How To Test Security And Vulnerability For A Mobile Banking Application

Mobile banking offers great convenience to consumers in modern times. While online banking has been around for a long time, it doesn’t feel too long ago that online banking really took off. Thus, the transition to mobile banking has been almost seamless.

While many popular bank giants offer official banking apps, there’s a growing list of mobile-only banks. These banks have no physical branches, being purely online. They integrate web technology to enhance security while attracting new customers through social media.

Fidor Bank, for example, is a Germany-based mobile-only bank. Customers can log-in via Facebook, and the bank even offered a “like-based” interest rate. The more “likes” the bank received on its Facebook page, the higher their interest rate increased. That’s just one example, as we said, there is quite a growing list of digital-only banks that are rising up to challenge traditional branch-based banks.

One concern, however, is obviously online security. Financial institutions are a prime target for hackers, and consumers are also at risk for identity theft and stolen passwords. Thus, mobile banking apps need to be as secure as possible, to protect both the bank and the consumers alike.

Mobile banks should also do their part in raising consumer awareness about threats and viruses, such as pointing consumers to this guide for removing iPhone viruses. When consumers are more aware of common viruses and threats, the financial institution will not have to deal with as many fraud and identity theft claims.

There are several good ways a bank can enhance the security of its app and overall protection for

  • Add end-to-end encryption: Also known as E2EE, end-to-end encryption offers a strong layer of security by encrypting data transmitted from a user’s device, which only the recipient can decrypt. You may be familiar with E2EE being offered in chatting apps like WhatsApp. The idea is that even if hackers get into the WhatsApp network, they won’t be able to steal private chats between users – because not even
  • Multi-factor authentication: The most commonly known form of MFA is two-step authentication. That is when, for example, you receive a login token/passcode via email or SMS text when trying to sign into a website, to prove it is really you. The idea is that you would be the only person with access to your email, thus only you can retrieve the login token. Of course, it’s not entirely secure. If someone stole your device, for example, and now had access to all of your accounts, 2-step authentication becomes moot. There are other methods of a token generation which can be a bit safer, such as RSA SecurIDs, wireless tags, and USB tokens.
  • Encourage NFC-embedded SIM cards: This is a combination of a SIM card with an NFC chip, which can store your bank card information. You can then pay for purchases at physical locations through your phone. Many retail outlets support technology. The benefit of this is that consumers won’t need to carry a physical credit card, reducing the risk of lost or stolen cards.
  • Biometric authentication in the app: Many phones today offer biometric authentication, such as fingerprint unlocking and facial recognition. It’s possible to build features into apps that take advantage of these security measures, and it offers a good layer of security on top of traditional passwords. Biometric authentication should not be relied on as the sole token identifier, it needs to be used as a supplemental security measure.

The above are just a few simple examples of how banks can enhance the overall security of mobile banking for consumers. There are many other methods, which IT and security specialists will be familiar with. When building a mobile banking app, or any app that requires strong security, it’s best to hire professional network security consultants who are familiar with traditional hacking methods, and pen-testing (penetration testing / ethical hacking).

Some of the common vulnerabilities that online banks can fall victim to:

  • Cross-site scripting: The app is tricked into accepting a malicious script from a trusted website, which allows criminals to scrape data such as user credentials.
  • SQL injections: An attacker will inject SQL commands into data entry fields, to trick the application into returning sensitive data.
  • Command injections: A vulnerable app can be forced to run commands on the user’s systems. This typically happens when there is a lack of input validation security. The app may pass unsafe data supplied by the user, such as cookies and web forms. Scripts can then run by attackers on the user’s device, by taking advantage of the app’s heightened privileges.
  • Information leaks: This happens when data is improperly encrypted. Attackers can sniff out data packets containing improper encryptions, which can contain user credentials or even credit card data.

Again, this is just a very small example of some common vulnerabilities in mobile banking apps. As for protecting against vulnerabilities, and testing the overall app security, there are many steps to take. As we said earlier, it’s always best to hire the best possible security and pen-testing consultants, but the overall gist of security testing for mobile banking apps should go like this.

  • Automated security testing over multiple devices and locations.
  • Using a cloud-based testing lab which allows uploading locations.
  • Dynamic analyses in environments that can verify security issues.
  • Assessment of automated code by IT consultants.
  • Assessing the app with binary static analysis, to expose malicious vulnerabilities.

If you’re a business owner, you might find this guide on cybersecurity useful, particularly when it comes to taking the relevant steps to protect your business.