printer friendly version

How safe are your mobile banking apps?

Not very, based on the findings of a 2011 study by digital forensics and security firm, viaForensics. According to the study, 25% of the mobile banking apps tested did not provide adequate security: passwords, partial credit card details, payment history and transaction details were easily retrieved from the handset. What is more, another 31% of banking apps had less severe security issues with 44% offering adequate security.

Mobile banking apps actually fared well in comparison to social networking and retail apps – none of these passed the security test – and only 9% of productivity apps made the grade. However, it is clear that banking apps are nowhere near secure enough when you consider the potential fallout from having banking details compromised.

And when one considers the predictions that as consumers move more of their banking and shopping activities onto mobile devices, hackers and criminals are going to be increasingly targeting these devices. What is more, they have years of experience in the PC world to draw on, so all indications are that mobile security issues are going to evolve far faster than they did in the PC world.

Surely banks and developers should have learnt these same lessons and be keeping ahead of criminals? Unfortunately, several factors about the current mobile development landscape mean that security is left to the last minute, or not even considered at all, rather than being a priority from the start. These factors include a focus on speed to market and grabbing marketshare, outsourced development projects running over time and budget, and hiring software developers with little security experience.

Beefing up mobile security

As ever in the fragmented mobile market, it is important to understand the various security capabilities of different mobile technologies and to offer transactional services accordingly:

USSD

USSD offers the least amount of security, with weak encryption capabilities to protect information sent over the mobile network and several inherent security issues with the technology itself. No matter how well a USSD service is implemented, it can never offer adequate levels of security so should be reserved for more basic services.

Mobile Web

Despite including SSL (secure sockets layer) encryption, security on the mobile Web is also problematic. For a start users have to check that their browser trusts the site by looking for clues that differ from browser to browser. Also in many cases and especially on older phones, the certifying authority has already been hacked. So despite the browser indicating that a site is trusted, it is in fact unsecure.

HTML5

Unfortunately, the introduction of HTML5 is going to do nothing to improve security on the mobile Web. Simply put, the specifications have not considered security at all and new features, such as local storage, make security levels on the mobile Web significantly worse than the status quo.

Applications

Mobile applications have the potential to offer the highest levels of security, but only if this is implemented properly. Too often apps are implemented without utilising security features, or are outsourced to software development teams with no security experience or knowledge. Then factor in variances across different operating systems and the fact that when under time or budget pressure, security becomes the last concern.

Two things need to happen to provide customers with an adequate level of security when it comes to banking applications, both to avoid disaster and also to ensure that customers have the same level of confidence in the bank, irrespective of the channel they are using.

Firstly, inherent security flaws need to be mitigated as far as possible. So rather than rely on standard SSL security and certification authorities on Web browsers, run a standard, validated security stack that you know has not been compromised. Consider what data is being stored locally and do not store or transmit passwords and other sensitive details as plain text.

Even if inherent risks have been mitigated, only offer services suited to the functionality, security capabilities and user experience of each channel. So, for example, USSD should only be used for non-critical transactions such as balance statements, while a well-implemented app can be trusted to handle more complicated payments and transactions.

Developing mobile services using a mobile enterprise application platform (MEAP) with a built-in, externally verified security stack is the best way to deliver the most suitable service for a mobile channel while still remaining conscious of the channel-specific security concerns.

Wilter du Toit, CEO Virtual Mobile Technologies

Share this article:

Further reading: