The complex relationship between cyber security and UX – Interview with Promon

Welcome to our blog post, where we present an insightful interview on the supposed clash between cyber security and user experience (UX).

In this discussion, I, Michał Sorbet, represent Finanteq. We are a Polish software and consulting company with an exclusive focus on mobile finance. Joining me is Jan Vidar Krey, the Head of Development at Promon, a Scandinavian company that provides app security software.

Get ready for an exciting read filled with valuable insights from industry experts.

Michał Sorbet: To provide a background to our readers: our two companies have been cooperating for some time already. And when we look back at the reasons why such cooperation even started, it would be the willingness to provide not only the best and most innovative mobile solutions for banking but also to provide the highest level of security, both from the bank’s perspective as well as from the end user’s point of view.

And so this shared aim brought us together, and this is also the reason why we are meeting and talking today. We would like to raise an interesting subject, which is the supposed clash and opposition between user experience (how a user interacts with and experiences a mobile banking application) and cyber security.

Security is often perceived as a hindrance. Therefore, the trick is not only to protect the customer by using different types of solutions but to do so in a way that doesn’t affect customer satisfaction.

Looking from the bank’s perspective, security is very often the brake on change. But should it be perceived in such a way, in your opinion?

Jan Vidar Krey: That’s a good question. I think there are numerous perspectives when it comes to security and finding a trade-off between having good security and ensuring a seamless user experience. UX can cover various aspects, such as navigating through multiple steps to accomplish a task, incorporating additional security mechanisms, or even potentially experiencing performance degradation. However, I believe that viewing it as a binary choice, where one must sacrifice one for the other, is not entirely accurate.

In reality, it is possible to enhance security while simultaneously improving the user experience to a certain extent, depending on the specific objectives of the project. It requires careful design and consideration in finding the right balance between these two aspects.

MS: OK. So the perceived clash between the two is only illusory. In fact, both cyber security and user experience are crucial elements in designing any mobile application. This is also something that end users desire. They want to use secure applications without any fear. They seek simplicity, an appealing interface, and, most importantly, trust. Simplicity is important, as is the overall appearance, but trust is equally vital for clients.

JV: Absolutely. I think it’s worth adding a bit more flavour to it. Around 15 years ago, when you wanted to access your bank online, the recommendation was to ensure you had antivirus software installed on your computer. This was because, without it, there was a risk of various security issues. Additionally, you might have needed an external hardware token for authentication or relied on SMS codes on your phone. These extra steps improved security but came at the expense of usability and user experience.

However, today, we can develop applications that integrate these security measures seamlessly within the app itself. This means users don’t have to go through those manual steps, resulting in a much-improved overall experience while maintaining a high level of security.

MS: That’s 100% true. You’ve touched also on an interesting point regarding the evolution of technology and the various approaches to security and authentication in mobile banking systems. Technology progresses rapidly, and new methods for authentication and securing mobile apps are constantly being developed. While these advancements facilitate user convenience, they also introduce new avenues for potential attacks.

The continuous development of technology not only offers potential benefits but also poses threats. Cybercriminals are always on the lookout for security vulnerabilities and exploit various entry points to target users. It becomes crucial, therefore, to stay updated in the cyber security race and strike a balance between user experience and cyber security.

Speaking of the current state of this technological race, are we witnessing a rise in attacks against mobile apps, or are the rates relatively constant?

JV: I would say that it is indeed on the rise. However, it’s not as severe as in certain other similar areas. When we look at the historical context, there have always been risks associated with mobile applications. Nowadays, with the increased functionality and capabilities of these apps, having a compromised banking or payment application can expose users to various risks. It can also result in reputational damage and other types of risks for companies, especially banks.

While mobile devices are relatively secure by default, they are still attractive targets for attackers. Although there are some types of malware that can be encountered, there are also more targeted attacks, such as attempts to modify applications. This highlights an interesting approach that attackers take to gain unauthorized access to sensitive data.

Overall, it’s crucial to remain vigilant and proactive in addressing these evolving threats and securing user data.

MS: A few years back, when looking at the banking systems, almost all technological attacks targeted web systems. They weren’t targeting mobile banking apps because those were nonexistent or rare. But nowadays, the number of transactions and people using mobile apps is significantly higher than a few years ago. So this is becoming, or already is, a very important part of the banking sector, and each bank should be extremely engaged in providing solutions not only for the web but also for mobile.

So how is it from your point of view? Is the mobile danger nowadays bigger than the web danger, or is it still at the same level?

JV: No, I believe web-based dangers are probably a greater concern. When you run an application inside a browser, whether it’s on a desktop computer or a mobile device, the complexity increases significantly. There are numerous attack vectors that can be exploited in web applications. However, mobile applications are typically more locked down and operate within a sandbox environment, which helps prevent many of these concerns from arising in the first place.

MS: Okay, but mobile applications continue to be extremely popular nowadays and will likely remain so in the future. It’s essential for users to ensure the security of their devices, not only from the perspective of banks but also from the standpoint of clients. However, it’s not enough for banks to simply provide a banking application and shift the responsibility of device security entirely onto the client.

That’s why banks must take steps to ensure that their applications are well protected. This is where Promon comes in, providing additional layers of protection. So, how exactly does Promon work? It’s a fundamental question that we can delve into at this point.

JV: What we can do is implement an additional layer of sandboxing around your application process. This means that we carefully verify every action the application is intended to perform and ensure that it remains within those boundaries. By doing so, we prevent any unauthorized tampering or manipulation of your application. In essence, that’s what we do. Of course, there are various methods and considerations involved in achieving this level of protection, but that’s the short answer.

MS: There’s the short answer, but it doesn’t explain everything, because the main topic we are discussing today is the way security interacts with user experience.

While we can develop highly complex and secure methods to protect our mobile applications, the crucial aspect is to implement this protection in a way that doesn’t become a hindrance or becomes uncomfortable when using the application. This raises the question: How does Promon work? We know it’s secure, but is it also user-friendly?

JV: From my point of view, our goal is to add an additional layer of protection to the application without changing the way it is working in the first place.

We aim to be completely invisible to the end user, ensuring there is no noticeable difference in behaviour whether the application is protected with our shield technology or not.

There is a slight performance delay of a few hundred milliseconds during the initial launch of the application, but apart from that, there is no measurable or noticeable impact from the user’s point of view. That’s the main takeaway.

Of course, in certain cases where a device is compromised, such as a jailbroken device with malware installed, our technology will block the application and prevent its usage. However, this is not something that occurs accidentally. It only happens on devices that have been intentionally modified in a way that our technology recognizes as insecure. Regular users would not encounter this situation.

MS: In fact, during the normal usage of the mobile application, with Promon running in the background, the user won’t even notice its presence as it works to protect them.

JV: Correct.

MS: OK, you mentioned jailbreak and malware, so we already know that Promon operates discreetly in the background without the user noticing any impact on the way their device works. But what exactly does Promon protect against? Are there other dangerous forms of attacks that it safeguards against in addition to jailbreak?

JV: So, I think jailbreaks, as we typically call them on iOS, or rooting on Android devices, are methods to achieve similar outcomes. It’s not really an attack on the application itself but more about circumventing the natural sandboxing on the device.

By default, applications are sandboxed to prevent other applications from modifying or interacting with them in certain ways. However, if your device is jailbroken or rooted, that guarantee no longer applies. Although it doesn’t directly pose a security threat to the application, it often indicates potential risks.

There might be other associated risks with jailbreaking or rooting. Being able to determine if a device is jailbroken or rooted is definitely a risk because it opens up the possibility of tampering with various resources of the application. The actual risk arises when someone actively interacts with the application and modifies its integrity.

Detecting compromised sandboxes or real-time tampering is essential. We can identify situations where the sandbox is compromised and when someone is actively tampering with the application. This is a threat that should be taken seriously. Hooking frameworks can accomplish this, either on a jailbroken device or by directly modifying the application. By changing the application’s logic while it’s running, I can compare it to playing a harmless prank like altering a contact list. However, if the application is altered to redirect payments to someone else, it becomes a serious threat.

Access to the process allows attackers to engage in such activities. Another common way to assess Android malware is by examining its behaviour. Some malware requires user manipulation, tricking them into enabling the malware as an accessibility service. Once enabled, the malware operates in the background, capturing screen contents and interacting with applications discreetly. This means that all your actions within the application can be recorded and manipulated. Attackers can redirect funds or modify transaction amounts using this approach.

MS: OK, and how about the keyloggers, for instance?

JV: I think that the accessibility service can provide a similar experience to a keylogger by reading all the input values entered into the application and potentially modifying them.

Additionally, if you decide to install a third-party keyboard because you prefer its colour or layout, you should be cautious. When you install such a keyboard, it has the capability to record everything you type and transmit it to an unknown destination. This poses a risk, so it’s important to be able to determine whether this is happening and to have an allowed list of approved keyboards for use with the application.

MS: OK. Thank you for the explanation. I assume that you frequently conduct analyses on the current state of security in market-available applications, particularly banking applications. Are these applications adequately protected against the risks you mentioned, or is there still room for improvement that banks need to address?

JV: Yes, we do conduct regular analyses of applications, and in fact, we have the App Threat Report from the end of 2022. In that report, we specifically focused on banking, payment, and financial apps. We examined whether these apps had any form of protection. Our approach was quite basic. We assessed whether it was possible to modify the application and whether it would still function properly after modification. To do this, we obtained the application directly from Google Play, unpacked it, made changes, and then installed it on our own device. We observed whether the modified application still worked and provided the same functionality as before.

What we discovered was that out of all the applications we tested (which included the top 100 global finance apps), approximately 50% of them continued to work without any issues after modification. We further categorized the apps based on their level of protection, finding that some applications had more safeguards in place than others. However, overall, around half of the tested applications had no protection whatsoever against these types of attacks.

This finding indicates that these applications are completely vulnerable to such attacks.

MS: And it’s important to emphasize that these are applications available in stores, downloaded by clients every day, and used by those clients on a daily basis.

JV: Yes.

MS: Right, there is still much work to be done to enhance security. I also wanted to discuss Promon’s broad scope of activities, as it extends beyond the financial institutions’ sector. You provide security for various types of applications, not just limited to financial ones. Do you notice any notable differences in protecting financial applications compared to applications from other sectors?

JV: I believe that the technology, from our perspective, is quite similar, but the incentives and what we aim to protect vary depending on the market and specific applications. Let me give you an example that I often use when discussing this topic. If you consider installing a banking application on your mobile phone for your regular everyday banking needs, the incentives for hacking this application are relatively low. Hacking or modifying your own banking application doesn’t grant you sudden access to additional funds because these applications typically work with a backend server where you have limited access, even if you modify the app itself.

On the other hand, let’s say you’re looking to hack a streaming application, such as your favourite movie streaming service or a game that includes annoying advertisements or commercials. In this case, if you can find a way to avoid watching those commercials or ads, you gain something. You have an incentive to do so, which also affects the game developer’s revenue. The technology can prevent both scenarios using similar techniques and technology, but the incentives and what needs protection differ based on user desires.

MS: Sure. When it comes to financial matters, during conversations with customers, they often express a keen interest in implementing secure solutions and additional layers of protection for their clients. However, they also have concerns that such measures may come with a high cost and be financially burdensome. How would you evaluate this? Should cyber security be assessed primarily based on costs, or should it be viewed as an expense versus an investment? This perspective offers an intriguing viewpoint as well.

JV: Yeah, that’s a good question. I personally see it as an additional level of insurance. The thing with insurance is that it may seem like an expense until the moment you actually need it. It’s often a cost that is visible upfront until you find yourself in a challenging situation and require protection. From that perspective, I consider it more of an investment.

MS: An investment, yes, and from the perspective of banks or any firm, it’s not just about potential financial losses but also the potential loss of reputation. Attacks can vary in scale and have different consequences. Based on your experience, is reputation protection an important factor for firms? While some firms may not be financially limited and can allocate any amount of money to security, are they more concerned about security itself or protecting their reputation?

JV: I believe that when it comes to financial institutions, there are three main factors that determine their investment in security. These factors can be categorized as follows:

  1. Concern for reputation: Financial institutions may fear the loss of their reputation, which is a valid concern. If a significant amount of money or a large number of customers are lost due to inadequate security measures, it becomes a genuine problem for the institution.
  2. Regulatory compliance: Certain banking regulations or even international law may require specific levels of protection. Regardless of the institution’s concern for reputation or its desire for enhanced security, compliance with these regulations becomes a visible and non-negotiable requirement, particularly in Europe and Asia.
  3. Pursuit of the best security solution: Some banks prioritize implementing the best security solution available, usually alongside the factors above.

MS: So this leads us to the conclusion that security should not be seen as a costly burden but rather as something that provides both the client and the end user with a sense of security without compromising the user experience.

It’s important to emphasize that security measures should not hinder the overall satisfaction of using the application. Additionally, we must remember that even with the best level of protection, clients should use the application responsibly and exercise common sense, as no amount of security can fully substitute for the prudent usage of any application.

JV: Indeed.

MS: All right, Jan Vidar. Thank you a lot for this very interesting conversation. Thank you a lot for your time and valuable insights. We covered a wide range of interesting points during this talk.

If any further questions arise or you are interested in exploring the solutions offered by Promon, please don’t hesitate to reach out to us. I highly recommend visiting both of our companies’ websites and following us on social media for more information. Once again, thank you sincerely for being a part of this conversation.

Written by Michał Sorbet, Business Development Manager at FINANTEQ