For several months, LCL customers were victims of bank fraud. In total, more than €300,000 was deducted from the victims' accounts.
Even now, months after the initial attack, the location of this money remains unknown. The attack method is still under investigation, but the combination of mobile app reverse engineering and phishing is a preliminary guess.
Nonetheless, some attack techniques that enable such incidents allow hackers to misuse customer personal information leaked elsewhere or to exploit simple flaws in mobile banking apps to display sensitive information. So the question is: how secure are European Mobile Banking Apps?
The French market lags behind other European countries. However, among the European leaders is Neuflize OBC (ABN AMRO), one of the top banks in France. The French podium also consists of Ma French Bank and CIC. Neuflize OBC performs significantly better than other French banks, primarily due to its protection against reverse engineering (root detection and code tampering detection).
Mobile applications are a new attack surface that many banks cannot yet protect. If a hacker succeeds in reverse engineering the underlying code of a mobile application, they can gain access to sensitive data hidden in that code.
Using the information obtained, hackers can further recover API keys and use them to attack back-end servers and compromise more user data. Let's look at an example.
In 2016, Tesco Bank in the United Kingdom was attacked by hackers reverse engineering both web and mobile apps to abuse customer credentials and communications. Despite the fact that security testing experts issued multiple warnings about the incident, Tesco Bank's omissions eventually resulted in the withdrawal of £2.26 million from over 9,000 accounts overnight. A fine of £16.4 million was imposed.
Stakeholders inside the bank receive phishing emails with attack sublayers or malware attached. When someone opens an attached document, it loads an underlayer or malware that gives hackers access to passwords, documents, transactions, and transfers.
The authority to approve transfers and manage ATMs may also be disclosed. In some cases, malware that combines Trojan horses and botnet attacks can allow an attacker to remotely control a bank's computer and handle malicious transactions.
Malware can be disguised in any way and often impersonates popular apps such as Netflix and WhatsApp. Its intended purpose also varies widely. A common malware attack is a banking Trojan that can spread via SMS and social engineering.
For example, the Marcher banking Trojan, also known as Exobot, phishes the target device. One of Exobot's attack layers is the overlay attack: it displays an overlay window in place of the expected screen, such as the login screen, to steal bank details. Target lists and fake bank-specific login pages can be updated from the dashboard backend panel, allowing attackers to adapt easily and scale up quickly.
It is very important to remember that each security layer is independent, but not mutually exclusive. Implementing security protection on one layer does not guarantee resistance to attacks on other layers. Hackers can always find the entry point unless all layers are fully protected.
Mobile applications are a completely different paradigm than web applications.
They have their own opportunities and risks. Protecting mobile applications is not an easy task. By automating binary security testing during the mobile application development phase, as new updates become available, mobile engineers can identify what needs to be protected. Here, DevOps becomes DevSecOps.
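As an added illustration (not eShard's or esChecker's code), here is one automated binary check of the kind described above: a build step that scans the packaged APK for credential-shaped strings, the sort of API keys that reverse engineering recovers from app code. The rule set, the function names and the sample artifact are assumptions made for this example.

```python
import io
import re
import zipfile

# Well-known credential formats; a real pipeline would carry a larger rule set.
RULES = {
    "aws-access-key-id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "google-api-key": re.compile(rb"AIza[0-9A-Za-z_\-]{35}"),
    "pem-private-key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

def scan_apk(apk_bytes: bytes) -> list[tuple[str, str, int]]:
    """Return (entry, rule, offset) for each credential-shaped byte string."""
    # Matching runs on raw bytes, so ASCII strings inside classes.dex are seen
    # as well as text assets. The matched value is never returned or logged.
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            blob = apk.read(entry)
            for rule, pattern in RULES.items():
                findings.extend((entry, rule, m.start()) for m in pattern.finditer(blob))
    return findings

def ci_gate(apk_bytes: bytes) -> int:
    """Exit status for a build step: 1 blocks the release, 0 lets it pass."""
    return 1 if scan_apk(apk_bytes) else 0

def build_sample_apk(with_secrets: bool = True) -> bytes:
    """Constructed stand-in for a build artifact; every value is fake."""
    dex = b"dex\n035\x00" + b"\x00" * 24
    config = b'{"maps_key": "'
    if with_secrets:
        dex += b"AKIAEXAMPLEEXAMPLE00\x00"
        config += b"AIza" + b"X" * 35
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", dex)
        apk.writestr("assets/config.json", config + b'"}')
    return buf.getvalue()

if __name__ == "__main__":
    for entry, rule, offset in scan_apk(build_sample_apk()):
        print(f"{entry}: {rule} at byte {offset}")
    raise SystemExit(ci_gate(build_sample_apk()))
```

A finding means the secret ships to every device that installs the app, so the fix is to move it server-side and rotate it, not to obfuscate the string.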
eShard has developed esChecker, an online tool that allows businesses to automate security testing of Android and iOS apps.
Do you need continuous testing integrated into the SDLC or as a one-shot test? esChecker helps you assess the potential risks of mobile applications.