Mobile banking apps now represent the front line of financial security as cyber criminals replace the likes of Bonnie Parker and Clyde Barrow.

Faye Dunaway and Warren Beatty in Bonnie & Clyde
Faye Dunaway and Warren Beatty seen here in a scene from Bonnie & Clyde are no longer representative of the biggest threat to banks.

Bank robberies and those who committed them used to make great material for the silver screen. From Warren Beatty and Faye Dunaway in Bonnie & Clyde to Al Pacino and John Cazale in Dog Day Afternoon right up to Robert de Niro and Val Kilmer in Heat, Hollywood has long been in love with the romantic notion of the bank robber.

Guns, gals and glamour have been hallmarks of these films with the ingenious ways the criminals come up with to steal the money being one of the most fascinating aspects of the films. The action in these films often reflected real-life crime, but that rich seam of material could soon be coming to an end.

As the revelation this week of a $45 million global cyber bank raid has shown, criminals who physically break into bank vaults or hold bank staff hostage are a dying breed, with the most potent weapon in a criminal's arsenal now being a computer and an internet connection.

The one thing which hasn't changed is where criminals will attack. They will follow the money and they will attack at where security is at its weakest. In the case of the ATM heist it was credit card processing companies but for a growing number of cyber criminals it is the apps we use every single day to check our bank balance, pay bills and transfer money.

Every major bank today has a mobile banking app allowing its customers access to their money on the go. Many are simply ported versions of the web-banking interface, but all offer the same functionality as you would get through your desktop PC.

Not all is well

And for the most part they work and more importantly they feel safe and secure. The app is "official", it forces you to enter all the identification you would through the browser, and the little padlock icon reassures you that all is well with the world.

The problem is - all is not well.

A recent survey suggests that of 30 of today's leading mobile banking apps, two-thirds of them are being deployed unprotected against reverse-engineering and tampering attacks.

It means cyber criminals can use any one of a range of freely available and easy-to-use tools to see how the app has been built, look for any vulnerabilities and exploit them. Even apps which have no vulnerabilities and have been coded perfectly are at risk, according to Arxan, a company which specialises in protecting such apps from attack.

Mark Noctor, Director of Sales EMEA at Arxan, which carried out the survey says this issue is not widely known:

"We have some [UK] customers who are aware of the problem but I don't think it's a widely understood problem. I mean it is for us obviously because we come from a defence background where we [are used to] protecting defence software in untrusted environments."

Particularly vulnerable

The process of reverse engineering an app is pretty simple. Once the criminals get hold of the app, simply by downloading it from an app store such as Apple's App Store of Google's Play Store, it can be reverse-engineered to its high-level source code in a process call decompilation.

This can be done using freely available tools, with Android apps being particularly vulnerable. However if you use an iPhone or iPad, then the threat is no less real. Cyber criminals can use a jailbroken iPhone to download the app and circumvent the protection provided by Apple's more-secure app environment.

Once the criminals have the source code, it is a relatively straightforward process to identify its critical data and use that to target customers.

Noctor says customers in the financial sector are slowly waking up to what a potential threat this is:

"Our banking customers are tracking [this problem] as something they are really worried about. What they are concerned about is somebody takes their app apart, rebuilds it, puts a piece of malware in the application and [it] sits there quietly and captures a PIN number. And then, while your phone is downstairs in the kitchen at night switched on, it is sitting there merrily firing money to somewhere else in an untraceable fashion."


Noctor says it is not necessarily the money itself which banks are worried about losing, as they have insurance to protect against that, it is losing the trust of their customers which is the biggest worry.

Arxan's technology is also used by the entertainment industry including major Hollywood studios to help protect their content from piracy and Noctor says they are at least 18 months ahead of the financial industry

One of the main reasons is that studios and production companies in Hollywood have an industry organisation, called Hollywood Studios, telling them "you will do this" and enforcing industry standards. There is however no such organisation for the financial sector and therein lies one of the main problems.

"The good news is that leaders in the financial services industry, including a couple of marquee name banks are now using our technology to secure mobile banking applications," Noctor said.

One customer in the UK, who Noctor would not name but said was a financial institution, has seen the light and is looking to lock down all its applications - both public facing and internal - "as hard as possible."

Dangerous and deranged

But it is not only the banking industry which needs to protect their apps from being reverse engineered. Large enterprises who allow employees access to corporate networks through apps are also in the firing line. If these apps are not "hardened" then criminals looking to get access to highly-valuable and sensitive intellectual property can easily see how the app works, and potentially capture login details of those using the apps.

It may not have the cinematic impact of Jimmy Cagney's deranged and dangerous Cody Jarrett shouting "Made it Ma! Top of the world" as everything around him explodes at the finale of White Heat, but the cyber-criminal facing a bank of screens watching as thousands of smartphones transfer money silently and efficiently into his account, could be a much more dangerous problem.