Why the finance sector must prioritise mobile security over innovation
Article on behalf of: Laurent Gautier, co-founder and President, Ilex International
With the number of smartphone users rising to over two billion across the world, it cannot be denied that greater mobility offers huge business growth potential for financial institutions. With mobile apps becoming an integral part of both our personal and professional lives, the financial sector is learning to embrace mobile with almost all major banks, insurance companies and investment banks offering mobile apps to customers.
While many financial institutions have been relatively quick to adopt mobile, some are still hesitant. This is understandable, as mobile apps are increasingly vulnerable to security breaches. The consequences of putting innovation ahead of security can be disastrous and cost financial organisations a lot of time and money, quite apart from the data regulation and compliance issues they then have to deal with.
A recent study carried out by Wegilant revealed that over 70 percent of banking apps in the Asia-Pacific region are vulnerable to attack and data leaks on the Android operating system. These apps are ideal targets for hackers, as they contain customers’ confidential financial data.
Some of the most common security breaches on mobile apps include:
- Theft of data stored on the mobile (personal contacts, files, e-mails, etc.)
- Data leakage: Improper implementation of an app’s code can result in sensitive information, for example credit card details, being leaked from logs and cache
- Secret channel: A malicious app spies on a genuine app; it is then able to communicate the genuine app’s sensitive data to the malicious one’s command and control centre
- Hardcoded sensitive information: Reverse engineering an application exposes sensitive code and sometimes even credentials to key servers
- Clickjacking in the mobile environment: Well known on the web, this technique involves impersonating the user interface to gain trust in order to gather confidential information. It is combined with traditional social engineering to be more credible
- SQL injection: A code injection technique that exploits security vulnerabilities in an application’s software, SQL injection is still one of the most common attack methods when it comes to extracting confidential information. It is used to attack data-driven applications and is commonly used in attacks on mobile devices
- Public Wi-Fi: Public, in particular open, Wi-Fi access points are real danger zones and can expose sensitive data on the network if it is not secure
Five simple steps to limit mobile data security risks:
- Don’t store data on your mobile. The storage of sensitive information is a key aspect of mobile app security. If storing sensitive information is absolutely necessary, it is crucial that the data is encrypted. The type of encryption to use, for example a secure data container or third party encryption, depends on the type of sensitive information you need to store on the mobile. Never store sensitive information in the app’s logs, cache (HTTP requests) or local databases (SQLite), and never hardcode it in the app itself.
- Restrict app permissions to the bare minimum. This is an effective way to limit the impact in case of an attack. Sensitive permissions, such as sending an SMS and GPS positioning, must be carefully considered.
- Secure transactions on the network. This relates to particular exchanges between the app and its server. Data, including corporate and personal data, shared between the server and the mobile is often confidential. A strict access and rights management policy must be in place on the server side. All communications must be encrypted, as many users regularly connect to networks that are not secure, such as public Wi-Fi.
- Use existing, safe and strong encryption technologies. On no account use personal cryptography algorithms. When encrypting data flows with a certificate (for example, HTTPS), it is essential to verify the validity of the server certificate: the end of validity date, the absence of a self-signed certificate and a recognised certification authority are the points to check.
- Encrypt the app; this should be done before the application is distributed via stores.
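An added example, not part of the original article: the first step and the data-leakage item above both warn against card details reaching an app's logs. This Python logging filter masks Luhn-valid card numbers before any handler writes them; the names `redact`, `CardNumberFilter` and `demo` and the sample log line are assumptions constructed for this illustration.

```python
import logging
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so order IDs and timestamps are not masked by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str) -> str:
    """Mask every Luhn-valid card number, keeping only the last four digits."""
    def mask(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group())
        if not luhn_valid(digits):
            return match.group()
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(mask, text)


class CardNumberFilter(logging.Filter):
    """Rewrites each record before the handler can write it anywhere."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None      # message is already formatted and redacted
        return True


def demo() -> list:
    """Log one constructed sample line and return what the handler received."""
    captured = []
    handler = logging.Handler()
    handler.emit = lambda record: captured.append(record.getMessage())
    handler.addFilter(CardNumberFilter())
    log = logging.getLogger("payments-demo")
    log.addHandler(handler)
    log.propagate = False
    # Constructed sample: a test card number and a 13-digit order ID.
    log.warning("charge failed card=%s order=%s", "4111 1111 1111 1111", "1234567890123")
    log.removeHandler(handler)
    return captured
```

Attaching the filter to the handler rather than to individual call sites means a forgotten debug statement is still covered; it complements, and does not replace, not logging card data in the first place.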
Innovation must not be prioritised over security
Mobile apps are vulnerable to data leaks, yet they continue to multiply in all industries including banking and retail where security is crucial. Due to the time it takes to develop this kind of application, many financial organisations delegate their app development to third parties, many of whom have no security expertise and mass-produce mobile apps on a daily basis without implementing the necessary security protocols.
All mobile apps, however innovative, must be developed with security issues front of mind. Existing security technologies can be integrated to limit the risk of attacks. To stem the barrage of threats in the mobile world, it is crucial that all actors in the finance sector work together to keep users’ data secure. Organisations must ensure mobile apps are correctly secured before releasing them on the market. In a highly competitive world, the banks and finance organisations who will fully benefit from the rise of mobiles will be the ones who accept that digital innovation and security are not mutually exclusive.