Focus on app security design to gain client trust


by Duncan MacRae | 16 January 2014

Vulnerabilities have been found in 40 personal banking apps from 60 of the world's largest banks.

Banks can regain the trust of their customers by placing more security focus on mobile banking design, one security architect has suggested.

Last week, a researcher found numerous vulnerabilities in 40 personal banking apps from 60 of the world's largest banks.

Testing only iOS devices, Ariel Sanchez from IOActive discovered that 90% of the apps contained non-SSL links, meaning an attacker on the network path could intercept the traffic and inject arbitrary JavaScript/HTML code in order to present a fake login page as a phishing attempt.
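The finding above is the kind of thing a defender can check for mechanically before an app ships. The following audit script is an added example, not code from the article, from IOActive or from Veracode. It takes strings as they might be extracted from an app's resources (a constructed sample, not taken from any real app) together with an iOS Info.plist fragment, lists every URL the app would fetch over plaintext HTTP, and reports whether the App Transport Security (ATS) configuration would actually permit that load. ATS arrived in iOS 9, after this article, so for the apps discussed here every plaintext link would simply be loaded; the plist check is included because it is the control a modern build should be audited against. The domain names in the sample are placeholders.

```python
import plistlib
import re
from urllib.parse import urlparse

# Constructed sample strings, of the sort pulled from an app binary or its resource bundle.
SAMPLE_STRINGS = [
    "https://api.example-bank.test/v2/login",
    "http://static.example-bank.test/terms.html",
    "http://cdn.example-bank.test/js/analytics.js",
    "https://www.example-bank.test/help",
    "Welcome to mobile banking",
]

# Constructed Info.plist fragment: ATS enabled, with one host excepted for plaintext HTTP.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>static.example-bank.test</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict></plist>"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Extensions whose content is executed or rendered by the client; plaintext delivery of
# these is what lets an interceptor inject script or a fake login form.
ACTIVE_CONTENT = (".js", ".html", ".htm")


def extract_urls(strings):
    """Pull every http(s) URL out of a list of strings, preserving order."""
    urls = []
    for s in strings:
        urls.extend(URL_RE.findall(s))
    return urls


def plaintext_urls(urls):
    """Keep only URLs whose scheme is plain http (no TLS)."""
    return [u for u in urls if urlparse(u).scheme == "http"]


def ats_allows_plaintext(plist_bytes, host):
    """True if the ATS dictionary would let `host` be reached over http://.

    Absent or default ATS settings block plaintext on iOS 9+; apps built against
    earlier SDKs (such as those in the 2014 study) are not subject to ATS at all.
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads", False):
        return True
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        exact = host == domain
        sub = rules.get("NSIncludesSubdomains", False) and host.endswith("." + domain)
        if (exact or sub) and rules.get("NSExceptionAllowsInsecureHTTPLoads", False):
            return True
    return False


def audit(strings, plist_bytes):
    """Return one finding per plaintext URL: host, ATS verdict, and whether it is active content."""
    findings = []
    for url in plaintext_urls(extract_urls(strings)):
        parsed = urlparse(url)
        findings.append({
            "url": url,
            "host": parsed.hostname,
            "ats_allows": ats_allows_plaintext(plist_bytes, parsed.hostname),
            "active_content": parsed.path.lower().endswith(ACTIVE_CONTENT),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_STRINGS, SAMPLE_PLIST):
        verdict = "ATS permits" if f["ats_allows"] else "ATS blocks"
        kind = "ACTIVE CONTENT" if f["active_content"] else "data"
        print(f"{f['url']}: plaintext, {verdict}, {kind}")
```

In practice the string list comes from whatever tooling the review team already uses to dump an app's resources; the point of the check is that every plaintext URL is a finding regardless of the ATS verdict, with script and HTML fetched over HTTP being the highest-priority ones because they are exactly what an interceptor would replace with a fake login page.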

John Smith, senior security architect for EMEA at application security tester Veracode, believes that following secure design and coding principles as part of the development process would significantly raise the security bar when it comes to mobile banking apps.

He said: "As part of this, comprehensive testing of both the client side and server side is essential in validating that the security practices are being followed and are achieving the aim of secure software."

A number of studies over recent years have shown that security concerns lead consumers to shun online channels and this is likely to be true of mobile apps as well.

Smith added: "As banks are trying to exploit lower cost customer engagement and using technology to differentiate themselves it is essential that customer confidence is high - so yes, this should be a concern for the banks.

The advantages of multi-factor authentication - for example, something you know and something you have - are that they make it much harder for an attacker to impersonate a valid user. However, such technology does typically have an impact on usability and costs so a balanced approach should be taken based on the risks associated with the app."

In the case of full transactional banking apps, the risk will be high and so the authentication mechanism should be proportionately high strength.
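To make the "something you know and something you have" combination concrete, here is an added example of a two-factor check written for this page; it is not Veracode's code or any bank's. It verifies a password (the knowledge factor, stored as a salted PBKDF2 hash) together with a time-based one-time code (the possession factor, RFC 6238 TOTP computed over HMAC-SHA1), accepts one 30-second step of clock skew, and refuses a code that has already been used. The user records and secrets are constructed for the demonstration; the only real values are the RFC 4226/6238 test vectors used to check the code generator.

```python
import hashlib
import hmac
import os
import struct
import time


def hash_password(password, salt, iterations=200_000):
    """Knowledge factor: salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(for_time) // step, digits)


class Authenticator:
    """Constructed in-memory credential store for the demonstration."""

    def __init__(self):
        self.users = {}

    def enroll(self, username, password, totp_secret=None):
        salt = os.urandom(16)
        secret = totp_secret or os.urandom(20)
        self.users[username] = {
            "salt": salt,
            "pw": hash_password(password, salt),
            "secret": secret,
            "last_counter": -1,   # highest TOTP step already accepted (replay guard)
        }
        return secret

    def verify(self, username, password, code, now=None, step=30, skew=1):
        """Both factors must pass; a code is accepted at most once."""
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None:
            # Do the expensive hash anyway so response time does not reveal unknown users.
            hash_password(password, b"\x00" * 16)
            return False
        pw_ok = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw"])

        # Accept codes from the current step and `skew` steps either side of it.
        counter = int(now) // step
        matched = None
        for c in range(counter - skew, counter + skew + 1):
            if hmac.compare_digest(hotp(rec["secret"], c).encode(), code.encode()):
                matched = c
                break

        # Evaluate both factors before deciding, so a failure does not reveal which one failed.
        if not (pw_ok and matched is not None):
            return False
        if matched <= rec["last_counter"]:
            return False  # replay of a code already used
        rec["last_counter"] = matched
        return True


if __name__ == "__main__":
    auth = Authenticator()
    secret = auth.enroll("demo-user", "correct horse battery staple")
    code = totp(secret, time.time())
    print("first use:", auth.verify("demo-user", "correct horse battery staple", code))
    print("replay:   ", auth.verify("demo-user", "correct horse battery staple", code))
```

The design choices worth noting are that both factors are always evaluated, the comparisons are constant-time, and the accepted time step is recorded so a captured code cannot be replayed within the skew window. This is the baseline the article's "proportionately high strength" authentication would be built on; where the risk justifies it, a hardware token or push-based approval replaces the shared TOTP secret, but the verification structure stays the same.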

"Veracode's experience of testing mobile apps on both Android and iOS, however, shows that both platforms can be equally vulnerable to attack," said Smith.
