Mobile Banking in Asia: 3 Key Imperatives for Ensuring Security, Compliance

Driven by gains in access and convenience, mobile banking is expected to continue rapidly growing in Asia, leading to more fraud attempts and government regulations. Learn more about the regional security frameworks and regulations designed to protect consumers.


Proliferation and Ubiquity of Mobile Banking Apps in Asia

The use of mobile apps has been growing at a rapid rate. In short order, these apps have revolutionized the way we live, work, and interact. From entertainment and communication to transportation and shopping, mobile technology has permeated almost every aspect of our daily lives. Banking is no exception. Once a niche service, mobile banking now forms a significant part of the financial services landscape—especially in Asia.

Take Singapore, for example. A staggering 89% of consumers in the country are now using mobile banking, according to recent data from Statista. Driven by gains in access and convenience, mobile banking is expected to continue to see rapid growth, particularly in regions where mobile solutions are emerging as the most effective way to reach a large, diverse population. Across Asia, KBV Research estimates that the mobile banking market will expand at a compound annual growth rate (CAGR) of more than 17% between 2024 and 2031.

Evolving Digital Services, Increasing Risks of Digital Banking

As digital banking services evolve, new players and innovative services continue to enter the market. A particularly noteworthy trend is the rise of “super apps”—platforms that began with a single core service but have expanded to offer a wide range of digital services. One of the most iconic examples of a super app is WeChat. Initially launched as a messaging app, WeChat has grown to become a one-stop shop for everything from digital payments to e-commerce, catering to over 1.2 billion users, primarily in China.

This shift towards super apps is not just limited to China, however. Throughout Asia, super apps like Grab in Singapore, Line in Thailand, GoTo in Indonesia, and Zalo in Vietnam appear poised to gain increased traction. These apps offer a rich ecosystem of services and an ease of customer experiences, making them incredibly appealing to users.

The continued innovations in fintech mobile apps, and mobile banking in particular, have ushered in compelling benefits to app providers and consumers alike. However, these evolving apps also present a significant security risk. With such vast amounts of data being handled, they have become prime targets for cybercriminals seeking to exploit vulnerabilities and perpetrate a range of nefarious objectives, including identity theft, fraud, espionage, and more.

Recent Incidents Underscore the Significant Risks

Several recent examples underscore the vulnerabilities posed by mobile banking apps, the devastating nature of breaches, and the corresponding urgency of securing mobile banking apps as well as devices.

For example, an auditing firm in Thailand was using a mobile banking app for core transactions, including employee payments, and experienced a breach. Within just 30 seconds of the attack, the firm experienced losses of 2 million Baht (approximately $60,000 USD).

Another example from Thailand comes from the app Fineasy. This fintech lending app was found to be installed on users’ phones without their knowledge. Users reported being unable to remove the app, and it was also found to access sensitive data, including contacts, and to send unsolicited notifications. Unsuspecting users who did take out a loan through the service were reportedly charged 40% interest, which is illegal in Thailand.

These incidents highlight the growing sophistication and risk of malicious mobile apps targeting consumers and businesses alike.

3 Key Imperatives for Mobile Banking App Providers in the Asian Market

#1. Guard Against Evolving, Increasingly Sophisticated Threats

As the use and number of digital banking platforms grow, so too do the threats targeting them. These apps are now exposed to a significant range of risks:

  • Data breaches. Sensitive financial data is a prime target for cybercriminals, and data breaches can lead to reputational damage, legal consequences, and significant financial losses.
  • Phishing attacks. Cybercriminals often use fraudulent emails or websites to trick users into providing login credentials, personal information, and financial data.
  • Identity theft. A common result of phishing or data breaches, identity theft can lead to considerable financial and reputational harm.
  • Ransomware. Through this type of attack, malicious actors lock up a company’s systems or data and demand payment for release. These attacks have had a devastating financial and operational impact on organizations in a wide range of industries and regions.
  • API vulnerabilities. Weaknesses in APIs, such as insufficient authentication and poor control over user permissions, can expose sensitive data to attackers.

#2. Comply with Evolving, Complex Regulations, Standards, and Laws

Financial institutions across Asia face an increasingly complex regulatory environment, with evolving rules aimed at protecting both consumer data and the integrity of financial systems. Here are some of the most prominent regulations:

Singapore’s Safe App Standard

Developed by the Cyber Security Agency of Singapore, the Safe App Standard sets out essential best practices for securing mobile apps. Guidelines are intended to help app developers and providers counter mobile malware and scam exploits in Singapore. The standard offers guidelines around high-risk scenarios, including account changes, such as adding third-party payees or increasing transfer limits; high-value transactions; or changes to app security configurations.

The standard covers such areas as authentication, storage, anti-tampering, cryptography, and code quality and exploit mitigation. In the area of code quality and exploit mitigation, the standard outlines such key efforts as enforcing application security updates, ensuring the integrity and availability of the app and its processes, and establishing secure dependencies, for example with software, platforms, and third parties.

The standard also covers techniques for preventing attackers from intercepting or modifying an app’s behavior at runtime, a practice known as hooking. It further provides detailed guidelines on managing inter-process communication (IPC) and underscores the importance of app security testing to verify that IPC mechanisms are securely implemented.

Malaysia’s Risk Management in Technology standard

The Risk Management in Technology standard is focused on the need for all financial institutions to implement robust risk management controls and establish a secure framework for technological innovations. This standard specifies the minimum standards that financial institutions in Malaysia must meet in order to mitigate technology risk. The standard details a number of measures required for keeping systems and customer information secure, including continuous assessments and dedicated programs for combating cyber attacks.

Risk Management in Technology includes detailed requirements around the control measures that need to be employed to secure mobile applications and devices. For example, the standard requires that organizations “design the mobile application to operate in a secure and tamper-proof environment within the mobile devices.”

Monetary Authority of Singapore (MAS) Requirements

The Monetary Authority of Singapore (MAS) is the central bank and financial regulator for the country. MAS provides detailed rules around governance, risk management, anti-money laundering, and more. The organization’s Technology Risk Management (TRM) Guidelines are a set of best practices that financial institutions in Singapore must follow. These guidelines cover such areas as data protection, user authentication, and overall app security.

The TRM Guidelines include many specific requirements for mobile application security, including protecting private cryptographic keys, implementing anti-tampering methods, employing application integrity checks, and establishing safeguards to protect against man-in-the-middle attacks.

In addition, MAS has issued several directives, including Notice #FSM-N06, “Notice on Cyber Hygiene.” This directive details the cybersecurity standards banks must adhere to, including securing administrative accounts, strengthening user authentication, and implementing anti-malware measures.

Asia-Pacific Economic Cooperation (APEC) Data Transfer Rules

The APEC Cross-border Privacy Enforcement Arrangement (CPEA) creates a framework for regional cooperation in the enforcement of privacy laws. This voluntary framework seeks to enable organizations from member countries to transfer data more seamlessly, while ensuring data protection. The framework requires appropriate measures to safeguard consumer information, including preventing loss and unauthorized access, processing, use, and disclosure.

CPEA is administered by the US Federal Trade Commission and the Personal Information Protection Commission of Japan. To date, participants include dozens of commissions and ministries, including from Australia, Canada, Chinese Taipei, Korea, Mexico, Philippines, and Singapore.

Indonesia’s OJK Regulations

OJK is the financial services authority in Indonesia and is responsible for creating and enforcing standards that apply across the financial services industry, including mobile banking apps and digital banking. OJK requires financial institutions to establish solid governance, risk management, and security measures.

These standards specify the need for customer data to be secured. Regulations require banks to conduct assessments of their risks and maturity, disclose their findings, and report on any cyber incidents. Under the standards, banks must do regular cyber security testing, including vulnerability analysis and scenario-based testing.

Personal Data Protection Acts (PDPA) in Singapore and Thailand

PDPAs have been implemented in Singapore and Thailand. Broadly, these acts provide rules around how organizations collect, use, provision, and handle personal data. Both acts require businesses to notify victims of data breaches and they impose penalties for non-compliance.

The Singapore act has requirements broken into three key categories with respect to personal data: collection, care, and individual autonomy. When it comes to how personal data is cared for, the act calls for protections that safeguard data from unauthorized access, collection, use, and disclosure.

Thailand’s PDPA also gives individuals rights over how their personal information is collected and used. The act applies to businesses that manage or access personal data of Thai citizens, whether those businesses are based inside or outside the country. Late in 2024, Thailand imposed its first fine under the rule. A private company was fined 7 million Thai Baht (more than $200,000) for a series of compliance failures.

#3. Prepare for a New Era of Accountability

Governments across Asia are starting to hold businesses accountable not only for preventing cyber incidents but also for addressing their impacts in the aftermath.

In Thailand, for example, the Minister of Digital Economy and Society announced plans for an executive order that would compel banks and mobile service providers to compensate victims of cyber scams.

Similarly, the MAS and Infocomm Media Development Authority (IMDA) have introduced a Shared Responsibility Framework, outlining specific cybersecurity duties that telecom companies and financial institutions, including banks and major payment service providers, must meet to prevent phishing and fraud. Further, this framework holds these organizations liable if they fail to uphold those responsibilities, requiring companies to compensate victims. The framework views financial institutions as having primary responsibility, being first in line to compensate victims if they breach their duties. If an unauthorized transaction occurs, and the organization is found to be out of compliance, that entity will be held responsible for bearing those losses.

The framework covers, for example, phishing scams that use digital links to drive targets to fake websites. Under the framework, financial institutions are responsible for implementing such measures as real-time alerts for potentially high-risk actions, fraud surveillance, and a cooling-off period that delays activities after a change, such as a new device being logged in.
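As an added example (not part of the original article, nor code from either framework), the following Python sketch shows how a banking back end could implement the high-risk-action controls that the Safe App Standard and the Shared Responsibility Framework describe: payee additions, transfer-limit increases, security-configuration changes and high-value transfers are classed as high-risk, raise a real-time alert, and are held during a cooling-off period after a new device logs in. The thresholds, action names and device registry are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds are assumptions for this example, not values from either framework.
HIGH_VALUE_THRESHOLD = 5_000                 # transfers at or above this are high-value
NEW_DEVICE_COOLING_OFF = timedelta(hours=12)
# Account changes the Safe App Standard lists as high-risk scenarios.
HIGH_RISK_ACTIONS = {"add_payee", "raise_transfer_limit", "change_security_config"}

@dataclass
class Request:
    user: str
    action: str            # "transfer" or one of HIGH_RISK_ACTIONS
    amount: float
    device_id: str
    at: datetime

@dataclass
class Decision:
    outcome: str                           # "allow", "delay" or "block"
    alert: bool                            # raise a real-time alert to the customer
    reason: str = ""
    release_at: Optional[datetime] = None  # when a delayed action may proceed

def is_high_risk(req: Request) -> bool:
    return req.action in HIGH_RISK_ACTIONS or (
        req.action == "transfer" and req.amount >= HIGH_VALUE_THRESHOLD)

def evaluate(req: Request, devices: dict) -> Decision:
    """devices maps (user, device_id) -> datetime of that device's first login."""
    first_login = devices.get((req.user, req.device_id))
    if first_login is None:                 # never seen: refuse and alert
        return Decision("block", True, "unregistered device")
    if not is_high_risk(req):
        return Decision("allow", False)
    cooling_off_ends = first_login + NEW_DEVICE_COOLING_OFF
    if req.at < cooling_off_ends:           # cooling-off still running: hold it
        return Decision("delay", True, "high-risk action on newly added device", cooling_off_ends)
    return Decision("allow", True, "high-risk action on established device")

def demo() -> list:
    # Constructed sample data: alice logged in from "new-phone" at 09:00 on 2024-06-01.
    devices = {("alice", "old-phone"): datetime(2024, 1, 1),
               ("alice", "new-phone"): datetime(2024, 6, 1, 9, 0)}
    t = datetime(2024, 6, 1, 10, 0)
    requests = [Request("alice", "add_payee", 0, "new-phone", t),          # within cooling-off
                Request("alice", "transfer", 50, "new-phone", t),          # low-risk
                Request("alice", "transfer", 9_000, "old-phone", t),       # high-value, old device
                Request("alice", "add_payee", 0, "stolen-phone", t),       # unknown device
                Request("alice", "add_payee", 0, "new-phone", t + timedelta(days=1))]
    return [(d.outcome, d.alert) for d in (evaluate(r, devices) for r in requests)]
```

`demo()` returns the (outcome, alert) pair for each sample request; a delayed decision also carries `release_at`, the time at which the held action can be resubmitted.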

How Quokka Can Help

As mobile apps become the primary method for purchases, banking, and investing across Asia, the need for robust security measures has never been more critical. To safeguard both consumer and corporate data, financial institutions must implement cutting-edge security solutions. This is where tools from Quokka—Q-mast and Q-scout—come in.

Q-mast: Revolutionizing Mobile App Security Testing

Q-mast is a mobile app security testing (MAST) solution designed for app developers. It enables them to incorporate MAST into their development process, ensuring that every app is built securely from the ground up. By automating security tests within the CI/CD pipeline, Q-mast provides detailed reports on potential threats, remediation suggestions, and pass/fail evidence. Thanks to its proprietary technology, the Q-mast analysis engine delivers deeper, more thorough inspection than any other MAST solution on the market.

Q-scout: Enhancing Security for Mobile Banking Apps

For financial firms in Asia, Q-scout offers advanced protection for bank employees. It scans both managed and personal apps for malicious behavior and enforces strict data transmission policies. For example, the solution can identify suspicious apps, such as those that attempt to obtain unnecessary permissions, collect excessive user data, or send data to problematic locations. In this way, the solution can help defend against malicious actors looking to collect data for spear phishing attacks, for example.

Additionally, Q-scout ensures compliance with industry standards, while maintaining privacy protections for employees and customers alike. The solution streamlines security management, making it an ideal solution for organizations looking to prioritize mobile security with minimal IT involvement.

Conclusion

The rapid growth of mobile banking in Asia presents immense opportunities but also significant risks. While digital services become more integrated into daily life, cybercriminals continue to employ more sophisticated and persistent attacks. Financial institutions must stay ahead of evolving risks by implementing robust security measures, complying with complex regulations, and embracing a new era of accountability.

Tools like Q-mast and Q-scout provide the security capabilities today’s financial services institutions need. With these solutions, organizations can establish strong safeguards around mobile apps and the sensitive data they handle, and teams can continue to deliver convenient mobile banking services without sacrificing security. To learn more about how Quokka can help, contact us.
