Airzero Sec


The term ‘mobile payments’ refers simply to all payments that are made using your mobile device. Do you find it convenient to shop and bank online using mobile payment apps? Most would have ‘yes’ as an answer. But, are we letting ‘convenience’ overshadow ‘security’? An attacker can easily get hold of your personal and banking information if the app or the mobile site you are using is compromised. The chances of this happening increase significantly if your mobile device itself is infected. Mobile payments include the use of mobile wallets and mobile money transfers. There are two types of mobile payments: online or in-app purchases, and using a POS terminal in a bricks-and-mortar store. Here are some of the biggest mobile payment security risks, and steps you can take to protect yourself.

Losing your phone is like losing your credit card

Your smartphone is a small, slippery object that provides a huge window into your personal life. It contains the names and contact information of every key acquaintance in your life, your personal photo collection and social media apps. It also can provide access to credit and bank accounts via a mobile wallet and payment apps.

Most smartphones contain built-in protections that can prevent a phone thief from using your mobile wallet to rack up fraudulent charges. The best way to keep a thief out of your phone is to require two-factor authentication to unlock it – ideally, a PIN combined with a biometric method such as your fingerprint, facial recognition or an iris scan.

Weak Passwords

Being hacked due to weak or reused passwords is one of the oldest forms of hacking. Even the strongest form of password hashing, as used by corporate security firms, can fail against cyber criminals' password-cracking tools when the password itself is weak.

It may sound obvious, but don’t use the same password for everything, and try to change them once a month. Look into using a password manager such as LastPass. These online password resources will generate strong passwords using a combination of numbers, letters and special characters, and store them all in an encrypted vault.

Cyberthieves can ‘spoof’ your mobile wallet

When you add a credit or debit card to your mobile wallet, the card number is stored securely via encryption, which disguises it with a code created by an algorithm. Additionally, the major mobile wallet providers use randomly generated payment tokens to ensure your card information is not seen by merchants or even the wallet providers when you make purchases.

Load your cards into your mobile wallet while at home, using your own password-protected Wi-Fi network. If you need to manage your mobile wallet while away from your home, consider setting up a personal virtual private network (VPN) for your phone.

Using Public Wifi

Some of the most popular ways hackers can compromise public wifi are by creating fake connections and sidejacking. Fake connections are created by setting up an access point (AP), which can be done using any form of device with internet access, with the same name as a legitimate connection. Hackers then intercept any data in transit, such as a bank transfer or online payment.

Using a VPN (Virtual Private Network) is one of the most secure forms of protection against hacking. A VPN establishes a level of encryption between your device and the website you’re browsing, so any data transmitted is unreadable without the unique decryption key. Be careful when choosing a VPN, as even these can be compromised or faked.

Your phone can become infected with malware

Cyber criminals use malware to remotely commandeer computers, smartphones and other devices or steal users’ passwords and other private information. Malware infection typically results from an unwitting user clicking on a sketchy ad or a phony link sent by a malicious third party. Computers are generally more vulnerable than cellphones, but mobile malware is a growing threat.

A bank or card issuer can employ security features on its own payment or banking app, but it can’t control the security features of third-party browsers where many customers manage their online accounts.

Nevertheless, avoid clicking on links included in suspicious ads, email or text messages from unfamiliar sources. And Clyde recommends installing anti-virus software on your phone as an extra safeguard.

Human Error

Human error or carelessness has been cited as the number one contributor to security breaches. Hackers rely on human error when planning some form of cyber attack, as they count on users to click on insecure links, open emails containing security threats and accidentally download malware.

When it comes to protecting yourself against phishing, malware, and identity fraud, it almost always comes down to using common sense. As mentioned above, don’t click on any links in emails from unknown senders or sources, be vigilant with your passwords and how you store them. If you want to start using a mobile wallet, load your cards into your phone at home using your own private wifi. As this is password protected it is much safer than doing this at work or in public.

So, to help you avoid such a disaster, here are 9 safety steps for making secure mobile payments.

  1. Download mobile payment apps only from official stores such as Google Play and Apple Store.

  2. Before you download any app, verify the publisher. The ‘Top Developer’ badge (in Google Play) is usually a good sign that the app is safe. Read its user reviews and just Google “Is (app name) safe?”.

  3. Carefully read the permissions that the app asks for. If you think a mobile payment app is asking for more than what is required, do not install it. If you have any doubts regarding the permissions, just contact the app’s manufacturer via their Twitter handle.

  4. Never visit an online banking or shopping website by clicking on a link received in an email or text message.

  5. Always choose a strong password for accounts for net banking or online payment apps. It should be a mix of uppercase and lowercase letters and special characters.

  6. Do not use unsecured, public Wi-Fi networks for online banking or shopping. Doing so may let an attacker steal your information.

  7. Only use established and well-known websites for online shopping and paying for utilities.

  8. Ensure your banking transactions are OTP (one time password) enabled. When paying for a purchase through net banking or a debit/credit card, you will enter your login ID and password (or card details) and also an OTP (a code sent to your registered mobile number) before you can make the final payment. So, even if an attacker manages to steal your net banking/card details, the payment won’t go through without the OTP.

  9. Install a mobile security app that is built with multiple layers of security. The Quick Heal Total Security App comes with SafePe besides other advanced features. SafePe is especially designed to secure your financial information when you use mobile payment apps for online shopping, banking, paying bills, etc.

Conclusion

Mobile payment security concerns are still at large amongst businesses and consumers alike. However, with the correct education and proper training, mobile payments could see dramatic growth opportunities now and in the future. Retailers could finally, collectively, see the huge benefits of going cardless, cashless and paperless, if only to reduce queues at the counter.

Android is a Linux platform programmed with Java and enhanced with its own security mechanisms tuned for a mobile environment. As a developer writing for Android, you will need to consider how you will keep users safe as well as how to deal with constrained memory, processing and battery power. You must protect any data users input into their device with your application, and not allow malware to access the application’s special permissions. How you achieve this is partly related to which features of the platform you use.

Android Permissions Review

Applications need approval to do things their owner might object to, like sending SMS messages, using the camera or accessing the owner’s contact database. Android uses manifest permissions to track what the user allows applications to do. An application’s permission needs are expressed in its AndroidManifest.xml and the user agrees to them upon install.

Encrypt Data on External Storage

The internal storage capacity of an Android device is often limited. Therefore, at times, you might have no choice but to store sensitive data on external storage media, such as a removable SD card.

Because data on external storage media can be directly accessed by both users and other apps on the device, it is important that you store it in an encrypted format. One of the most popular encryption algorithms used by developers today is AES, short for Advanced Encryption Standard, with a key size of 256 bits.

Writing code to encrypt and decrypt your app's data using the javax.crypto package, which is included in the Android SDK, can be confusing. Therefore, most developers prefer using third party libraries, such as Facebook's Conceal library, which are usually much easier to work with.

Use Intents for IPC

Experienced programmers who are new to Android application development often try to use sockets, named pipes, or shared files to asynchronously communicate with other apps installed on an Android device. These approaches are not only hard and inelegant, but also prone to threats. An easier and more secure approach to interprocess communication on the Android operating system is to use intents.

To send data to a specific component of an app, you must create a new instance of the Intent class and use its setComponent() method to specify both the package name of the app and the name of the component. You can then add data to it using the putExtra() method.

Use HTTPS

All communications between your app and your servers must be over an HTTPS connection, preferably using the HttpsURLConnection class. If you think using HTTP for data that is not confidential is fine, think again.

Many Android users connect to several open Wi-Fi hotspots in public areas every day. Some of those hotspots could be malicious. A malicious hotspot can easily alter the contents of HTTP traffic to make your app behave in an unexpected manner, or worse still, inject ads or exploits into it.

Use GCM Instead of SMS

Back when GCM, short for Google Cloud Messaging, didn't exist, many developers were using SMS to push data from their servers to their apps. Today, this practice is largely gone.

If you are one of those developers who still hasn't made the switch from SMS to GCM, you must know that the SMS protocol is neither encrypted nor safe against spoofing attacks. What's more, an SMS can be read by any app on the user's device that has the READ_SMS permission.

GCM is a lot more secure and is the preferred way to push messages to an app because all GCM communications are encrypted. They are authenticated using regularly refreshed registration tokens on the client side and a unique API key on the server side.

Use ProGuard Before Publishing

Security measures built into an Android app can be severely compromised if attackers are able to get their hands on the source code. Before you publish your app, it is recommended to make use of a tool called ProGuard, which is included in the Android SDK, to obfuscate and minify source code.

Android Studio automatically includes ProGuard in the build process if the buildType is set to release. The default ProGuard configuration available in the Android SDK's proguard-android.txt file is sufficient for most apps. If you want to add custom rules to the configuration, you can do so inside a file named proguard-rules.pro, which is a part of every Android Studio project.

Conclusion

Android applications have their own identity enforced by the system. If you use one of these mechanisms you need to be sure you are talking to the right entity — you can usually validate it by knowing the permission associated with the right you are exercising. If you are exposing your application for programmatic access by others, make sure you enforce permissions so that unauthorized applications can’t get the user’s private data or abuse your program. Make your application's security as simple and clear as possible.
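As an added example tying together the manifest permissions described in the "Android Permissions Review" section and the permission enforcement called for here (this is not a fragment from the original post or any real project), the following AndroidManifest.xml shows an app that requests only what it needs and protects its one exported component with its own signature-level permission. Package, permission, authority and class names are placeholders.

```xml
<!-- Added example: AndroidManifest.xml for a hypothetical com.example.payapp. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.payapp">

    <!-- Request only what the app actually needs; the user agrees to this list. -->
    <uses-permission android:name="android.permission.INTERNET" />

    <!-- Define our own permission so that only apps signed with the same key as
         this app can ever be granted it (protectionLevel="signature"). -->
    <permission
        android:name="com.example.payapp.permission.READ_TOKENS"
        android:protectionLevel="signature" />

    <application android:label="PayApp">

        <!-- WEAK: exported with no permission, so any app on the device could
             query it for stored card tokens.
        <provider
            android:name=".TokenProvider"
            android:authorities="com.example.payapp.tokens"
            android:exported="true" />
        -->

        <!-- HARDENED: still reachable by a companion app signed with our key,
             but the system rejects every other caller before our code runs. -->
        <provider
            android:name=".TokenProvider"
            android:authorities="com.example.payapp.tokens"
            android:exported="true"
            android:permission="com.example.payapp.permission.READ_TOKENS" />

        <!-- Components used only inside this app should not be exported at all. -->
        <service
            android:name=".SyncService"
            android:exported="false" />
    </application>
</manifest>
```

Because the check is done by the system on the component's identity, it holds even if the calling app names the provider explicitly in an intent or content URI.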