By Matt Graham, Technical Consultant at Apadmi
Recent reports surrounding major security flaws in some of the top mobile banking apps point to a number of issues that have left financial services organisations and their customers exposed to loss of data, attack and theft. Exposés by major security firms, such as IOActive, have laid bare weaknesses in the applications of some of the world’s largest institutions which range from insecure links to a general lack of diligence in the testing of apps launched onto the market.
Some may say that this is evidence of the financial sector’s inexperience in the mobile space, and a development community that isn’t on the ball in being able to translate the strict regulations surrounding banking and transactions into applications that protect user and institutional data.
User frustration and the real threat of exposing customer data and the back-end banking infrastructure add up to a ticking time bomb. Security and design are gradually improving, but there is still a sense that it will take a major crisis to accelerate the move to better, more secure applications.
Negotiating the Hazards
There are a number of specific areas that financial organisations (and the less savvy app developers) need to be on top of to close down security risks, bring excellent user experiences and improve the overall quality of apps.
Testing and Auditing
Use a third-party penetration testing firm and let them liaise with your developer, so that security measures are built in from day one rather than bolted on reactively during User Acceptance Testing (UAT).
Think about the human element – security weaknesses go much further than insecure code. Where will the development code be held? Are the developer's premises secure? Are project files and other information kept on insecure cloud storage sites?
Communications with Servers
The pipe of data between device and the backend system can be a real weak point. HTTPS is a given, but requires care in setting up, particularly in respect of certificate trust. Additional security or encryption may also be appropriate.
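The certificate-trust point above is where most HTTPS set-ups go wrong. The following is an added example (not Apadmi's code or the page's own) showing one way to get it right: the client still performs full chain validation, and on top of that requires that the server's public key matches a pin shipped with the app. It assumes Go's standard library only; the TLS server, the "balance" response and the deliberately wrong pin are constructed test fixtures, not a real bank endpoint.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// spkiPin returns the base64 SHA-256 digest of a certificate's
// SubjectPublicKeyInfo: the value an app would ship as its pin.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinnedClient builds an HTTP client that performs normal chain validation
// against roots AND additionally requires that some certificate in the
// verified chain carries one of the pinned public keys.
func pinnedClient(roots *x509.CertPool, pins map[string]bool) *http.Client {
	cfg := &tls.Config{
		RootCAs:    roots,
		MinVersion: tls.VersionTLS12,
		// VerifyPeerCertificate runs after standard verification succeeds,
		// so the pin check is an extra gate, never a replacement for it.
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			for _, chain := range chains {
				for _, cert := range chain {
					if pins[spkiPin(cert)] {
						return nil
					}
				}
			}
			return errors.New("tls: no certificate in the verified chain matches a pinned public key")
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// fetch performs a GET and returns the body, or the transport/TLS error.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// runDemo starts a throwaway TLS server (constructed fixture) and shows that
// the correct pin is accepted while a wrong pin is rejected even though the
// certificate chain itself is trusted.
func runDemo() (okBody string, wrongPinErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "balance: 42.00") // constructed response
	}))
	defer srv.Close()

	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())

	good := pinnedClient(roots, map[string]bool{spkiPin(srv.Certificate()): true})
	defer good.CloseIdleConnections()
	okBody, err := fetch(good, srv.URL)
	if err != nil {
		return "", err
	}

	// A pin that belongs to no real key (constructed value): chain validation
	// still passes, the pin check must be what rejects the connection.
	bad := pinnedClient(roots, map[string]bool{"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=": true})
	_, wrongPinErr = fetch(bad, srv.URL)
	return okBody, wrongPinErr
}

func main() {
	body, err := runDemo()
	fmt.Println("pinned request:", body)
	fmt.Println("wrong pin:", err)
}
```

Pinning the SubjectPublicKeyInfo rather than the whole certificate lets the bank renew the certificate without an app update, as long as the key is kept; shipping a backup pin for the next key is the usual way to avoid locking customers out on rotation.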
Multi-factor authentication, which looks for multiple independent items of information when verifying users, is standard for banking websites, so why don’t all apps request a similar level of security at sign-in?
The commissioning business should also interrogate the full architecture of the application to check that the data flowing between device and servers is secure. Any data that goes through third party systems will be subject to compliance and regulation, e.g. PCI.
As well as exposed data, apps that leak details of their inner workings can open up a litany of hacking opportunities. To combat this, all logging should be removed from the code before the release builds are made, and the release builds should be hardened with compiler protections such as Position Independent Executables (PIE) and Stack Smashing Protection.
Local Data Storage
There is an easy rule to remember when holding data locally on devices: store as little as possible and encrypt what is there. Leaving data on the device is a bit like leaving your purse on a bus seat. Configure the app from the start so that it can't run on jailbroken or rooted devices.
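Both halves of that rule, storing less and encrypting the rest, are shown in the following added example (not Apadmi's code or the page's own). It assumes Go's standard library only and that the encryption key is held in the platform key store (Keychain or Android Keystore) rather than alongside the records; the account number and field name are constructed sample values. AES-GCM is used so that any tampering with a stored record is detected rather than silently decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sealRecord encrypts one record with AES-256-GCM. aad (associated data) is
// authenticated but not encrypted; using the field name as aad binds the blob
// to its slot, so a blob copied into a different field is rejected.
func sealRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per record: GCM security collapses if a nonce repeats under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Layout on disk: nonce || ciphertext || tag
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openRecord reverses sealRecord and fails closed on any change to the
// nonce, ciphertext, tag or associated data.
func openRecord(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored record too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// minimiseAccountNumber keeps only what the UI needs to display, the last
// four digits; the full number then never has to exist on the device.
func minimiseAccountNumber(full string) string {
	if len(full) <= 4 {
		return full
	}
	return "****" + full[len(full)-4:]
}

func main() {
	// Constructed demo key; a real app fetches it from the platform key store.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	aad := []byte("field:account")
	blob, err := sealRecord(key, []byte(minimiseAccountNumber("12345678")), aad)
	if err != nil {
		panic(err)
	}
	pt, err := openRecord(key, blob, aad)
	fmt.Printf("stored: %q err=%v\n", pt, err)

	blob[len(blob)-1] ^= 0x01 // simulate an attacker editing the file
	_, err = openRecord(key, blob, aad)
	fmt.Println("tampered record rejected:", err != nil)
}
```

What is not shown here is the part the platform has to supply: the key must live in hardware-backed storage and be released only after the user authenticates, otherwise encryption on the same filesystem as the key is the purse on the bus seat with a note saying where the lock is.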
Design and UI
Prefer native controls to web views. Whilst a native control cannot ask for additional information, a compromised web view can ask for whatever information the attacker might be interested in, and it will appear to be coming from a trusted source. If a web view is to be used, the security of the data connection must be very carefully considered.
Very few financial services applications address the need for good design. The presentation of forms and data needs more thought and care than is usual during the design stages.
Once downloaded, the app will become the main contact point for many customers and will highly influence brand perception. It just takes a quick look at the app store ratings of some of the UK’s major banks to see that customers are not happy with what’s on offer.
The Weakest Link?
Apps should always be designed with real-world usage in mind, whether that be multi-user scenarios, where tablets may be passed around friends and family, or the risk of people opening up their device to attack from spyware.
Counterfeit applications are an increasing threat and businesses must make it easy for users to determine which app is authentic. App stores should also be monitored for fake and cracked apps.
Ongoing Health Checks
Even the best designed, most highly tested app can become insecure, and bugs can emerge over time. Maintaining ongoing relationships with pen testers and app developers will ensure that apps remain secure throughout their lifespan. Old versions of apps can put security at risk, especially if they become unsupported. Consider building in the capability to enforce user upgrades. This kind of foresight can really pay off if there is a major breach.
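Enforcing upgrades needs a decision the app can make at launch from a small policy served by the bank's own back end. The following added example (not Apadmi's code or the page's own) shows such a check in Go, standard library only. The policy document format, its field names and the version numbers are constructed assumptions; the design choice worth noting is that the app fails closed, blocking rather than guessing, if the policy is unreadable.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// UpgradePolicy is a constructed policy document the app fetches at launch
// (over the same pinned connection as everything else).
type UpgradePolicy struct {
	MinVersion    string `json:"min_version"`    // below this the app refuses to run
	LatestVersion string `json:"latest_version"` // below this the app recommends an update
	Message       string `json:"message"`
}

type Decision int

const (
	AllowRun Decision = iota
	RecommendUpgrade
	BlockUntilUpgraded
)

func (d Decision) String() string {
	return [...]string{"AllowRun", "RecommendUpgrade", "BlockUntilUpgraded"}[d]
}

// parseVersion turns "2.4.1" into [2 4 1]; non-numeric components are an error.
func parseVersion(v string) ([]int, error) {
	parts := strings.Split(strings.TrimSpace(v), ".")
	out := make([]int, len(parts))
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("bad version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1; missing trailing components count as 0,
// so "2.4" and "2.4.0" are equal.
func compareVersions(a, b []int) int {
	n := len(a)
	if len(b) > n {
		n = len(b)
	}
	for i := 0; i < n; i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// evaluate decides what the installed build may do. Any parse failure blocks:
// an unreadable policy is treated like an unsupported version.
func evaluate(installed string, policyJSON []byte) (Decision, string, error) {
	var p UpgradePolicy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return BlockUntilUpgraded, "", err
	}
	inst, err := parseVersion(installed)
	if err != nil {
		return BlockUntilUpgraded, "", err
	}
	floor, err := parseVersion(p.MinVersion)
	if err != nil {
		return BlockUntilUpgraded, "", err
	}
	latest, err := parseVersion(p.LatestVersion)
	if err != nil {
		return BlockUntilUpgraded, "", err
	}
	if compareVersions(inst, floor) < 0 {
		return BlockUntilUpgraded, p.Message, nil
	}
	if compareVersions(inst, latest) < 0 {
		return RecommendUpgrade, p.Message, nil
	}
	return AllowRun, "", nil
}

func main() {
	// Constructed policy as the back end might serve it.
	policy := []byte(`{"min_version":"2.4.0","latest_version":"2.6.1","message":"Please update to keep using the app."}`)
	for _, v := range []string{"2.3.9", "2.4", "2.6.1", "3.0.0"} {
		d, msg, err := evaluate(v, policy)
		fmt.Printf("installed %-6s -> %s %q err=%v\n", v, d, msg, err)
	}
}
```

The block threshold is the lever that matters after a breach: raising min_version on the server retires every vulnerable build at its next launch, without waiting for users to notice an update prompt.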
Choose Your Partners Carefully
Building a secure transactional app requires sector experience, an understanding of legislation and an appreciation of the importance of end-to-end security. Those financial sector organisations looking to develop an app shouldn't take shortcuts or look for a cheap and easy solution. The risks of failure are too high when it comes to customer data, systems integrity and threat to reputation.
Banking on the Future
Technology is disrupting the financial sector and lowering barriers to entry. Entrants have an opportunity to deliver innovative solutions through new applications that streamline the processes involved across much of the financial services sector.
The next 12 months will see new products and services launch with digital and mobile wallets, contactless, and mPayments gaining wider adoption. Incumbents need to step up to the mark and become more agile in delivering their services in new ways as well as being able to reassure customers that they know what they are doing in terms of technology.
However, whether an established player or an industry challenger, the basics need to be in place. Perhaps the way to do this is to introduce standards and better methods of collaboration between the financial services sector and the development community – we at Apadmi would welcome this kind of initiative. By working together we can lock down the risks and deliver secure AND customer-friendly banking for the future.