Although mobile applications provide users with easier ways to gain access to critical information on the go, these apps can quickly turn into a nightmare, in cases of breaches.
In order to provide immediate access to financial data for users, apps need to be balanced perfectly between convenience and security. When considering financial mobile apps for your financial institution, make sure you follow these tips to remain safe:
#1-Protect Sensitive Data
Most financial applications either use a person’s bank account details or card numbers to establish identity.
This data is constantly transmitted over the internet to conduct transactions. There should absolutely be no reason to store this data on the device or send it over the wire. Applications should always make use of a different key for identifying a user account.
A prominent number of smartphone users will turn off the PIN access to the device if they have enabled security for the device itself. It is important to have the financial application check if the user ever turns of the password for their device. If they do so, the user should automatically be prompted to turn it back on.
It is also important to constantly re-evaluate users when they are conducting money transfers, paying bills, or making peer to peer payments. Doing this will not necessarily slow down the user experience, but will work as confirmation for the action to be implemented. If the applications notices any suspicious activity from the Web services side, it should push an additional question to the user before the action can be completed.
#3-Data Services Access
All data should be requested over a SSL to enhance encrypted communication. This SSL certificate should at least be of 256-bit encryption strength. Furthermore, the native application client should utilize OAuth, which allows applications to connect to data services without having to store username and password. This way the sending of credentials is kept to a minimum.
#4-Images Of Checks
Check images consist of all user data like account numbers, routing numbers and billing addresses. Encryption of large images on a device is slow compared to text data. It is highly recommended that images of checks that are stored for remote deposit capture should be forwarded to the server immediately after being taken. The check image should never be cached or stored in the device to be retrieved later.
These basic practices are the heart of what we do at Lean Security to make sure your mobile and web applications stay safe.
Get in touch with us at +61 (0) 2 8231 6635 or drop us an email at firstname.lastname@example.org to learn more about our security testing services.