How safe are your mobile banking apps?

1 June 2012 Information Security

Not very, based on the findings of a 2011 study by digital forensics and security firm, viaForensics. According to the study, 25% of the mobile banking apps tested did not provide adequate security: passwords, partial credit card details, payment history and transaction details were easily retrieved from the handset. What is more, another 31% of banking apps had less severe security issues with 44% offering adequate security.

Mobile banking apps actually fared well in comparison to social networking and retail apps – none of these passed the security test – and only 9% of productivity apps made the grade. However, it is clear that banking apps are nowhere near secure enough when you consider the potential fallout from having banking details compromised.

And when one considers the predictions that as consumers move more of their banking and shopping activities onto mobile devices, hackers and criminals are going to be increasingly targeting these devices. What is more, they have years of experience in the PC world to draw on, so all indications are that mobile security issues are going to evolve far faster than they did in the PC world.

Surely banks and developers should have learnt these same lessons and be keeping ahead of criminals? Unfortunately, several factors about the current mobile development landscape mean that security is left to the last minute, or not even considered at all, rather than being a priority from the start. These factors include a focus on speed to market and grabbing marketshare, outsourced development projects running over time and budget, and hiring software developers with little security experience.

Beefing up mobile security

As ever in the fragmented mobile market, it is important to understand the various security capabilities of different mobile technologies and to offer transactional services accordingly:

USSD

USSD offers the least amount of security, with weak encryption capabilities to protect information sent over the mobile network and several inherent security issues with the technology itself. No matter how well a USSD service is implemented, it can never offer adequate levels of security so should be reserved for more basic services.

Mobile Web

Despite including SSL (secure sockets layer) encryption, security on the mobile Web is also problematic. For a start users have to check that their browser trusts the site by looking for clues that differ from browser to browser. Also in many cases and especially on older phones, the certifying authority has already been hacked. So despite the browser indicating that a site is trusted, it is in fact unsecure.

HTML5

Unfortunately, the introduction of HTML5 is going to do nothing to improve security on the mobile Web. Simply put, the specifications have not considered security at all and new features, such as local storage, make security levels on the mobile Web significantly worse than the status quo.

Applications

Mobile applications have the potential to offer the highest levels of security, but only if this is implemented properly. Too often apps are implemented without utilising security features, or are outsourced to software development teams with no security experience or knowledge. Then factor in variances across different operating systems and the fact that when under time or budget pressure, security becomes the last concern.

Two things need to happen to provide customers with an adequate level of security when it comes to banking applications, both to avoid disaster and also to ensure that customers have the same level of confidence in the bank, irrespective of the channel they are using.

Firstly, inherent security flaws need to be mitigated as far as possible. So rather than rely on standard SSL security and certification authorities on Web browsers, run a standard, validated security stack that you know has not been compromised. Consider what data is being stored locally and do not store or transmit passwords and other sensitive details as plain text.

Even if inherent risks have been mitigated, only offer services suited to the functionality, security capabilities and user experience of each channel. So, for example, USSD should only be used for non-critical transactions such as balance statements, while a well-implemented app can be trusted to handle more complicated payments and transactions.

Developing mobile services using a mobile enterprise application platform (MEAP) with a built-in, externally verified security stack is the best way to deliver the most suitable service for a mobile channel while still remaining conscious of the channel-specific security concerns.

Wilter du Toit, CEO Virtual Mobile Technologies
Wilter du Toit, CEO Virtual Mobile Technologies

For more information contact Virtual Mobile Technologies (VMT), +27 (0)21 424 7818, [email protected], http://ramp.virtualmobiletech.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Managed security solutions for organisations of all sizes
Information Security News & Events
Cyber attackers have become significantly more sophisticated and determined, targeting businesses of all sizes. PwC’s Global Digital Trust Insights Survey 2025 Africa and South Africa highlights the urgent need for organisations to implement robust cyber risk mitigation strategies.

Read more...
Data resilience at VeeamON
Technews Publishing SMART Security Solutions Infrastructure Information Security
SMART Security Solutions attended the VeeamON Tour in Johannesburg in August to learn more about data resilience and Veeam’s initiatives to enhance data protection, both on-site and in the cloud.

Read more...
Troye exposes the Entra ID backup blind spot
Information Security Infrastructure
If you trust Microsoft to protect your identity, think again. Many organisations naively believe that Microsoft’s shared responsibility model covers Microsoft Entra?ID – formerly Azure AD – but it does not.

Read more...
Secure data protection without hardware lock-in
Infrastructure Information Security News & Events
New Veeam Software Appliance empowers IT teams to achieve instant protection with Veeam’s fully preconfigured, software-only appliance, delivering enterprise-ready simplified deployment and operational efficiency, robust cyber resilience.

Read more...
Check Point launches open, vendor-neutral MDR services
Information Security News & Events Products & Solutions
New Check Point MDR 360° and MXDR 360° offerings deliver 24/7 managed continuous threat monitoring protection across endpoints, cloud and network environments with built-in identity threat detection and 160+ integrations across hybrid, multi-vendor environments.

Read more...
Credential theft surges in South Africa
NEC XON Information Security
NEC XON issues a critical cybersecurity warning about the dual threat of massive credential theft and AI-powered cyberattacks sweeping across the region, with an increasing number of incidents and evolving threat tactics.

Read more...
Want effective Attack Surface Management? Think like an attacker.
Information Security
Effective ASM requires companies to think like attackers, anticipate risks, and act decisively to reduce exposure by knowing their environment, deploying a structured approach, leveraging capable tools, and addressing both internal and external risks.

Read more...
The growing role of hybrid backup
Infrastructure Information Security
As Africa’s digital economy rapidly grows, businesses across the continent are facing the challenge of securing data in an environment characterised by evolving cyberthreats, unreliable connectivity and diverse regulatory frameworks.

Read more...
POPIA non-compliance puts municipalities at risk
Information Security Government and Parastatal (Industry)
Digital responsibility must go beyond POPIA compliance to recognising that privacy and service delivery are fundamentally linked. Despite this, only 51 out of 257 municipalities submitted their mandatory data protection and access to information reports in 2024.

Read more...
Choicejacking bypasses smartphone charging security
News & Events Information Security
Choicejacking is a new cyberthreat that bypasses smartphone charging security defences to confirm, without the victim’s input or consent, that the victim wishes to connect in data-transfer mode.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.