addition to detecting hacking attempts by malicious actors, guards can also detect another seemingly innocuous but malicious application from performing a drive-by attack at run time. Another app can compromise your app via run-time method swizzling or function/API hooking to steal information or gain control.
  • Third, establish a formal mechanism to react to attacks.
    • With Arxan, you can define how the app should react upon attack detection. For instance, the app can shut down or not start to prevent the use of a compromised application. Also, self-repair capabilities can replace tampered code or data with original correct code. Finally, the app can alert and phone home to your back-end system of choice.
Prevent Misuse
  • This involves real-time fraud detection via evidence-based, cross-channel intelligence. As threats become more sophisticated, stopping fraud requires more decisive action, such as putting the transaction on hold and manually reviewing high-risk/high-value transactions. This can impact staff who investigate fraud and, ultimately, affect the customer experience. Several tools are specifically designed to prevent misuse:
    • IBM Security Trusteer Pinpoint Criminal Detection™ is designed to protect against account takeover and fraudulent transactions by combining traditional device IDs; geolocation and transactional modeling; and critical fraud indicators. This information is correlated using big data technologies to link events across time, users, activities and platforms, whether they’re mobile or PC-based. Phishing, malware and other high-risk indicators are used for evidence-based fraud detection. By matching new and spoofed device fingerprints, real-time phishing incidents and malware-infected account access history can be detected. Trusteer can identify account takeover attempts, minimize customer burden and help eliminate IT overhead.
    • Arxan Application Protection is designed to protect binary code. Binary protections slow down an adversary from analyzing exposed interfaces and reverse engineering the code within a mobile app. All too often, an adversary will steal code and recycle it within another app for resale. Arxan protection defends applications against compromise by obfuscating or scrambling the code and encrypting or pre-damaging some or all of the application statically or at run time.

Protect your mobile banking apps at every stage of development with IBM

Learn More…

Detailed steps you can take to protect mobile banking apps will be reviewed in detail during our Jan. 29 webinar. We’ll explore mobile threat vectors in more detail and educate you about how to establish a secure mobile banking solution. This will enable you to win the mobile banking battle!

This blog was co-authored by ASSAF REGEV

The Increased Need to Protect Mobile Apps

Our Third Annual State of Mobile App Security Report Reveals Sobering News about the Most Popular Apps

In mid-November, we released Arxan’s annual State of Mobile App Security report. Hot on the heels of the WireLurker malware, Masque Attack exploits and an investigative report by the Associated Press on how easy it is to hack an app, our research was especially timely and useful to the media, developers, and our customers.

Our research revealed that 97% of the top 100 paid Android apps and 87% of the top 100 paid Apple iOS apps have been hacked. In addition to an increase in app hacks found for commonly downloaded Popular Free apps, this year’s research also revealed evidence of widespread hacking of financial services, healthcare/medical, and retail/merchant apps, largely driven by hacks of Android apps.

The findings of increased app hacking are especially noteworthy amidst today’s rapid growth in global mobile app usage. Free app downloads are forecasted to increase at a rate of 99% to reach 253 billion downloads in 2017, and paid app downloads are projected to reach almost 15 billion, a 33% increase by 2017. This explosion in app usage is seen across all verticals and led by apps running on the Android mobile operating system, which continues to dominate with 85% market share.

The report included key recommendations to improve the security of mobile applications, including that:

  • Applications with high-risk profiles running on any mobile platform should be made tamper-resistant and capable of defending themselves and detecting threats at runtime.
  • All applications should be developed to maintain the confidentiality of the application/code.
  • The software that is used to enable mobile wallets/payment apps (e.g., Host Card Emulation software) should be protected with secure crypto and app hardening.
  • Organizations should consider mobile app assessmentsto assess if existing apps are exposed to risks that are unique to mobile environments. Also, as part of the mobile app development lifecycle, organizations should conduct Penetration Tests that, among other things, should assess vulnerability to reverse engineering and tampering that can result from unprotected binary code.

Our report and the accompanying infographic included key recommendations to improve the security of mobile applications.

Read our report and view our infographic here.

Read the press release here.

Preventing Reverse-Engineering of Applications with Runtime App Self Protection: Arxan’s Enhanced Mobile RASP Capabilities

With the growing number of data breaches and security and privacy risks, the need to implement secure solutions is becoming more diverse and immediate. In addition to traditional firmware or machine-to-machine security approaches, the application layer also requires protection from hacker threats.

As such, our enhanced Runtime App Self Protection (RASP) capabilities announced today provide runtime tamper detection capabilities for Java applications and add protection features into the application runtime environment to give applications another level of protection from malicious attacks.

These RASP capabilities, as part of our application protection technology, address today’s sophisticated attacks with security measures that:

  • Accurately identify and block attacks, given visibility into an application’s logic and data flow
  • Check to ensure that the application is running in a safe environment (e.g., detecting if an app is running on a jailbroken device or if a debugger is running, that could enable attackers to examine a program while it is running)
  • Detect malicious activity from other running apps via Swizzling or Hooking
  • Respond to runtime attacks with customizable actions, which may include:
    • Replacing tampered code with the original code during runtime
    • Exiting the application safely when a runtime attack is detected
    • Alerting monitoring systems that an attack has happened

Accordingly, in Gartner application security analyst Joseph Feiman’s recent Maverick report, he advises that CISO’s should “make application self-protection a new investment priority, ahead of perimeter and infrastructure protection. Perimeter protection technologies cannot protect what ceases to exist — the perimeter, which dissipates in the mobile, consumer-oriented and cloud-oriented world.”

To learn more about Arxan’s innovative approach to RASP, please email

Arxan shortlisted for Appsters Award

Arxan has been shortlisted in the upcoming Appsters Awards under the category, Best App Technology! The awards will take place in London on November 12.

The Appsters Awards are a must-attend for the who’s who in the world of apps. The award winners are decided by a judging panel of independent experts, delivering plaudits to worthy winners across key categories.

Our mobile application protection technology protects from revenue loss, fraud, unauthorised data access, or brand loss from reverse engineering, code tampering or inserting malware into an application. This integral protection enables app owners to distribute core assets with confidence by incorporating self-defence and tamper-resistant attributes via proprietary controls into the app.

According to ABI Research the mobile application security market grew to $389 million by the end of 2012, the need for protection and security within mobile applications is of high importance. Our unique app hardening capability ensures the integrity of critical business or security logic contained in the mobile endpoint is protected from attacks that can result in severe financial and reputational damages.

Fingers crossed the judges are impressed with the pioneering mobile application protection technology that we have to offer. Keep your eyes peeled for further announcements nearer the time of the awards on November 12.

Don’t forget to come and visit us at stand 322 at Apps World between 12 -13 November at ExCel Centre, London. Also, be sure to join us at our panel session at the event “New technologies in mobile banking & financial services and their impact on the customer experience”, taking place on November 12 at 4:30pm GMT.

To find out more information about the event, please visit

Protecting Brand and Intellectual Property from Hacking Attacks: Arxan’s Integrated Solution in Xamarin Evolve Panel and Workshop

With the ever-increasing threats and data breaches, mobile app protection is quickly becoming the defining attribute for high-value mobile apps.

An efficient approach to layer incremental security is critical now more than ever during the build process and before deployment.

Arxan’s integrated and enhanced solution announced today ensures seamless interoperability for enhanced application protection with Xamarin-based mobile apps – which will be further discussed at Xamarin’s own conference, Xamarin Evolve, in a panel and workshop with Arxan.

The panel, taking place on Wednesday, October 8, from 2:30pm – 4:00pm ET, will center on how to best secure your sensitive data in the app, on the device, and over the wire – with insights from Arxan VP of Product Management Vince Arneja and moderator & Xamarin Director of Enterprise Mobility Steve Hall, as well as fellow panelists and representatives from Airwatch, Good Technology, and Mobile Iron.

Also taking place at Xamarin Evolve is the workshop, Think Like a Hacker! Common Techniques Used to Exploit Mobile Apps and How to Mitigate these Risks, led by Arxan engineer Darren Cathey on Thursday, October 9, from 11:15am – 12:00pm ET. During this session, attendees will learn just how easy it is for hackers to leverage widely available third party tools to completely disable and compromise mobile apps.

To meet with Vince and/or Darren at the event, please stop by our booth (#4) or email

Revolutionizing Security for mCommerce: Arxan’s Software-Based Approach in Upcoming Webinar and Industry Panel

As mCommerce is driving up mobile payment transactions around the world, cybercriminals are closely following with new exploits increasingly being launched as a means to commit mobile transaction fraud.

As such, a proven mCommerce security approach is in great demand, in order to combat top mobile app payment risks and emerging threats that impact mobile financial transactions.

Arxan’s innovative approach to secure mCommerce announced today, serves as a point of discussion in the webinar, “Revolutionary Security for HCE Mobile Payments.”

The webinar being held tomorrow (Tuesday, September 30) from 11:00 AM – 11:30 AM EDT will present this newly announced approach, as well as beliefs on how software-based security has revolutionized the mobile payment industry. Host Winston Bond (Arxan’s Security Solutions Architect) will delve into the value from adopting this approach, with payment providers and ecosystem stakeholders being able to fully leverage the mobile computing platform.

For registration details, please visit:

Also, Arxan’s VP of Product Management, Vince Arneja, will be providing more information on the software-based security approach at the Mobile Payments Conference, as a speaker on the industry panel, “Keeping Mobile Commerce Secure,” on Oct. 7th at 4:15 pm.

Arneja will discuss the exposures and risks among mCommerce ecosystem’s critical industry stakeholders and will address the role of key security approaches needed for strong defense.

If you’d like to schedule a meeting at the show with Vince to discuss Arxan’s comprehensive software-based security, please email us at

We hope to see you at the webinar and conference!

Think like a Hacker! Featured events at AppSec USA hosted by Arxan

AppSecUSA logo

The first step in learning how to protect and defend your applications from Hackers is to think like one….

Arxan’s security experts will be hosting a few exciting and exclusive events during AppSec USA in Denver, CO on September 18 & 19.  Highlights below:

workshopMobile App Hacking Workshop 

We’ll be hosting the first-ever hands-on, interactive Mobile App Hacking Workshop during the OWASP AppSec USA 2014 Project Summit.

The inaugural workshop will be led by security experts and will uniquely enable attendees to immediately apply their app protection learning’s in their own environments in order to mitigate app binary risk and implement new approaches on mobile app security.

Dates/Times:  September 18 , 1:00PM – 3:30PM  & September 19,  9:00AM – 11:30AM

Attendees:  This complimentary and specialized workshop is intended for mobile app developers and security experts to gain first-hand knowledge / experience of reverse engineering hacking techniques on iDevices using widely available third party tools. These tools are used to completely disable and compromise mobile app binaries to gain unauthorized access to source code, then tamper with the app to enable unauthorized access, advanced malware attacks, steal sensitive data or intellectual property, conduct fraud and other illicit activities.  Attendees will:

  • Learn about the evolutions in the mobile threat landscape
  • Learn how hackers use third party tools to compromise app integrity via reverse-engineering and tampering attacks (e.g. Clutch, IDA, Hex-Rays, otool, classdump, Theos, gds/nm/strings debuggers, etc.).
  • Explore findings from mobile banking red-team testing projects at several top global banks
  • Customized workstation and jail broken devices are included in the workshop as well as a sample mobile banking app

Limited Seating and Pre-qualification:  Workshop seats are limited to 10 per day and will last up to 2.5 hours. To fully engage in the workshop, interested participants need to have advanced app development and computer engineering skills.  Due to the severely limited size, participants will receive confirmation upon completion of pre-qualification questions from the following survey.


“How to Hack an App”  Demo Series at Arxan Booth G1

These demos will showcase the nefarious tools and methods that hackers use to identify targets within an app and intrude on it’s critical code.  Stop by to see for yourself how mobile apps are being attacked using these common techniques to exploit applications!

Dates: September 18 & 19


11:00 AM  See How Your Binary Exposes Your Source Code

3:00 PM  Binary Modification for n00bs (newbies)

4:00 PM  Breaking iTunes Code Encryption


Free Mobile Application Assessment

We’ll also be offering a free Mobile App Assessment where Arxan’s mobile app security experts assess your mobile app for exposures to key risks. Not attending? Request the Mobile Application Assessment here.

If you’d like to schedule a meeting at the show to discuss Arxan’s application protection solutions, please email us at

We hope to see you at the event!

Arxan Presents ‘Revolutionizing Mobile Payments’ at the UL Innovation Seminar


Arxan is thrilled to announce our participation in the upcoming UL Innovation Seminar, focusing on hardware vs. software-based security solutions. See below for details on our session:

Session Title:  Revolutionizing Mobile Payments; Without the Complications of Hardware

Speaker: Jonathan Carter, Technical Director, Arxan

Date: Friday, September 5, 2014

Time:  1:30pm-2:00pm

Location: Hyatt Regency San Francisco, Airport

Description: Innovation in mobile computing is now going beyond hardware attributes to deliver new features, services and most significantly, the required security for new business models. During this presentation, Jonathan Carter will share his belief on how innovations in software-based security have revolutionized the mobile payment industry.  Baring the shackles of fragmented hardware ecosystems, these innovative software security techniques provide a new trusted secure element.  The value from adopting this approach enables providers to fully leverage the mobile computing platform and confidently deploy new financial services to finally achieve widespread distribution and adoption.   The success that other industries have already realized in terms of customer growth, scalability and confidence in security will also be shared.

We cordially invite you to attend the seminar and join our session! Register here, space is limited.

We look forward to meeting you at the event!  Email us at if you’d like to set up a meeting with us.