To retain its leading position and meet customer demand, the bank continually created new apps and maintained existing ones. App identification and management became a difficult, if not impossible, task because the bank’s consumer banking groups, internal business units and institutional banking divisions created multiple apps. Additionally, external third parties were creating and releasing bank-branded apps to promote marketing events and sponsorships.

With this massive proliferation of apps, the bank did not know if the apps available in mobile app stores were legitimate or if they had gone through the proper security checks prior to release. Even one copycat or fraudulent app could compromise customer privacy or sensitive financial data and damage the bank’s reputation.

RiskIQ helps the bank establish a mobile app management program to protect customers from fraudulent interactions and data theft

In 2011, with the help of RiskIQ, the bank established a mobile app management program to create a dynamic inventory of known and unknown mobile assets and analyze them for threats and vulnerabilities.

“Major brands might not realize the volume of deals the company is involved with,” said the bank’s Director of Client Services and Digital Brand Protection. “A sporting event sponsorship might involve the creation of a third-party mobile app, which falls into a gray area of policy because we didn’t develop the program.”

RiskIQ continuously scans mobile app stores and apps to detect malware, application tampering, and brand impersonation, as well as to safeguard brand reputation
Using RiskIQ, the bank discovered apps based on keywords—in the app titles, descriptions, developer names and code. It also employed RiskIQ logo detection to identify mobile apps using its logos.

RiskIQ creates a dynamic inventory of known and unknown mobile assets to keep a pulse on the bank’s entire mobile app footprint

Presented with a complete set of app assets, the bank’s security team located each app’s business owners to verify security policy compliance and to confirm required security documentation before the apps’ release.

RiskIQ continues to tracks a variety of apps for the bank, including:

• New apps – RiskIQ monitors the spread of new apps through the app store ecosystem and verifies whether an app in a secondary store is the same as the one available on Google Play.
• App updates – When existing app updates are available, RiskIQ notifies the bank, to verify the legitimacy of these updates.
• Resolved apps – The bank is also notified when apps are no longer available in an app store.
• By using RiskIQ, the bank has received a robust, real-time footprint of its mobile app presence, for ease of continuous analysis to find threats and vulnerabilities. RiskIQ also protects the bank’s customers and employees from fraudulent interactions bearing its brand.

With RiskIQ, the bank created a dynamic mapping of its app presence, provided structure on how programs were deployed and discovered additional threats.

While the bank’s initial need was to control app distribution and exposure, the bank discovered additional use cases. By searching RiskIQ’s database for its brand names inside app descriptions, the bank identified potential threats posed by aggregator apps. Aggregator apps offering an aggregate view of customers’ financial positions are extremely risky because they collect login and password information for multiple bank and financial accounts and often store them insecurely on servers. If the servers are hacked, banking logins and password credentials could be sold underground, creating a risk for the bank.

During the next three years, the bank saw numerous other benefits, including staying abreast of emerging threats like malware and continuously monitoring apps to ensure that no updates contained malicious content.

Because RiskIQ continuously scans app stores for authorized and unauthorized apps associated with the bank, it gained visibility into more than 100 app stores and included these stores in the app discovery process. While the bank had solid relationships with official app stores, it started addressing the risk that secondary and affiliate app stores pose.

To further improve its program and measure success, the bank measured the time from malware event identification to event close to determine how quickly the team acted.

As a result, the bank can stand confidently behind named apps, knowing that those apps are bank-controlled and customer-safe.