The impact of PSD2 on your financial app

PSD2 and what it means to your company
2019 is set to be a game-changing year for retail banking and FinTechs! As the PSD2 (Revised Payment Service Directive) becomes implemented and finally enforced on 14 September 2019, banks’ monopoly on their customer’s account information and payment services is becoming history.
In short, PSD2 enables both consumers and businesses, to use third-party providers to manage their finances. Soon you may be using your favorite social network to pay your bills, making peer-to-peer transfers and analyze your spending, while still having your money safely placed in your current bank account. PSD2 will fundamentally change the payments value chain and customer expectations.
Through PSD2, the European Commission aims to improve innovation, reinforce consumer protection and improve the security of internet payments and account access across the EU.

PSD2 and its implications on mobile security

The PSD2 guidelines set security requirements for payment services providers across the EU and will provide enhanced protection of EU consumers against payment fraud on the Internet. Specifically, the PSD2 security requirements for mobile apps are referred to in the Regulatory Technical Standards (RTS), for example, paragraph 26 and articles 9, 27 and 28.
RTS requires that the mobile app is running in a secure environment. This means that the integrity of the mobile device should be guaranteed and in case of compromise mitigation measures are taken. The same integrity and mitigation principles apply for the mobile app, too. Risk mitigation measures include the destruction, deactivation and revocation of the service. PSD2 also has a strong focus on data protection: data (e.g. certificates) shall be protected at rest, and when data flows between the mobile app and the service provider, the mobile apps should ensure the security of communication sessions and should avoid misdirection of communication.

Build38 makes your digital mobile channel PSD2 compliant
Your developers should focus on what they are best at: delivering business value, while Build38 provides mobile app security. Build38’s Trusted Application Kit (T.A.K) is a highly secure, holistic and easy to integrate mobile app security framework. It enables you to deliver PSD2 compliant mobile apps.
Build38’s approach to mobile app security is based on a unique triple-protection approach for compromise detection and continuous hardening: ensuring the integrity of device, app and security.
T.A.K can detect changes to the device’ secure execution environment, and in case of compromise or an ongoing attack, it can render its own function useless immediately. At the same time the app is secured by various In-App protection mechanisms, and while in use it is protected by RASP-technology (Runtime Application Self Protection). T.A.K protected data is never visible in clear nor can it be extracted from the device at runtime. When the same data is in motion the Secure Channel and Certificate Pinning prevent Man-in-the-middle (MITM) attacks.
It is Build38’s strong belief that in a changing digital landscape, app security isn’t a luxury. It is a necessity.
For more detailed information on Build38’s mobile app security please have a look at our whitepaper.

Build38 Recognized in Gartner 2019 Market Guide for In-App Protection

Munich, Germany, July 5, 2019 – Build38 GmbH, leading vendor of In-App protection and enabler of passwordless authentication solutions has been recognized as Representative Vendor in the Gartner July 2019 “Market Guide for In-App Protection” report. Gartner states, that “by 2022 at least 50% of successful attacks against clickjacking and mobile apps could have been prevented by using in-app protection.”

Build38’s Trusted Application Kit (T.A.K) secured mobile apps diagnose and protect themselves at runtime with Build38’s next generation RASP technology. T.A.K delivers valuable insights to service providers so that they can react on upcoming threats and fraud in real-time. To the end-user of your apps T.A.K remains invisible and non-intrusive, yet it gives your users a high level of trust and security.

T.A.K is a platform solution and an SDK for Android and iOS that allows a quick and easy development of highly secured and protected mobile apps. It is integrated into mobile apps within hours, therewith saves development costs and shortens the crucial time to launch the mobile app.

The Trusted Application Kit (T.A.K) is used globally and deployed by financial institutions, enterprise services, insurance companies, and the automotive industry.

Gartner recommendations is that “security and risk management leaders responsible for application security choose in-app protection for critical and high-value applications that run within untrusted environments and move software logic on the front end. The most common use cases will be mobile apps, single-page web apps (especially consumer-facing ones) and software on connected devices.”

“We hear almost daily that mobile apps need by far better protection than most people are aware of. We believe that Build38 helps customers to propel your app security to a new level of operational excellence. We believe this report acknowledges that In-App protection (application shielding) is a necessity to fight the growing numbers of attacks and fraud cases. We know that App security is not a luxury anymore, it is a must!” says Build38 CEO Dr. Christian Schlaeger. “We are convinced that our Trusted Application Kit, included in this Market Guide report is the most holistic solution in the market. We believe it provides a broad range of In-App protection features for the app and delivers risk- and fraud detection and prevention information to the service provider”.


Gartner subscribers may access the report here:

Gartner, Inc., "Market Guide for In-App Protection" by Dionisio Zumerle, Manjunath Bhat, 3 July 2019.

Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


About Build38

Build38 is a global provider of mobile application protection solutions. Its Trusted Application Kit (T.A.K) represents a new generation of app-hardening technologies that protects apps from known and unknown attacks and opens the market to new digital business models. Build38 protects applications across various industries including automotive, financial, public transport and health care. Build38 is headquartered in Munich with global offices in Barcelona and Singapore. The company is a spin out of Giesecke + Devrient and ranks among the best IT Security startups in Germany. For further information about Build38 visit


Lessons from Japan: Preventing Account Takeover through App Security

Recently, it has appeared on the news that one of the largest convenience store chains in Japan, that uses a mobile wallet in order to perform payments associated to a credit card, has suffered an attack that ended up in the total loss of 55 Million Yen by almost 1,000 users. Based on public information, it is believed the attack was based on an account takeover scheme. The attacker started a password recovery process that ended up in sending an email with a password reset link.

Apparently, the process was implemented in a way that the user had the option to send the reset link to an alternative email address than the one that was originally used to sign for the account. This is a very strange practice as generally when resetting your password you use some element as the original root-of-trust (the original email address) but in this case it seems that they were using some very basic information like birth date as the root-of-trust.

Even if there is no evidence that the Mobile App was compromised and if additional countermeasures would have prevented the attack, the question here is: Can we design a password reset mechanism that can overcome the flaws of current methods? Beside this particular news, we have heard of many cases of account takeovers by attackers using SIM Card replacement mechanisms, where the Service Provider has to rely on the Mobile Network Operator / Carrier of the user to do the right verification before providing a SIM Card replacement.

Solving the issue: What if the Service Provider didn’t have to rely on third parties for that?

That brings us to an improved flow for the password recovery mechanism. Imagine you have a Mobile Wallet that you use to make purchases and you have a Mobile App in your phone, protected by some kind of user verification, e.g. Fingerprint or FaceID. One day, you want to access your account from a website. Or you are asked to login again and you forgot your account password. In a current scenario, the user would request a password reset and a link would be sent to their Email that once clicked would be used to set a new password. An alternative would be an SMS to their phone number with the link or a code for the password reset.

In the improved scenario, the Mobile App on the phone is strongly linked to it. This means that it can’t be copied to a different phone, the keys stored can’t be compromised or the communication sniffed. We also don’t have any need to rely on an SMS, whose phone number may have been compromised by poor carrier KYC mechanisms to get a SIM Replacement, or Emails that may be have compromised in multiple ways. This would work as follows: I want to login through the website but I can’t remember my password. I click on recover password. The user is asked through the website to open their app on the phone, do user verification, e.g. Fingerprint, and once is verified the possibility to define a new password is shown on the website. In the case of someone trying to take over the account, once they request the reset password link they will not get through as the real user is not going to open the app and accept the reset of the account.

Actually, such a flow would go in the direction of the Payments Japan Association guidelines that "requires the operators of mobile payment services to confirm the linkage between the devices of users and apps downloaded on them to prevent unauthorized access."

In the case that the user forgets the password and loses access to their phone at the same time, a specific “Red” path for the user verification shall be established. The good thing is that in this scenario, if an attacker is pretending to have lost their phone and forgot the password of the user, the actual user could be alerted of this happening though a warning to the App on the legit mobile device, being able to inform the Service Provider that they have not initiated such a process and alerting the Service Provider that an attack is happening.

Thus, using a strong device binding and a hardened app we can solve many of the risks associated with online account takeovers. Build38, through its family of technologies under the Trusted Application Kit (T.A.K) is able to make Service Providers independent of security processes of others, e.g. Mobile Network Operators / Carriers, Email and ISP providers. Contact us to learn more about Build38 and how we can help you transform your Mobile Security!



Image by TheDigitalWay from Pixabay

Together stronger – Build38 helps fellow Insuretechs with Best in Class analytics and App security

Trust and Analytics are essential for Insuretechs – afterall this is what you sell. Trust is hard to generate – especially for young Insuretechs but for everyone in the industry easy to lose. Munich Insuretech Hub start-up Build38 focuses on trust in mobile Apps – the number one sales channels for the digital natives and is highly praised for its advanced technology, analytical skills and easy integration by Gartner and customers.


Build38’s head architect Marc Obrador on Wednesday started prepping fellow Insuretechs for the mobile market, dangers from hackers and attackers and gave a well-received lesson on countermeasures and design principals. Several case studies made the participants review their current strategy: misuse of your process interfaces by malicious attackers or the competition can render your service useless or cause financial damages. Like in the case of one platform app that didn’t secure its interfaces and let an attacker flood its platform with illegal orders to subscribed insurance companies. After trust was lost, so was the business case for this young company. Or when the competition took apart the source code of an app and stole company secrets on underwriting and calculations – another major blow to a young fintech that could have been prevented.

Build 38’s service is the Trusted Application Kit T.A.K ( ) that integrates in the app by design and secures code, IP, user data and compliant PSD 2 authentication. The server component gives you great analytics on an app level that let’s you market and control your services better and basically enhances your app to become “self-defending” against attackers and the competition. Marketeers love the insights they gain and because the SDK approach makes development faster, they can try out much more flavours and variances in less time.

As a special treat and to great applause from the teams, Build38 offered the solution free of charge to all fellow Insuretech Startups for the first year: “there is absolutely no reason why you publish an unsecure app”, says Build38 CEO and Co-Founder Dr. Christian Schlaeger. “T.A.K is fast and easy to integrate and lets you focus on the important stuff for your startup: business models and innovation. For us it is a moral obligation and part of the Munich team spirit to make T.A.K usable to every young company in the Munich Insuretech Hub – together we are stronger!”

Speakers at Cybersecurity Thailand, organised by ETDA, RSA Conference and CyberTech

Build38 was present at the Cybersecurity Thailand conference organised by ETDA, RSA Conference and CyberTech. We were invited to be speakers as part of the Start-up showcase in front of an auditory of 300+ people. Great feedback was received about the innovative showcase that Build38 brings to the table of Service Providers, e.g. Banks, Automakers, Transit operators, that want to go with a Mobile First approach.

Pedro Hernandez was part of the delegation and responsible to deliver the speech during the second day of the event that was profusely reported in Thai media. Many valuable leads and connections were established that will help bring our #buildonBuild38 motto to Thailand!


Speakers at the European Cyber Security Organisation event in Madrid, Spain

Dr. Christian Schläger was invited, as CEO of Build38, to be a speaker at the latest networking event between Cyber Security Start-ups and ecosystem leaders organised by the European Cyber Security Organisation, ECSO, with the support of the National Cyber Security Institute of Spain, INCIBE. The event took place last Tuesday 14th of May, at the venue of the Secretary of State for Digital Advancement in Madrid with a packed auditorium and back-to-back private discussions with selected partners. Build38 showcased the progress done so far and excited the attendees with the next steps and potential from the business side. Gracias Madrid and see you soon! #buildonBuild38

Talk to an Expert and Get T.A.K

Build38 cooperates with InsurTech Hub Munich

Build38 is proud to cooperate with the InsurTech Hub Munich as a technology partner bringing Mobile Security to InsurTechs. The InsurTech Hub Munich is an important entrepreneurial platform that attracts, inspires and organizes key individuals and disruptors from all industries and technologies to work together on breakthrough, innovative insurance products and services to revolutionize the future of the insurance sector. With this collaboration, Build38 strives to achieve the highest security standards for mobile devices and comprehensive applications to best protect highly sensitive data for mobile insurance and user authentication to meet the needs of the insurance industry.

Contact us

XPeng Motors using CyWall from Build38 to secure its Digital Car Key solution

CyWall, the Mobile Application Security solution from Build38 for the Chinese market, is part of the Digital Car Key solution provided to XPeng Motors in China by the Digital Security Solutions provider Giesecke+Devrient Mobile Security. CyWall provides a key aspect of the solution as it allows the mobile app used to interact with the vehicle to be running securely on virtually any smartphone, be it Android or iOS. Combined with the physical Secure Element sitting on the car and the back-end as the Key Management System, the solution is meeting all the security requirements of the most innovative car manufacturers and continues establishing the solution as the gold standard in the China Market for Digital Card Key.

CyWall is use-case agnostic and can be applied to multiple verticals, from Auto-makers to Health-care providers, going through Financial Services, Transportation and Transit… any Solution that has a mobile application as the end-point for the consumer can benefit from the security and insights provided by it. #buildonBuild38 and supercharge your solution offering!

Talk to an Expert and Get CyWall / T.A.K

Build38 will be at Infosecurity Europe London

Build38 will be in London at Infosecurity Europe, starting 2019|06|04 until 2019|06|04. Europe´s leading event on cyber security and information is bringing experts from business, tech and cyber communities together. Meet us at Booth L140 and learn more about our approach on protecting companies and individuals.

000 days 00 hours 00 minutes 00 seconds

Infosecurity Europe London

Build38 Partner at CIBI Day Munich

Build38 will join the 18th CIBI Innovation Day coming up March 21st. The CIBI Day 2019 will take place at HBW Conference Center in Build38’s German hometown Munich. Handpicked contributors are invited to discuss the future of the finance and payment sector in the digital age. Host of the event is the IBI Network. As a new partner of the IBI Network Build38 gets to establish the relationship with the University of Regensburg and leading companies in the German banking industry.

000 days 00 hours 00 minutes 00 seconds

CIBI Day 2019 Munich