June 9th, 2021 | By Jscrambler | 5 min read
Leading Neobanks like Revolut, Nubank, and Starling Bank keep challenging the banking industry and setting new standards. However, these Neobanks have challenges to address, specifically application security.
Note: We have anonymized all company and personal names.
Neobanking Model: From Innovation to Satisfaction
Neobanks defy traditional banking by betting everything on digital and delivering customer-centric services for payments and money management.
73% of consumer interactions with banks are done digitally.
While traditional banks have invested in Web and mobile platforms, Neobanks release twice as many new features and three times more app updates per year.
They also run 42% faster than incumbents. As a result, user satisfaction ratings for Neobanks in the US (90%) are much higher than those of traditional banks (66%).
This allows for cutting product development costs and time, paving the way for rapid iteration and innovation, aided by relying on third-party integrations instead of developing all pieces of code in-house. However, this approach raises additional concerns about application security.
Faster Development, Larger Attack Surface
In software development, pursuing agility and speed often means widening security gaps.
Jscrambler and Neobanks: Managing Application Security
Over the last few years, Neobanks, mainly from North and South America, have come to Jscrambler with significant security challenges.
There was a high likelihood of having to run sensitive logic on the client side, so it became paramount to guarantee that this logic would be concealed with the most potent and resilient technology available today.
It was equally mandatory to ensure that automated reverse-engineering tools would always fail to reverse the concealed code, as it would be unfeasible for attackers to reverse it manually. This goes hand in hand with the security recommendations from the OWASP Mobile Application Security Verification Standard (MASVS).
"We’re called “challenger banks” for a reason; one of our toughest challenges is still gaining customer trust. When handling their data, we can’t just meet the minimum requirements; we must excel at it and keep data safe at all costs."
With this security layer, all of the source code of the Neobanks’ apps was concealed beyond possible recognition.
Jscrambler’s set of the most potent and resilient transformations guaranteed cutting-edge obfuscation.
Its inherent polymorphism ensured that each new code deployment would be completely different, making it an extra line of defense against reverse engineering attempts.
"The concealed code looks like absolute nonsense and passed all of our tests. Being able to pick from dozens of well-documented transformations and fine-tune each one was very important."
Following obfuscation, these Neobanks leveraged an additional Jscrambler security layer to meet the challenges of preventing application tampering and client-side data exfiltration: self-defending.
With this runtime protection, their apps gained a series of integrity checks that detect every debugging attempt and break the app whenever tampering occurs.
Taking advantage of other client-side countermeasures, such as calling a custom function, has enabled these Neobanks to stop malicious users.
Neobanks’ Security Engineers were well aware of the problem and the required steps for solving it.
After the initial setup of their Jscrambler instance, it took on average 1 week and 2 meetings with Jscrambler’s Engineers to integrate Jscrambler seamlessly into their CI/CD pipeline. From there, Jscrambler became an automated part of their application build process.
5 Web and Mobile applications were secured in one week
"Today, not a single product ships without secure client-side logic, and this has been extremely effective."
In parallel, security teams were able to fulfill several security recommendations by OWASP, namely the OWASP Mobile Top 10, which states that “To prevent effective reverse engineering, you must use an obfuscation tool” and “The app must be able to react appropriately at runtime to a code integrity violation.”
To management, ensuring that their applications’ source code was protected against reverse engineering and tampering meant a new competitive advantage.
With Jscrambler, Neobanks gained the upper hand in future funding rounds.
To maintain their edge in the banking race, Neobanks need to maintain the integrity and security of their applications.
To do it, they need enterprise-grade solutions that offer them the flexibility and ease of implementation they need to continue innovating.