Mobile Banking Security Weekly #2

· Khoi Van

🔴 Critical Updates

16KB PAGE SIZE MANDATE · CRITICAL
Google Play requirement for all apps with native code
Deadline: November 1, 2025

iOS 18.6.2 ZERO-DAY · CRITICAL
CVE-2025-43300 actively exploited
Update immediately


🤖 Android

16KB Page Size Requirement · NEW

CRITICAL Deadline: November 1, 2025

Starting November 1, 2025, all new apps and app updates submitted to Google Play that target Android 15 (API 35)+ and ship native code (.so libraries) must support 16KB page sizes. Submissions whose ELF segments are still 4KB-aligned will be blocked.

Why This Matters:

  • Modern devices with 12GB+ RAM adopting 16KB pages for performance
  • 3-30% faster app launches, 4.5% battery improvement
  • 8% faster boot times, 4.5-6.6% faster camera starts

Impact: Build pipeline, NDK libraries, Payment SDKs

Immediate Actions:

  • Enable 16KB page size emulator for testing
  • Rebuild all NDK libraries with NDK r28+ (16KB-aligned by default) or pass -Wl,-z,max-page-size=16384 on older NDKs
  • Update third-party SDKs to 16KB-compatible versions
  • Run APK Analyzer in Android Studio 2025.1.2

Test Matrix: Android 15+ with 16KB page configuration
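The fastest way to find the offending library before Play rejects the build is to read the ELF program headers yourself. The following is an added example for this newsletter, not Google's own check_elf_alignment.sh: it unzips an APK, parses each ELF64 `lib/<abi>/*.so`, and requires every PT_LOAD segment to have `p_align >= 0x4000`. The APK and the two ELF images it contains are constructed inline so the script runs offline; real libraries have many more segments, but the rule is the same.

```python
"""Check whether the shared libraries in an APK are aligned for 16 KB pages.

Added example for this newsletter, not Google's check_elf_alignment.sh.
It parses each ELF64 program header table and requires every PT_LOAD
segment to have p_align >= 0x4000 (16 KiB). A constructed minimal ELF
image is included so the script runs offline.
"""
import io
import struct
import zipfile

PT_LOAD = 1
PAGE_16K = 0x4000


def load_alignments(elf: bytes) -> list[int]:
    """Return p_align of every PT_LOAD segment in a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2:
        raise ValueError("only ELF64 is handled here")
    # e_phoff (u64 at 0x20), e_phentsize (u16 at 0x36), e_phnum (u16 at 0x38)
    phoff = struct.unpack_from("<Q", elf, 0x20)[0]
    phentsize, phnum = struct.unpack_from("<HH", elf, 0x36)
    aligns = []
    for i in range(phnum):
        off = phoff + i * phentsize
        # Elf64_Phdr: p_type u32, p_flags u32, then p_offset, p_vaddr, p_paddr,
        # p_filesz, p_memsz, p_align as u64
        p_type, _flags, *_rest, p_align = struct.unpack_from("<IIQQQQQQ", elf, off)
        if p_type == PT_LOAD:
            aligns.append(p_align)
    return aligns


def is_16k_compatible(elf: bytes) -> bool:
    """True only if the library has at least one PT_LOAD and all are 16 KB-aligned."""
    aligns = load_alignments(elf)
    return bool(aligns) and all(a >= PAGE_16K for a in aligns)


def check_apk(apk_bytes: bytes) -> dict[str, bool]:
    """Map every lib/<abi>/*.so in the APK to True (16 KB-aligned) or False."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                results[name] = is_16k_compatible(zf.read(name))
    return results


def make_fake_elf(load_align: int) -> bytes:
    """Constructed ELF64 image with one PT_LOAD segment; not a real library."""
    ehdr = bytearray(64)
    ehdr[:4] = b"\x7fELF"
    ehdr[4] = 2                                # ELFCLASS64
    ehdr[5] = 1                                # little-endian
    struct.pack_into("<H", ehdr, 0x10, 3)      # e_type = ET_DYN
    struct.pack_into("<H", ehdr, 0x12, 0xB7)   # e_machine = AArch64
    struct.pack_into("<Q", ehdr, 0x20, 64)     # e_phoff: right after the header
    struct.pack_into("<H", ehdr, 0x34, 64)     # e_ehsize
    struct.pack_into("<H", ehdr, 0x36, 56)     # e_phentsize
    struct.pack_into("<H", ehdr, 0x38, 1)      # e_phnum
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, 0x1000, 0x1000, load_align)
    return bytes(ehdr) + phdr


def make_fake_apk() -> bytes:
    """Constructed APK with one compliant and one non-compliant library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/arm64-v8a/libpayments.so", make_fake_elf(0x4000))
        zf.writestr("lib/arm64-v8a/liblegacy.so", make_fake_elf(0x1000))
    return buf.getvalue()


if __name__ == "__main__":
    for lib, ok in check_apk(make_fake_apk()).items():
        verdict = "OK (16 KB)" if ok else "NOT ALIGNED - relink with -Wl,-z,max-page-size=16384"
        print(f"{lib}: {verdict}")
```

Point it at the real release APK to get a per-library list; a third-party payment SDK that shows up as NOT ALIGNED needs a vendor update, not a linker flag on your side. Google's script additionally checks the zip-level alignment of uncompressed libraries (`zipalign -P 16`), which this example does not cover.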

Play Billing Library v7 Requirement

HIGH Deadline: November 1, 2025

Play Billing Library v5/v6 deprecated. Upgrade to v7.x required for all payment flows.

Impact: In-app purchases, Subscription management

Actions:

  • Migrate from com.android.billingclient:billing:6.x to 7.x
  • Test purchase flows on production track
  • Verify subscription upgrade/downgrade scenarios

Test Matrix: Android API 29-36 with PBL v7

Chrome/WebView 140 Early Stable

MEDIUM Rolling out: August 27, 2025

Chrome 140 introduces Local Network Access permission requirements. Embedded web flows that fetch from loopback or private-range addresses (local OAuth listeners, internal APIs, on-device agents) are the ones affected; a purely public OAuth/SSO round trip is not.

Key Changes:

  • Permission prompt before a page fetches from a private-range or loopback address
  • Applies when the target is more private than the requesting page (public → local or loopback, local → loopback)
  • Closes the CSRF-style hole where any public page could hit routers, printers and localhost services

Impact: SSO/OAuth, 3DS WebView, Internal APIs

Actions:

  • Test OAuth/SSO and 3DS flows in WebView 140, especially any step that fetches from 127.0.0.1 or a private-range host
  • Inventory every loopback/private-range endpoint the embedded web content calls; those are the requests that will prompt
  • Update network permission manifests
  • Monitor crash reports after auto-update

Test Matrix: Android API 29-36 / WebView 140.x


🍎 iOS

iOS 18.6.2 Zero-Day Patch

CRITICAL CVE-2025-43300 (CVSS 8.8)

Out-of-bounds write in ImageIO. Apple's advisory says processing a malicious image file may result in memory corruption, and that the bug was used in an extremely sophisticated attack against specific targeted individuals. A controlled write in an image decoder is the usual first step to code execution, so treat it as RCE-grade even though Apple does not use that word.

Attack Vector: Malicious images via email/messaging/web

Impact: Camera/KYC flows, Document scanning, Profile uploads

Immediate Actions:

  • Update all test devices to iOS 18.6.2
  • Review image processing pipelines
  • Test camera/document capture flows
  • Monitor ImageIO crash signatures

Test Matrix: iOS 18.6.2 / WKWebView 18.6.x
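"Monitor ImageIO crash signatures" is only actionable if the triage is automated. The script below is an added example for this newsletter, not Apple tooling: it reads the legacy text form of an iOS crash report, pulls the exception type and the crashed thread's frames, and flags reports where a memory-corruption exception lands in ImageIO or the codec frameworks it calls. Both crash reports are constructed; the binary names follow what real reports show, the addresses and offsets do not come from any device.

```python
"""Triage iOS crash reports for ImageIO memory-corruption signatures.

Added example for this newsletter, not Apple tooling. It scans the legacy
text form of a crash report for a memory-corruption exception type and
checks whether the crashed thread's top frames are in ImageIO (or the
image frameworks it calls into). The crash reports below are constructed.
"""
import re

MEMORY_CORRUPTION_EXCEPTIONS = {"EXC_BAD_ACCESS"}
# Starting set; extend with whatever codec binaries show up in your own fleet.
IMAGE_CODEC_BINARIES = {"ImageIO", "AppleJPEG", "CoreGraphics"}
# "<index>  <binary>  <address> ..." as printed for each stack frame
FRAME_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)")


def parse_crash_report(text: str) -> dict:
    """Return the exception type and the crashed thread's frames as (binary, address)."""
    exception_type = None
    frames = []
    in_crashed = False
    for line in text.splitlines():
        if line.startswith("Exception Type:"):
            # "Exception Type:  EXC_BAD_ACCESS (SIGSEGV)" -> "EXC_BAD_ACCESS"
            exception_type = line.split(":", 1)[1].strip().split()[0]
        elif re.match(r"^Thread \d+ Crashed:", line):
            in_crashed = True
        elif in_crashed:
            m = FRAME_RE.match(line)
            if m:
                frames.append((m.group(2), m.group(3)))
            elif frames:
                in_crashed = False  # blank line or next thread header ends the block
    return {"exception_type": exception_type, "frames": frames}


def is_imageio_corruption(text: str, top_n: int = 4) -> bool:
    """True if a memory-corruption crash has an image codec in its top frames."""
    report = parse_crash_report(text)
    if report["exception_type"] not in MEMORY_CORRUPTION_EXCEPTIONS:
        return False
    return any(binary in IMAGE_CODEC_BINARIES for binary, _ in report["frames"][:top_n])


# Constructed report: a decoder fault while the app is in a KYC capture flow.
SAMPLE_CRASH = """\
Incident Identifier: 00000000-0000-0000-0000-000000000000
Process:             BankApp [1234]
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000010

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0:
0   libsystem_kernel.dylib          0x00000001c0000000 mach_msg2_trap + 8
1   CoreFoundation                  0x00000001a0000100 __CFRunLoopRun + 1200

Thread 3 Crashed:
0   ImageIO                         0x00000001a1b00100 0x1a1a00000 + 1049856
1   ImageIO                         0x00000001a1b00200 0x1a1a00000 + 1050112
2   CoreGraphics                    0x00000001a2000300 0x1a2000000 + 768
3   UIKitCore                       0x00000001a3000400 0x1a3000000 + 1024
4   BankApp                         0x0000000100001000 0x100000000 + 4096
"""

# Constructed report: a watchdog kill, not a decoder fault.
SAMPLE_BENIGN = """\
Process:             BankApp [1234]
Exception Type:  EXC_CRASH (SIGKILL)
Exception Codes: 0x0000000000000000, 0x0000000000000000

Thread 0 Crashed:
0   libsystem_kernel.dylib          0x00000001c0000000 __ulock_wait + 8
1   BankApp                         0x0000000100002000 0x100000000 + 8192
"""

if __name__ == "__main__":
    for name, text in (("kyc-capture", SAMPLE_CRASH), ("watchdog", SAMPLE_BENIGN)):
        print(f"{name}: {'IMAGEIO CORRUPTION - escalate' if is_imageio_corruption(text) else 'not a codec fault'}")
```

Run it over the crash exports from your crash-reporting vendor for the iOS 18.6.x population and compare the hit rate before and after devices update; a cluster of hits on unpatched builds in the KYC or document-upload screens is what you are looking for.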

macOS 15.6.1 Patch

HIGH Same CVE-2025-43300

Desktop apps and internal tools also affected. Update development machines.

Actions:

  • Update macOS dev machines to 15.6.1
  • Rebuild iOS simulators after update
  • Test Catalyst apps if applicable

🌐 Cross-Platform

React Native 0.81

LOW Released: August 12, 2025

Major update with Android 16 support and edge-to-edge requirements.

Breaking Changes:

  • SafeAreaView deprecated (use react-native-safe-area-context)
  • Edge-to-edge mandatory on Android 16
  • JavaScriptCore moved to community package

New Features:

  • 10x faster iOS builds (experimental)
  • Native Android 16 support
  • 16KB page size compliant

Migration Actions:

  • Replace SafeAreaView implementations
  • Test edge-to-edge on tablets
  • Update to Hermes or add JSC package

Test Matrix: Android API 29-36 / iOS 17-18


🛡️ Security & Tamper Detection

Frida 17.2.17 Update

MEDIUM Released: August 20, 2025

New Interceptor behavior on iOS. Update detection patterns.

Impact: RASP/Anti-tampering, Hook detection

Actions:

  • Update Frida detection signatures
  • Test ptrace/injection detection
  • Verify hook detection at sensitive screens
  • Review symbol/port detection logic

Test Matrix: Android 13-16 / iOS 17-18

Magisk v30.2 Pre-release

LOW Pre-release: August 2025

Zygisk/denylist improvements. Monitor for banking app detection changes.

Actions:

  • Test against Magisk stable vs v30.2
  • Check ro.debuggable/su detection
  • Update Play Integrity rules
  • Monitor root detection bypass reports

Test Matrix: Android 13-16 with various root configurations
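The Frida and Magisk items above both come down to re-running indicator checks against captured device output. The script below is an added example for this newsletter, not the output of any RASP SDK, and serves both: it applies the classic signatures (frida-server process and thread names, the default TCP port 27042, injected agent libraries in a process map, su binaries, debug build properties, Magisk daemons) over text a tester captured with `ps`, `ss`/`netstat`, `getprop` and `cat /proc/<pid>/maps`. All sample output is constructed. Every one of these indicators is defeated by a renamed binary, `frida-server -l` on another port, or a denylist, which is exactly why the Magisk item says to lean on Play Integrity; treat hits as "look closer", never a clean bill of health.

```python
"""Indicator scan for Frida and root/Magisk artefacts over captured device output.

Added example for this newsletter, not the output of any RASP SDK. It runs
the classic signature checks over text captured from a device:
  ps -A / ps -T      -> process and thread names
  ss -tln / netstat  -> listening TCP ports
  getprop            -> build properties
  /proc/<pid>/maps   -> mapped libraries
All sample output below is constructed. Each indicator is trivially hidden
(renamed binary, custom port, denylist), so hits are triage input only.
"""
import re

FRIDA_DEFAULT_PORT = 27042
FRIDA_PROCESS_NAMES = ("frida-server", "frida-agent", "frida-gadget", "frida-helper")
# Thread names Frida's runtime creates; "gmain"/"gdbus" are also ordinary GLib names,
# so on their own they are weak evidence.
FRIDA_THREAD_NAMES = ("gum-js-loop", "gmain", "gdbus", "linjector")
FRIDA_LIB_PATTERN = re.compile(r"frida-agent.*\.so|frida-gadget.*\.so|libgadget.*\.so")

SU_PATHS = ("/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
            "/data/local/tmp/su", "/data/local/bin/su", "/system/sd/xbin/su")
ROOT_PROCESS_NAMES = ("magiskd", "magisk", "zygiskd", "su")
RISKY_PROPS = {"ro.debuggable": "1", "ro.secure": "0", "ro.build.tags": "test-keys"}


def parse_ps(ps_output: str) -> list[str]:
    """Return the NAME column (last field) of ps output, skipping the header."""
    names = []
    for line in ps_output.splitlines()[1:]:
        parts = line.split()
        if parts:
            names.append(parts[-1])
    return names


def parse_listening_ports(net_output: str) -> set[int]:
    """Return local TCP ports from ss/netstat lines in LISTEN state."""
    ports = set()
    for line in net_output.splitlines():
        if "LISTEN" not in line:
            continue
        for token in line.split():
            # first token shaped like addr:port is the local address
            if ":" in token and token.rsplit(":", 1)[1].isdigit():
                ports.add(int(token.rsplit(":", 1)[1]))
                break
    return ports


def parse_getprop(getprop_output: str) -> dict[str, str]:
    """Parse getprop lines of the form [key]: [value]."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\[([^\]]+)\]: \[([^\]]*)\]", getprop_output, re.M)}


def scan(ps_output: str, net_output: str, getprop_output: str,
         maps_output: str, existing_paths: set[str]) -> list[str]:
    """Return human-readable findings; an empty list means no indicator fired."""
    findings = []
    for n in parse_ps(ps_output):
        if any(n.startswith(p) for p in FRIDA_PROCESS_NAMES):
            findings.append(f"frida process: {n}")
        if n in ROOT_PROCESS_NAMES:
            findings.append(f"root daemon/binary running: {n}")
        if any(n.startswith(t) for t in FRIDA_THREAD_NAMES):
            findings.append(f"frida thread name: {n}")
    if FRIDA_DEFAULT_PORT in parse_listening_ports(net_output):
        findings.append(f"tcp/{FRIDA_DEFAULT_PORT} listening (frida-server default)")
    for line in maps_output.splitlines():
        if FRIDA_LIB_PATTERN.search(line):
            findings.append(f"injected library mapped: {line.split()[-1]}")
    props = parse_getprop(getprop_output)
    for key, bad in RISKY_PROPS.items():
        if props.get(key) == bad:
            findings.append(f"property {key}={bad}")
    for path in SU_PATHS:
        if path in existing_paths:
            findings.append(f"su binary present: {path}")
    return findings


# Constructed captures from a test device with frida-server and Magisk running.
SAMPLE_PS = """\
USER     PID  PPID  VSZ  RSS  WCHAN  ADDR  S  NAME
root       1     0   10   10      0     0  S  init
root     912     1   20   20      0     0  S  magiskd
shell   4521  4402   30   30      0     0  S  frida-server
u0_a123 5001   912   40   40      0     0  S  com.example.bank
"""
SAMPLE_NET = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:27042    0.0.0.0:*
LISTEN 0      50     [::]:5555          [::]:*
"""
SAMPLE_GETPROP = """\
[ro.build.tags]: [release-keys]
[ro.debuggable]: [1]
[ro.secure]: [1]
"""
SAMPLE_MAPS = """\
7a12340000-7a12350000 r-xp 00000000 fd:00 1234  /data/local/tmp/re.frida.server/frida-agent-64.so
7a12350000-7a12360000 r--p 00000000 fd:00 5678  /system/lib64/libc.so
"""
SAMPLE_PATHS = {"/system/bin/sh", "/system/xbin/su", "/data/adb/magisk"}

if __name__ == "__main__":
    for finding in scan(SAMPLE_PS, SAMPLE_NET, SAMPLE_GETPROP, SAMPLE_MAPS, SAMPLE_PATHS):
        print("HIT:", finding)
```

Use it as a regression harness for the tamper-detection test matrix: capture the same four outputs on a stock device, a Magisk stable device and a Magisk v30.2 device with the denylist enabled, and compare which indicators survive. Indicators that disappear under the denylist are the ones your in-app checks should stop trusting.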


👁️ Community Watchlist

⚠️ Unverified community reports - awaiting official confirmation

Enhanced Banking App Detection

VOZ Report #1: MBBank/VNeID increasing root detection

  • Reports of ReZygisk/HMA/KernelSU Next detection
  • Zimperium blocking via bindhost/NextDNS
  • Source: 7+ posts last 7 days · low-trust
  • VOZ Thread Page 312

Play Integrity Changes

VOZ Report #2: MEETS_STRONG_INTEGRITY requirements

  • Some devices achieving STRONG but apps only checking BASIC
  • GPay compatibility discussions
  • Source: Multiple reports · low-trust
  • VOZ Thread Page 313
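The second report, if it holds up, describes a policy gap rather than a Play Integrity change: the verdict list can carry MEETS_BASIC_INTEGRITY, MEETS_DEVICE_INTEGRITY and MEETS_STRONG_INTEGRITY at the same time, and a server that only looks for BASIC lets a rooted device with a spoofed fingerprint through. The code below is an added example for this newsletter, not Google's SDK. It assumes the integrity token has already been decrypted and signature-verified (for example by Google's decodeIntegrityToken endpoint) and that you hold the resulting JSON payload; the field names follow the public Play Integrity API documentation, while the package name, certificate digest, nonce and payloads are constructed.

```python
"""Server-side policy over a decrypted Play Integrity verdict payload.

Added example for this newsletter, not Google's SDK. The token is assumed
already decrypted and signature-verified; this code only decides what to
do with the verdict JSON. Field names follow the Play Integrity API docs;
package name, certificate digest, nonce and sample payloads are constructed.
"""
import json
import time
from typing import Optional

EXPECTED_PACKAGE = "com.example.bank"                              # constructed
EXPECTED_CERT_SHA256 = "cDgzyZ1i5xsQqhQ3xgD9gWyR1b0Tq6mJ5Yv7Q2bGH2s"  # constructed digest
MAX_TOKEN_AGE_MS = 10 * 60 * 1000

# The device verdict is a list that may hold several of these at once.
TIER_LABEL = {
    "basic": "MEETS_BASIC_INTEGRITY",
    "device": "MEETS_DEVICE_INTEGRITY",
    "strong": "MEETS_STRONG_INTEGRITY",
}


def evaluate(payload: dict, expected_nonce: str, required_tier: str,
             now_ms: Optional[int] = None) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Fails closed on any missing or unexpected field."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []
    req = payload.get("requestDetails", {})
    app = payload.get("appIntegrity", {})
    dev = payload.get("deviceIntegrity", {})
    acct = payload.get("accountDetails", {})

    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        reasons.append("requestPackageName mismatch")
    # Nonce binds the verdict to this server-issued challenge; a mismatch is a replay.
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch or replay")
    ts = int(req.get("timestampMillis", "0"))
    if not (0 <= now_ms - ts <= MAX_TOKEN_AGE_MS):
        reasons.append("token too old or from the future")
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append(f"appRecognitionVerdict={app.get('appRecognitionVerdict')}")
    if app.get("packageName") != EXPECTED_PACKAGE:
        reasons.append("appIntegrity.packageName mismatch")
    if EXPECTED_CERT_SHA256 not in app.get("certificateSha256Digest", []):
        reasons.append("signing certificate not recognised")
    # The tier check the watchlist report is about: require the label for the
    # risk level of the action, not merely any label in the list.
    verdicts = set(dev.get("deviceRecognitionVerdict", []))
    if TIER_LABEL[required_tier] not in verdicts:
        reasons.append(f"device verdict {sorted(verdicts)} lacks {TIER_LABEL[required_tier]}")
    if acct.get("appLicensingVerdict") == "UNLICENSED":
        reasons.append("appLicensingVerdict=UNLICENSED")
    return (not reasons, reasons)


def make_payload(verdicts: list[str], ts_ms: int) -> dict:
    """Constructed verdict payload in the documented JSON shape."""
    return {
        "requestDetails": {"requestPackageName": EXPECTED_PACKAGE,
                           "nonce": NONCE,
                           "timestampMillis": str(ts_ms)},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                         "packageName": EXPECTED_PACKAGE,
                         "certificateSha256Digest": [EXPECTED_CERT_SHA256],
                         "versionCode": "4210"},
        "deviceIntegrity": {"deviceRecognitionVerdict": verdicts},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    }


NONCE = "c2VydmVyLWlzc3VlZC1ub25jZQ"           # constructed server-issued nonce
NOW_MS = 1_756_800_000_000                     # fixed clock for the example
STRONG = ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"]
BASIC_ONLY = ["MEETS_BASIC_INTEGRITY"]

if __name__ == "__main__":
    for label, verdicts in (("strong", STRONG), ("basic-only", BASIC_ONLY)):
        payload = json.loads(json.dumps(make_payload(verdicts, NOW_MS - 5_000)))
        for tier in ("basic", "strong"):
            ok, why = evaluate(payload, NONCE, tier, now_ms=NOW_MS)
            print(f"{label:10} gate={tier:6} -> {'ALLOW' if ok else 'DENY: ' + '; '.join(why)}")
```

Pick the tier per action: MEETS_DEVICE_INTEGRITY is a sensible floor for login, MEETS_STRONG_INTEGRITY for adding a payee or raising a transfer limit. The check must run on your server against a nonce your server issued; a verdict the client evaluates for itself is one hooked method away from always saying ALLOW, which loops straight back to the Frida and Magisk items above.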

📊 Week-over-Week Changes

New This Week

  • ✅ 16KB page size mandate (November 1 deadline)
  • ✅ iOS 18.6.2 zero-day (CVE-2025-43300)
  • ✅ Chrome/WebView 140 rollout
  • ✅ React Native 0.81 with Android 16 support
  • ✅ Play Billing Library v7 requirement

Continuing from Last Week

  • Google Play API 35 requirement (extended to Nov 1)
  • Android Security Bulletin SPL 2025-08-05
  • Flutter 3.35 stable release

Next Week Preview

  • iOS 18.7 beta evaluation
  • Android 16 compatibility deep-dive
  • 16KB page size migration guide
  • WebView 140 production metrics

Mobile Banking Security Weekly #2 · September 2, 2025
Critical updates require immediate action · Plan your November 1 compliance
Questions? Contact security@yourbank.com
