How safe are your mobile banking apps?

1 June 2012 Information Security

Not very, based on the findings of a 2011 study by digital forensics and security firm, viaForensics. According to the study, 25% of the mobile banking apps tested did not provide adequate security: passwords, partial credit card details, payment history and transaction details were easily retrieved from the handset. What is more, another 31% of banking apps had less severe security issues with 44% offering adequate security.

Mobile banking apps actually fared well in comparison to social networking and retail apps – none of these passed the security test – and only 9% of productivity apps made the grade. However, it is clear that banking apps are nowhere near secure enough when you consider the potential fallout from having banking details compromised.

And when one considers the predictions that as consumers move more of their banking and shopping activities onto mobile devices, hackers and criminals are going to be increasingly targeting these devices. What is more, they have years of experience in the PC world to draw on, so all indications are that mobile security issues are going to evolve far faster than they did in the PC world.

Surely banks and developers should have learnt these same lessons and be keeping ahead of criminals? Unfortunately, several factors about the current mobile development landscape mean that security is left to the last minute, or not even considered at all, rather than being a priority from the start. These factors include a focus on speed to market and grabbing marketshare, outsourced development projects running over time and budget, and hiring software developers with little security experience.

Beefing up mobile security

As ever in the fragmented mobile market, it is important to understand the various security capabilities of different mobile technologies and to offer transactional services accordingly:

USSD

USSD offers the least amount of security, with weak encryption capabilities to protect information sent over the mobile network and several inherent security issues with the technology itself. No matter how well a USSD service is implemented, it can never offer adequate levels of security so should be reserved for more basic services.

Mobile Web

Despite including SSL (secure sockets layer) encryption, security on the mobile Web is also problematic. For a start users have to check that their browser trusts the site by looking for clues that differ from browser to browser. Also in many cases and especially on older phones, the certifying authority has already been hacked. So despite the browser indicating that a site is trusted, it is in fact unsecure.

HTML5

Unfortunately, the introduction of HTML5 is going to do nothing to improve security on the mobile Web. Simply put, the specifications have not considered security at all and new features, such as local storage, make security levels on the mobile Web significantly worse than the status quo.

Applications

Mobile applications have the potential to offer the highest levels of security, but only if this is implemented properly. Too often apps are implemented without utilising security features, or are outsourced to software development teams with no security experience or knowledge. Then factor in variances across different operating systems and the fact that when under time or budget pressure, security becomes the last concern.

Two things need to happen to provide customers with an adequate level of security when it comes to banking applications, both to avoid disaster and also to ensure that customers have the same level of confidence in the bank, irrespective of the channel they are using.

Firstly, inherent security flaws need to be mitigated as far as possible. So rather than rely on standard SSL security and certification authorities on Web browsers, run a standard, validated security stack that you know has not been compromised. Consider what data is being stored locally and do not store or transmit passwords and other sensitive details as plain text.

Even if inherent risks have been mitigated, only offer services suited to the functionality, security capabilities and user experience of each channel. So, for example, USSD should only be used for non-critical transactions such as balance statements, while a well-implemented app can be trusted to handle more complicated payments and transactions.

Developing mobile services using a mobile enterprise application platform (MEAP) with a built-in, externally verified security stack is the best way to deliver the most suitable service for a mobile channel while still remaining conscious of the channel-specific security concerns.

Wilter du Toit, CEO Virtual Mobile Technologies
Wilter du Toit, CEO Virtual Mobile Technologies

For more information contact Virtual Mobile Technologies (VMT), +27 (0)21 424 7818, [email protected], http://ramp.virtualmobiletech.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Upgrade your PCs to improve security
Information Security Infrastructure
Truly secure technology today must be designed to detect and address unusual activity as it happens, wherever it happens, right down to the BIOS and silicon levels.

Read more...
Open source code can also be open risk
Information Security Infrastructure
Software development has changed significantly over the years, and today, open-source code increasingly forms the foundation of modern applications, with surveys indicating that 60 – 90% of the average application's code base consists of open-source components.

Read more...
DeepSneak deception
Information Security News & Events
Kaspersky Global Research & Analysis researchers have discovered a new malicious campaign which is distributing a Trojan through a fake DeepSeek-R1 Large Language Model (LLM) app for PCs.

Read more...
SA’s strained, loadshedding-prone grid faces cyberthreats
Power Management Information Security
South Africa’s energy sector, already battered by decades of underinvestment and loadshedding, faces another escalating crisis; a wave of cyberthreats that could turn disruptions into catastrophic failures. Attacks are already happening internationally.

Read more...
Almost 50% of companies choose to pay the ransom
News & Events Information Security
This year’s Sophos State of Ransomware 2025 report found that nearly 50% of companies paid the ransom to get their data back, the second-highest rate of ransom payment for ransom demands in six years.

Read more...
Survey highlights cost of cyberdamage to industrial companies
Kaspersky Information Security News & Events
The majority of industrial organisations estimate their financial losses caused by cyberattacks to be over $1 million, while almost one in four report losses exceeding $5 million, and for some, it surpasses $10 million.

Read more...
Digital economy needs an agile approach to cybersecurity
Information Security News & Events
South Africa is the most targeted country in Africa when it comes to infostealer and ransomware attacks. Being at the forefront of the continent’s digital transformation puts South Africa in the crosshairs for sophisticated cyberattacks

Read more...
SIEM rule threat coverage validation
Information Security News & Events
New AI-detection engineering assistant from Cymulate automates SIEM rule validation for SecOps and blue teams by streamlining threat detection engineering with automated testing, control integrations and enhanced detections.

Read more...
Cybersecurity a challenge in digitalising OT
Kaspersky Information Security Industrial (Industry)
According to a study by Kaspersky and VDC Research on securing operational technology environments, the primary risks are inadequate security measures, insufficient resources allocated to OT cybersecurity, challenges surrounding regulatory compliance, and the complexities of IT/OT integration.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.