“I don’t bank on my phone” cries out our VP for Finance, “it’s not secure!” We must be at another industry event then – it’s a statement he regularly makes.
We’ve always believed that Mobile Banking was a wild west when it comes to security; but we wanted to test that belief with some real data. To better understand the current state of security within the mobile bank industry, UL and Inside Secure undertook joint research to give a snapshot of the industry today.
Applications were selected by a criteria designed to give an even split across geographies, and between challenger and established banks. These applications were then given to the security labs within UL and Inside Secure. The labs used automated tools and expert static analysis to score the applications.
Benchmarking and Ranking
There is really only one standard in mobile security and that comes from the payment schemes. They require every mobile payment application to be tested by an independent lab to ensure it meets a given criteria. The research used this standard as a benchmark and built a ranking system around it.
The applications were scored A to E – giving similar visual feedback to energy rating systems used when buying white goods. With A being the gold standard, B being payment equivalent and E meaning little or no security.
The results of the research should be a wake-up call for everyone development mobile banking applications. No applications scored A or B, the majority were D – basic security only.
Understanding the Banks
While the results are worrying, they should not be taken as an indication that banks do not care about security. Quite the opposite – they invest heavily. They need to protect their biggest asset: trust.
A clue to what has gone wrong can be found in looking at what was good in the results: protecting networking. Good practise was generally applied here: strong encryption was used, the latest networking protocols enforced, and certificates pinned to ensure the application was talking to a known server.
Why does this reveal what has gone wrong? Well, it shows the mind-set within the banks when it comes to security. Banks have lots of expertise in securing their back-end systems – they do it well. Where they struggle is in realising that mobile is different. It requires a subtly different mind-set, different tools and different techniques.
There is no need to re-invent the wheel – we can learn from the good practice found in protecting payment applications. A few simple steps can make all the difference:
- Banks should bring in partners with a strong background in mobile security to augment their existing security expertise;
- Ensure that sensible development procedures are in place that encourage good security practises – these do not have to be onerous and in most cases, are good practise for any development team;
- Secure the mobile application using proven techniques like strong obfuscation, anti-tampering and whiteboxing;
- Have an external security lab pen-test the application and wider ecosystem to given confidence that no gaps have been left.