How to stop 6 common insurtech, mobile app security attacks

Customers queue outside the Apple Inc. store on Regent Street in London, U.K., on Friday, Sept. 24, 2021. Apple is releasing its iPhone 13 lineup on Friday, testing whether new camera technology and aggressive carrier deals will get shoppers to snap up a modest update of last year's model. Photographer: Chris Ratcliffe/Bloomberg

The future of insurance is clearly digital, and no one has bought into this more than consumers. J.D. Power, for example, found that usage of insurance mobile apps increased 26% in 2021 over 2020. Also, customer satisfaction was substantially higher across all measures among those who used insurers’ mobile apps. 

Digitally literate millennials are open to getting coverage from a non-traditional insurance provider, including insurtechs, according to research from Bain. Still, only about a quarter, 27%, of users are creating policies via a website or mobile app, so there’s plenty of room for growth in this burgeoning new space of insurtech. 

Unfortunately, as more consumers work with insurtechs and their mobile apps, these apps become more tempting targets for hackers. After all, these apps contain and manage sensitive information that criminals can use for fraud and other kinds of schemes. Breaches are already occurring — in 2019, State Farm experienced a credential stuffing attack that enabled hackers to access accounts. And governments are fining insurers for data breaches. Last year, for example, the New York Department of Financial Services fined Paul Revere Life Insurance Co. $1.8 million and National Securities Co. $3 million for breaches and non-compliance. 

Successful attacks not only result in fines; they can also serve as the basis for class action lawsuits, and the publicity surrounding a breach damages the company’s brand. So it’s in insurers’ and insurtechs’ interests to ensure that their mobile apps — a source of customer satisfaction and an avenue for growth — are secure.

There are myriad ways to attack a mobile app, but in my experience, there are six that are the most common. By securing mobile apps against them, insurers and insurtechs will go a long way towards protecting both policyholders and themselves.

1. Theft of policyholders’ personal information: Insurer and insurtech mobile apps hold a lot of personal information that’s extremely valuable to cybercriminals, including Social Security numbers, dates of birth, marital status, addresses, full names, driver’s license numbers, and even detailed information on vehicles such as the VIN and license plate number. It’s a treasure trove of data that can be used for all kinds of identity theft schemes.

The best way to protect this data is to encrypt it, using strong encryption such as AES-256. Encryption should also cover all API data, such as payloads, tokens, keys and URLs. Finally, don’t overlook data in the app sandbox and preferences; data in these locations also needs to be encrypted.

2. Location information: Many insurtech and insurance mobile apps track geolocation data. Some companies, such as Revolut, use a policyholder’s physical location to activate and deactivate coverage, while some auto insurance apps use it to monitor driving habits and offer discounts to safe drivers.

If a hacker can jailbreak or root a device, they gain higher privileges, which enables them to gain a great deal of control over an operating system and access geolocation data. Preventing this kind of attack requires enabling the app to detect when it’s running on a jailbroken or rooted device and then preventing it from continuing to operate in that environment. 

3. Data entry: It’s common for mobile malware to employ a trick known as an overlay, where a transparent or fake screen is presented to users so they believe they’re entering data into the insurance app, when in fact they’re interacting with the malware, which is harvesting their data. Malware keyloggers accomplish the same goal through different means. Mobile apps need to be able to detect overlay and keylogger attacks so they can shut down when one is active.

4. User transactions: Because many insurtech apps, such as Metromile and Lemonade, let users pay as they go and add coverage as they need it, these apps are targets for attacks on payment information. The most effective way to protect payment information, both stored on the device and in transit, is to comply with the Payment Card Industry Data Security Standard (PCI DSS). Non-compliance carries stiff penalties, including the loss of a company’s ability to accept card payments.

5. Reverse engineering: Cybercriminals routinely abuse the same dynamic and static analysis tools that defenders use to find mobile app security issues, in order to understand the app’s internal logic. With that knowledge, they can create trojans that look and feel like the real thing but wreak havoc on users’ devices and applications, and they can mount sophisticated and highly effective fraud and cyberattack campaigns.

Preventing reverse engineering requires obfuscating the binary code and its native and non-native libraries, and shielding the app with anti-debugging, anti-tampering and anti-reversing protections.

6. Networks: A significant number of insurtech and insurance apps transmit information over insecure protocols such as plain HTTP and TLS 1.1, which lets cybercriminals launch “man-in-the-middle” attacks on data in transit. Hackers can not only collect this information but also manipulate it. Protecting against these attacks requires securing app connections with TLS 1.3, enforcing the TLS version, validating and pinning server certificates, and detecting malicious proxies.
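As an added illustration that is not part of the original article, the Go program below shows what two of the controls just named look like in code: a TLS 1.3 version floor, and certificate pinning on the server’s public key, which is also how the substituted certificate of an interception proxy gets caught. Go stands in for the mobile TLS stack so the example runs anywhere; the host name and the self-signed certificate are constructed placeholders, not a real endpoint.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewServerCert builds a throwaway self-signed certificate standing in for the insurer's API host (constructed name).
func NewServerCert() tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"api.insurer.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// SPKIPin is the base64 SHA-256 of the leaf's SubjectPublicKeyInfo (the OkHttp/HPKP pin form); it survives renewal on the same key.
func SPKIPin(der []byte) string {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return "" // an unparsable leaf never matches a pin
	}
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinnedClient sets a TLS 1.3 floor and accepts only a pinned leaf key; InsecureSkipVerify here only hands verification to the callback and must never stand alone.
func PinnedClient(pins map[string]bool) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13, InsecureSkipVerify: true,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 || !pins[SPKIPin(raw[0])] {
				return errors.New("certificate pin mismatch: possible interception proxy")
			}
			return nil
		}}
}

func main() {
	srv := NewServerCert()
	cfg := PinnedClient(map[string]bool{SPKIPin(srv.Certificate[0]): true})
	// genuine server passes; a certificate issued for a different key (as a proxy would present) is rejected
	fmt.Println(cfg.VerifyPeerCertificate(srv.Certificate, nil), cfg.VerifyPeerCertificate(NewServerCert().Certificate, nil))
}
```

The same config is what you would hand to `tls.Dial` or an `http.Transport`; on Android and iOS the equivalent pin set and minimum version are declared in the platform’s network security configuration rather than in code like this.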

Mobile apps provide an incredible opportunity for growth, both for insurers and insurtechs. But unless these apps are secure, customers will be leery of using them, stunting potential. By implementing protections against these six threats, insurers and insurtechs can significantly increase the protection they provide to customers and themselves. 
