Leading Neobanks like Revolut, Nubank, Starling Bank, and many others keep challenging the banking industry and setting new standards — but all these Neobanks have their own challenges to address, specifically when it comes to application security.
Note: As per the request of our clients, we have anonymized all company and personal names.
The Neobanking Model: From Innovation to Satisfaction
Neobanks defy traditional banking by betting everything on digital and delivering customer-centric services for payments and money management. Today, 73% of all consumer interactions with banks are done digitally. While traditional banks have invested in Web and mobile platforms, Neobanks release twice as many new features and three times more app updates per year. They also run 42% faster than incumbents. As a result, user satisfaction ratings for Neobanks in the US (90%) are much higher than those for traditional banks (66%).
Faster Development, Larger Attack Surface
Jscrambler x Neobanks: Managing Application Security
There was a high likelihood of having to run sensitive logic on the client side, so it became paramount to guarantee that this logic would be concealed with the most potent and resilient technology available today. Because reversing the concealed code manually would be extremely impractical for attackers, it was mandatory to ensure that automated reverse-engineering tools would always fail to reverse it as well. This goes hand in hand with the security recommendations from the OWASP Mobile Application Security Verification Standard (MASVS).
"We’re called “challenger banks” for a reason - one of our toughest challenges is still gaining customer trust. When handling their data, we can’t just meet the minimum requirements - we must excel at it and keep data safe at all costs."
"The concealed code looks like absolute nonsense and passed all of our tests. Being able to pick from dozens of well-documented transformations and fine-tune each one was very important."
Following obfuscation, these Neobanks leveraged an additional Jscrambler security layer, self-defending, to meet the challenges of preventing application tampering and client-side data exfiltration. With this runtime protection, their apps gained a series of integrity checks that detect every debugging attempt and also break the app whenever tampering occurs. Taking advantage of other client-side countermeasures, such as calling a custom function, has enabled these Neobanks to further stop malicious users.
Neobanks’ Security Engineers were well aware of the problem and the required steps for solving it. After the initial setup of their Jscrambler instance, it took on average 1 week and 2 meetings with Jscrambler’s Engineers to integrate Jscrambler seamlessly into their CI/CD pipeline. From there, Jscrambler became an automated part of their application build process.
5 Web and Mobile Applications secured in 1 week
"Today, not a single product ships without secure client-side logic - and this has been extremely effective."
In parallel, security teams were able to fulfill several security recommendations by OWASP, namely the OWASP Mobile Top 10, which states “in order to prevent effective reverse engineering, you must use an obfuscation tool” and “The app must be able to react appropriately at runtime to a code integrity violation”.
To maintain their edge in the banking race, Neobanks need to maintain the integrity and security of their applications. To do so, they need powerful enterprise-grade solutions that offer the flexibility and ease of implementation required to continue innovating at a fast pace.