Mobile Banking Application Development

Thursday, September 09, 2010

Brent Huston


Lately, we have been looking at a lot of banking apps and front ends for the iPhone, Android and other mobile devices in the lab.

Our testing thus far has shown some great results and it seems like a lot of banks, credit unions and other financial institutions are interested in having an “app” for their customers and members. Many of these apps are well designed, deep and rich. Many are simply canned front ends to existing web page content and functionality. A few are just plain horrible.

Here are three tips for organizations to keep in mind when coding their banking and financial apps for mobile devices.

1. Mobile devices are not PCs. The apps should be lightweight, clean and easy to use. Usability is tied to security here because of errors: if your app has tiny buttons with confusing text, no confirmation dialogs and none of the other basic usability features, you make it easier for users to make mistakes, create bad transactions, get confused and run into other problems that could constitute a risk for your business and your users. Don't design for a PC monitor. Make sure your designs are usable on the appropriate screen sizes, with appropriate space for human fingers.

2. Don't allow users to store their credentials in the app or its underlying data stores. Many mobile phones remain woefully unsecured; even where the vendor provides basic security controls for the device, many users never turn them on. Plan ahead for this. The app has to be convenient, but it shouldn't let users place undue risk on themselves. If you allow them to store a login name, or even a digital certificate, make sure at least one or two other pieces of the credential set cannot be stored and must be entered on every use. Someone who simply picks up the device should NOT have access to the user's accounts.

3. This goes without saying, but don't forget encryption. Just because an application uses the cell network does not mean you don't need SSL. (I'm looking at you, two developer groups in the last 90 days; you know who you are.) No matter the network, protect your transactions and data streams with strong crypto, and make sure the app actually verifies the server's certificate; an encrypted connection to an unverified endpoint protects nothing. The mobile devices can handle it. They can do enough lifting to handle SSL, or they shouldn't be running a banking app. Like Nike says, "Just Do It!"
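Tip 3 in working form, as an added example that is not code from the original post. It models the client's transport policy in Python's ssl module rather than a phone SDK, but the properties it checks (certificate required, hostname verified, no obsolete protocol versions, no plaintext endpoint) are the same ones a mobile TLS stack has to be configured for. The function and constant names, and the weak-versus-hardened pairing, are assumptions of this example.

```python
"""Transport hardening for a banking client (tip 3): TLS everywhere, and verified.

Constructed example, not code from the original post.  Turning on SSL/TLS is
half the job; the client must also require a server certificate, check the
hostname and refuse obsolete protocol versions, otherwise anyone on the cell
network or a hotspot can sit in the middle with a certificate of their own.
build_context() is the hardened configuration, build_weak_context() the
mistake it replaces, and audit_context() the check a reviewer can run against
whatever context an app actually built.  All names here are hypothetical.
"""
import ssl
from typing import List, Optional

MIN_VERSION = ssl.TLSVersion.TLSv1_2


def build_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened client context; ca_bundle=None uses the platform trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = MIN_VERSION    # no SSLv3 / TLS 1.0 / TLS 1.1
    ctx.check_hostname = True            # certificate must match the bank's host
    ctx.verify_mode = ssl.CERT_REQUIRED  # unverifiable server -> handshake fails
    return ctx


def build_weak_context() -> ssl.SSLContext:
    """TLS "on" but verification off: encrypted to whoever answers the socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context passes."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not required")
    if not ctx.check_hostname:
        problems.append("hostname not verified")
    if ctx.minimum_version < MIN_VERSION:
        problems.append("protocol floor below TLS 1.2")
    return problems


def transport_is_acceptable(url: str, ctx: ssl.SSLContext) -> bool:
    """The app's rule: plaintext endpoints are never acceptable, and neither is
    an https endpoint reached through a context that does not verify the peer."""
    return url.lower().startswith("https://") and not audit_context(ctx)
```

The order in build_weak_context matters in the standard library: check_hostname has to be cleared before verify_mode can drop to CERT_NONE, which is exactly the two-step mistake audit_context is written to catch.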

There you have it. Three basic ways that you can help increase the safety and capability of your financial services app on the iPhone, iPad and other mobile platforms. If you have done these three basics, then you are off to a good start.
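Returning to tip 2, here is an added example (not code from the original post) that models the "don't store the whole credential" rule. It is an illustrative Python model of both sides, not phone SDK code: the client may persist one opaque device token so the user need not retype a username, but never the PIN or password, and the server refuses to open a session on the token alone, locks the token after repeated bad PINs, and keeps only a salted, stretched verifier of the PIN. The class, function and constant names, the iteration count, the lockout threshold and the session lifetime are assumptions of this example.

```python
"""Illustrative model of the "don't store the whole credential" rule (tip 2).

Constructed example, not code from the original post.  The client keeps one
opaque device token between launches; the PIN is typed for every session and
is never written to the device.  The server side enforces the split: a token
by itself never opens a session, bad PINs count toward a lockout, and the PIN
is stored only as a salted PBKDF2 verifier.  All names are hypothetical.
"""
import hashlib
import hmac
import os
import secrets
import time

PIN_ITERATIONS = 100_000   # PBKDF2-HMAC-SHA256 rounds for the PIN verifier (assumed)
MAX_PIN_FAILURES = 5       # lock the device token after this many bad PINs (assumed)
SESSION_SECONDS = 300      # short-lived session; the PIN is required again afterwards


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, stretched verifier so a stolen server record cannot be replayed."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PIN_ITERATIONS)


class BankServer:
    """Back-end side of the policy: a device token alone never opens a session."""

    def __init__(self) -> None:
        self.users = {}     # username -> {"salt": bytes, "pin_hash": bytes}
        self.devices = {}   # device token -> {"user": str, "failures": int}

    def register_user(self, username: str, pin: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "pin_hash": hash_pin(pin, salt)}

    def enroll_device(self, username: str, pin: str) -> str:
        """One full login per device; returns the only value the app may persist."""
        if not self._pin_ok(username, pin):
            raise PermissionError("enrollment refused")
        token = secrets.token_urlsafe(32)   # opaque and random, not derived from the PIN
        self.devices[token] = {"user": username, "failures": 0}
        return token

    def open_session(self, device_token: str, pin) -> dict:
        """Requires BOTH the stored token and a PIN typed for this session."""
        dev = self.devices.get(device_token)
        if dev is None:
            raise PermissionError("unknown device token")
        if dev["failures"] >= MAX_PIN_FAILURES:
            raise PermissionError("device token locked; re-enroll from a full login")
        if pin is None or not self._pin_ok(dev["user"], pin):
            dev["failures"] += 1            # count toward lockout before answering
            raise PermissionError("bad PIN")
        dev["failures"] = 0
        return {"user": dev["user"], "expires": time.time() + SESSION_SECONDS}

    def _pin_ok(self, username: str, pin: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(hash_pin(pin, rec["salt"]), rec["pin_hash"])


class MobileApp:
    """Client side: an allow-list of what may touch persistent storage."""

    PERSISTABLE = frozenset({"device_token"})

    def __init__(self) -> None:
        self.storage = {}   # stands in for the app's on-device data store

    def persist(self, key: str, value: str) -> None:
        if key not in self.PERSISTABLE:
            raise ValueError(f"refusing to persist {key!r} on the device")
        self.storage[key] = value

    def login(self, server: BankServer, pin: str) -> dict:
        return server.open_session(self.storage["device_token"], pin)
```

The allow-list in MobileApp.persist is the client-side half of the rule: it makes "store the password for convenience" a coding error rather than a product decision, while the server-side lockout means a picked-up phone gives an attacker only a handful of PIN guesses before the stored token becomes worthless.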

The next crucial step is to get your app and the back-end processes checked via a risk assessment and security test. Give us a call if you need assistance or want us to drop it into our testing lab process. We are seeing quite a few of these lately.

Cross-posted from State of Security

Comments:

Mister Reiner: Encryption is a must! Given that some carriers are getting out of providing unlimited data plans, many users are jumping on WiFi hot spots as soon as their phones detect that they are available.

Ray Tan: Usability and encryption are necessary for mobile banking users; of course, we should never save our login information on the mobile.

Fred Williams: I use my browser to bank, but I just can't bring myself to bank on my mobile device. I'll wait till I see some concrete and fully tested solutions.