Application Security in Banking
May 10th, 2022 | By Jscrambler | 3 min read
The banking and financial services industries must be concerned with the application security associated with JavaScript code in banking applications.
Secure applications mitigate risk and minimize vulnerabilities: they are hardened against digital fraud and data leakage, and they also support compliance with industry regulations, standards, and laws.
In recent years, we have seen the technologies used for creating web products develop rapidly, and JavaScript has become the predominant language of the Web. It is part of 97% of modern websites, and every single Fortune 500 company is using it.
Client-side JavaScript: Security Considerations
JavaScript is an interpreted language, meaning client-side JavaScript requires an interpreter in the browser to read, digest, and run it. This also means everybody can use a browser debugger to go through the JS code and read or modify it.
With such easy access to client-side JavaScript code, an attacker needs little effort to read, reverse-engineer, or tamper with any unprotected code.
Since virtually every company uses JavaScript to develop their apps, they must consider the underlying security risks posed to their applications, especially the ones that handle sensitive user data, such as mobile banking, e-commerce, and streaming services.
The Rise of Mobile Apps in Banking
In the case of banking, we have seen the industry continuously shift towards a digital-centric approach. Nowadays, you can perform any financial operation through a mobile or web app without any hassle while having a great user experience.
Despite all the benefits of this digital transformation, which has stimulated a highly competitive banking industry, there are some security considerations to highlight.
For instance, the emphasis on development speed often makes companies see security as an afterthought rather than a priority. And in the case of the financial industry, this is especially concerning since a large volume of sensitive data is put at risk.
Consequences of Unprotected Source Code in Banking Applications
If left unprotected, due to the nature of the data they handle, banking apps are susceptible to data leakage and fraud attempts.
Attackers can leverage web supply chain attacks, relying on the lack of visibility companies have over their third-party code, to inject malicious code into their websites and tamper with transactions and personal data.
In turn, those attacks also result in a breach of compliance with regulations and standards, such as PCI DSS and GDPR, which ends up bringing in heavy fines for organizations.
Given the high degree of exposure of sensitive data in these applications, it’s no surprise that security standards such as PCI DSS now require compliant companies to keep an updated inventory of all of their website’s scripts and to monitor in real time for the addition of any malicious code, such as payment card skimming code.
To help achieve this compliance faster, especially with the PCI DSS v4.0, Jscrambler launched a free tool tailored for the new PCI anti-skimming requirements.
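The script inventory and real-time monitoring that the PCI DSS requirement above describes can be approximated in plain browser JavaScript. The following is an added example, not the page's code and not Jscrambler's tool: the allowlist, the sample script entries and every URL in it are constructed placeholders. `auditScriptInventory` works on plain objects so it can run under Node; in a browser the same function would be fed `document.scripts`, and `watchForNewScripts` (browser-only, since it relies on `MutationObserver`) re-runs the audit whenever a new `<script>` element is inserted into the page.

```javascript
// Added example (not Jscrambler's code): audit a page's script inventory
// against an allowlist and report scripts that were not expected.
// Scripts are modelled as objects with `src` and `textContent`, the same
// properties a browser HTMLScriptElement exposes, so the code runs without a DOM.

// Constructed allowlist: the scripts the page is expected to load.
// Hostnames and paths are placeholders, not real banking-site URLs.
const ALLOWLIST = [
  { src: 'https://bank.example/static/app.js' },
  { src: 'https://cdn.example/vendor/analytics.js' },
];

// Compare on origin + path only, so cache-busting query strings
// (app.js?v=42) do not produce false alarms.
function normalizeSrc(src) {
  try {
    const u = new URL(src);
    return `${u.origin}${u.pathname}`;
  } catch (e) {
    return null; // relative or malformed src: reported by the caller
  }
}

// Returns a list of findings; an empty list means every script was expected.
function auditScriptInventory(scripts, allowlist = ALLOWLIST) {
  const allowed = new Set(allowlist.map((s) => normalizeSrc(s.src)));
  const findings = [];
  for (const script of scripts) {
    if (!script.src) {
      // Inline scripts have no URL to match; surface them so the inventory
      // owner decides whether each one is expected (or hash them, see SRI).
      findings.push({ kind: 'inline-script', detail: (script.textContent || '').slice(0, 60) });
      continue;
    }
    const key = normalizeSrc(script.src);
    if (key === null) {
      findings.push({ kind: 'unparseable-src', detail: script.src });
    } else if (!allowed.has(key)) {
      findings.push({ kind: 'unknown-script', detail: script.src });
    }
  }
  return findings;
}

// Browser-only: re-run the audit for every <script> inserted at runtime,
// which is how injected code usually arrives after the page has loaded.
function watchForNewScripts(root, onFinding, allowlist = ALLOWLIST) {
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.tagName === 'SCRIPT') {
          for (const f of auditScriptInventory([node], allowlist)) onFinding(f);
        }
      }
    }
  });
  observer.observe(root, { childList: true, subtree: true });
  return observer; // call observer.disconnect() to stop watching
}

// Constructed inventory: the two expected scripts, one unexpected external
// script (placeholder hostname), and one inline script.
const SAMPLE_SCRIPTS = [
  { src: 'https://bank.example/static/app.js?v=42' },
  { src: 'https://cdn.example/vendor/analytics.js' },
  { src: 'https://unknown-cdn.invalid/loader.js' },
  { src: '', textContent: 'window.__flag = 1;' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditScriptInventory(SAMPLE_SCRIPTS));
}
```

Findings from this audit are the raw material for the inventory PCI DSS asks for: each `unknown-script` or `inline-script` entry is either added to the allowlist after review or treated as a possible injection. Matching by origin and path rather than the full URL avoids alarms on versioned URLs, but it also means a legitimate host serving a modified file is not detected by this check alone; pinning content with Subresource Integrity closes that gap.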
The State of Application Security in Banking Applications
The vast majority of banking institutions have gone through a stage of digital transformation.
Have these institutions given enough attention to the client-side security of their web and mobile applications?
Jscrambler's research team has looked deeper into some regions around the globe to see what the state of application security in banking looks like. The results show some interesting patterns.
63% of banking apps in the LatAm region don't use obfuscation techniques
In the LatAm region, we had previously found that around 63% of banking applications don’t use obfuscation techniques in their code. The same is true for Brazilian banking apps, 65% of which leave their code unprotected.
This means that the majority of banking apps in these regions are vulnerable to various client-side attacks, as outlined in standards like ISO 27001, OWASP, and NIST.
“Program source code can be vulnerable to attack if not adequately protected and can provide an attacker with a good means to compromise systems in an often covert manner.”
ISO 27001 Standard
Now, the Jscrambler research team has delved into the UK banking industry, seeking to understand if banking apps in this region are equally lagging in security. You can get first-hand access to these insights by reading the free report regarding the state of application security in UK banking.
Protecting Banking Applications and Keeping User Data Secure
To protect banking apps from attacks, organizations must adopt application shielding and third-party management techniques.
This includes protecting the client-side source code through a multi-layered approach (obfuscation, environment checks, and runtime protection) while gaining visibility of all third-party code running on the banking website.
Both of these dimensions are essential to ensuring secure data management practices and the mitigation of client-side threats in real time, before they become a problem.
To learn more on the subject of application security in banking apps, please refer to the following resource:
Lastly, if you want to start securing your JavaScript code, try Jscrambler for free.