Page 159 - Cyber Defense eMagazine June 2024
• Second, your teams need to enable runtime visibility across various threat vectors, including device, network, application, and phishing. Many security and development teams are operating in the dark, with a limited understanding of the mobile threats targeting their applications on end-user devices in real time. Zimperium research found that most apps are largely non-compliant with the OWASP MASVS. To close this gap, real-time visibility is imperative for active identification and reporting of risks.
• Third, deploy on-device protection for real-time threat response. Once you have real-time threat visibility nailed down, it’s time for real-time response. The whole point of visibility is to respond to threats immediately, not hours or days later. This ability to take action should be autonomous, with no dependency on network connectivity or back-end server communication. Of course, the response will depend on the severity and context of the threat; it could include halting the application, changing its behavior dynamically, or redirecting the user to educational material.
• Lastly, it’s vital to invest attention and training in the consumer, educating them so that they don’t remain a weak point in organizational security. As users of your organization’s banking application, they need to be aware of the danger of granting too many permissions. Granting accessibility permissions without looking closely at what is being requested is risky, because these permissions give apps broad control over a device’s functions. One giveaway that an app is fake is that banking trojans usually ask for a large number of permissions and then exploit accessibility features to automate transactions, capture sensitive data (such as passwords), or overlay fake login screens on legitimate banking apps.
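The third and fourth points above meet in one concrete control: an app can check, locally and without any back-end round-trip, whether a third-party accessibility service is enabled before it shows a sensitive screen, and then halt, harden the screen, or steer the user to guidance on permissions. The following Android/Kotlin code is an added example written for this article; it is not Zimperium's code or a product SDK. The `RiskResponse` levels, the `strict` flag, and the `onEducate` callback are assumptions; the Android APIs used (`AccessibilityManager`, `PackageManager`, `FLAG_SECURE`) are real platform APIs.

```kotlin
// Added example (not from the article or from Zimperium): an on-device check an
// Android banking app can run before showing a sensitive screen. It lists the enabled
// accessibility services, treats any service not shipped by a system package as a
// risk signal, and applies a local response with no network dependency.
// RiskResponse, `strict` and `onEducate` are assumed, app-defined names.

import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager

// Assumed app-defined response levels, mirroring the article's "halt / change behavior / educate".
enum class RiskResponse { ALLOW, EDUCATE, HALT }

data class AccessibilityFinding(val packageName: String, val isSystemPackage: Boolean)

/** Lists every enabled accessibility service and whether it belongs to a system package. */
fun enabledAccessibilityServices(context: Context): List<AccessibilityFinding> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    val pm = context.packageManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .map { info ->
            val pkg = info.resolveInfo.serviceInfo.packageName
            val isSystem = try {
                (pm.getApplicationInfo(pkg, 0).flags and ApplicationInfo.FLAG_SYSTEM) != 0
            } catch (e: PackageManager.NameNotFoundException) {
                // On Android 11+ a package may be invisible without a <queries> declaration;
                // treat an unresolvable package conservatively as third-party.
                false
            }
            AccessibilityFinding(pkg, isSystem)
        }
}

/**
 * Decides the response purely on-device. A third-party accessibility service is not
 * proof of compromise (screen readers are legitimate), so the default is to educate;
 * `strict` is meant for the most sensitive flows, where the app halts instead.
 */
fun assessAccessibilityRisk(findings: List<AccessibilityFinding>, strict: Boolean): RiskResponse {
    val thirdParty = findings.filter { !it.isSystemPackage }
    return when {
        thirdParty.isEmpty() -> RiskResponse.ALLOW
        strict -> RiskResponse.HALT
        else -> RiskResponse.EDUCATE
    }
}

/**
 * Applies the decision on the calling screen. `onEducate` is an assumed callback that
 * navigates to the app's own guidance on why accessibility permissions are risky.
 */
fun protectSensitiveScreen(activity: Activity, strict: Boolean, onEducate: () -> Unit): RiskResponse {
    // Deny screenshots and screen recording of this screen (also blanks it in recents).
    // Note: FLAG_SECURE does not by itself prevent another app from drawing an overlay.
    activity.window.setFlags(
        WindowManager.LayoutParams.FLAG_SECURE,
        WindowManager.LayoutParams.FLAG_SECURE
    )
    val decision = assessAccessibilityRisk(enabledAccessibilityServices(activity), strict)
    when (decision) {
        RiskResponse.HALT -> activity.finish()   // halt the sensitive flow locally
        RiskResponse.EDUCATE -> onEducate()      // redirect the user to in-app education
        RiskResponse.ALLOW -> Unit
    }
    return decision
}

// Typical call from a payment or login Activity's onResume():
//   protectSensitiveScreen(this, strict = false) { startGuidanceScreen() }
```

The decision logic is deliberately separated from the Android calls so that `assessAccessibilityRisk` can be unit-tested with constructed findings, and so that the response policy (which flows are `strict`) can be tuned without touching the detection code. Logging the finding locally and reporting it when connectivity is available gives the runtime visibility the second point calls for, while the response itself never waits on that report.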
Attacks targeting mobile applications do share many similarities across industries, but as the security voice for your bank or financial institution, there are nuances in your industry that need to be top of mind. A truly mobile-powered business needs a mobile-first security strategy – and banking institutions that offer applications for their users or employees should stay alert to the tactics of banking trojans and financially motivated cyber criminals at all times.
About the Author
Krishna Vishnubhotla is a seasoned professional in the SaaS industry, specializing in catalyzing startup growth through adept product and marketing strategies. With a keen focus on mobile application security products, he has a proven track record in defining and executing product visions that drive significant revenue growth. In addition to managing a global customer success portfolio, he established high-value strategic partnerships. His leadership skills extend to spearheading revenue generation efforts, serving a diverse clientele across multiple industries.
Krishna can be reached online at his LinkedIn (https://www.linkedin.com/in/krishna-vishnubhotla/) and at his company website https://www.zimperium.com/.
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.