By: Dr. Michael J. Garbade
June 10, 2018
5 Best Development Practices for the Security of Mobile Banking Apps
The current trend to “mobilize” banking services is phenomenal, with several leading banks and other financial institutions embracing this wonderful technology to reduce costs, improve customer outreach, and gain a competitive edge.
However, most mobile banking apps are susceptible to hacking. For example, a study by the University of Birmingham in the UK identified serious security vulnerabilities, which could affect millions of banking applications, including those of the leading banks.
Most of these vulnerabilities are due to poor app development practices. Therefore, ensuring you adhere to best programming practices, like those taught by Waqar Ahmed, who is a Certified Ethical Hacker with over four years of experience, could enhance the security capabilities of your financial apps.
Here are five tips that can improve the cyber security of your mobile banking apps.
1. Adhere to the industry security practices standards.
There are documents that stipulate the standards for enforcing security in mobile applications. If you comply with the outlined standards, you can safeguard your mobile banking application from the latest cyber attacks and vulnerabilities.
For example, one such security document is the OWASP Top Ten, which raises awareness of the most critical security vulnerabilities in mobile applications. You can use the document to implement secure coding practices in your mobile financial app and stay ahead of the security curve.
2. Implement sufficient authentication.
Weak or insufficient authentication can allow a hacker unauthorized entry to a mobile banking application and ruin the life of the user.
Some of the techniques you can use to reinforce user authentication include implementing two-factor authentication, multi-factor authentication, additional code sent as an SMS or email message, and security questions and answers.
Furthermore, if users are required to provide their bank account numbers before accessing the mobile app, you can mask them or use tokens. Instead of displaying the complete account number on the mobile screen, you can display only the trailing digits (such as *7684) to protect this information, especially in public places.
Also, tokens can be assigned to the bank account numbers and given to the users. Since the tokens are mapped to the actual accounts on the server side, they add a layer of protection: the real account number is known only to the user and the server, and an attacker who sees the token cannot derive the account from it.
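The masking and server-side tokenization described above, as an added example that is not part of the original article. The in-memory dictionaries stand in for the server's mapping store, and tokens are bound to the user who owns the account so that a token presented by a different user does not resolve (both are assumptions for illustration).

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory stores standing in for the server-side token mapping.
_TOKEN_TO_ACCOUNT: Dict[str, Tuple[str, str]] = {}   # token -> (user_id, account)
_ACCOUNT_TO_TOKEN: Dict[Tuple[str, str], str] = {}   # (user_id, account) -> token


def mask_account_number(account_number: str, visible: int = 4) -> str:
    """Return only the trailing digits for on-screen display, e.g. '*7684'."""
    digits = "".join(ch for ch in account_number if ch.isdigit())
    if len(digits) <= visible:
        raise ValueError("account number too short to mask safely")
    return "*" + digits[-visible:]


def tokenize_account(user_id: str, account_number: str) -> str:
    """Issue an opaque token for the account; the real number never leaves the server.

    The token is random, so nothing about the account can be derived from it,
    and the same (user, account) pair always maps to the same token.
    """
    key = (user_id, account_number)
    if key in _ACCOUNT_TO_TOKEN:
        return _ACCOUNT_TO_TOKEN[key]
    token = secrets.token_urlsafe(16)
    _TOKEN_TO_ACCOUNT[token] = key
    _ACCOUNT_TO_TOKEN[key] = token
    return token


def resolve_token(user_id: str, token: str) -> Optional[str]:
    """Server-side lookup. Returns None for unknown tokens or tokens bound to another user."""
    entry = _TOKEN_TO_ACCOUNT.get(token)
    if entry is None or entry[0] != user_id:
        return None
    return entry[1]
```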
3. Remember that the devil is in the code.
When building your mobile app for banking, security should be ingrained in every line of code you write. A single careless line can introduce flaws that hackers could exploit to bring the whole application down.
For example, an improperly coded financial app could make it easy for hackers to carry out reverse engineering attacks. To avoid this, you need to make the mobile banking app complex internally, using carefully crafted lines of code.
Furthermore, you can obfuscate the code to prevent hackers from maliciously looking at the inner-functioning of the application.
4. Remember to deal with the devil you know.
When relying on third-party libraries and APIs to add extra functionalities to your mobile banking application, exercise extra caution. Although they may be useful, most of these resources have vulnerabilities—like the notorious HeartBleed—which can send your application to the deepest parts of hell.
Some of these libraries and APIs enable hackers to remotely implant malicious code and wreak havoc on the app's users. Therefore, it’s essential to vet such resources comprehensively and only go for the well-developed and tested ones.
Better still, just deal with the libraries known to be secure, instead of relying on a new library that promises to offer sophisticated functionalities.
5. Test, test, and test.
Ensuring the security of your mobile banking app is a process that never ends. New cyber threats usually emerge every day, and new techniques are required to tackle them.
You should invest in penetration testing, emulations, and threat modeling techniques to harden your mobile banking application continuously against malicious attacks.
For example, you should continuously test the app to ensure that the exchange of sensitive information is protected using HTTPS, that server certificates are properly validated over SSL/TLS, and that unnecessary legacy sections are removed.
Once vulnerabilities are identified, fix them with each update and issue security patches promptly.
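The HTTPS and certificate-validation checks from the testing step above, as an added example that is not part of the original article. It uses Python's standard `ssl` module to contrast a hardened client context with the common "verification disabled" anti-pattern, audits a context for the weak settings, and compares a server certificate's SHA-256 fingerprint against a pinned set; the `der_cert` bytes in the test are constructed, not a real certificate.

```python
import hashlib
import hmac
import ssl
from typing import Iterable, List
from urllib.parse import urlparse


def build_client_context() -> ssl.SSLContext:
    """Hardened client context: chain verification, hostname checking, no legacy TLS."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + check_hostname by default
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # drop the legacy protocol versions
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The anti-pattern often left in from testing: verification switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for weak settings; an empty list means the context passes."""
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate verification not required")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS version allowed")
    return findings


def uses_https(url: str) -> bool:
    """Sensitive endpoints must be HTTPS; reject anything else, including scheme-less URLs."""
    return urlparse(url).scheme.lower() == "https"


def cert_pin_matches(der_cert: bytes, pinned_sha256_hex: Iterable[str]) -> bool:
    """Compare the SHA-256 of the server's DER certificate (as returned by
    SSLSocket.getpeercert(binary_form=True)) against the app's pinned fingerprints."""
    digest = hashlib.sha256(der_cert).hexdigest()
    return any(hmac.compare_digest(digest, pin.lower()) for pin in pinned_sha256_hex)
```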
Security and reputation are among the most highly regarded tenets of the banking industry. If a mobile app becomes the reason for a loss of trust, the consequences for the financial institution can be severe.
Ensuring the cyber security of mobile banking applications is not a feature or a benefit—it is an essential necessity. One loophole could lead to loss of millions of dollars, as well as significant loss of reputation.
Therefore, you should uphold the best development practices from the time you begin programming the first line of code to the last semicolon in the application.