Challenges of financial apps
In 2012, an article on IBM's developer portal, DeveloperWorks, described how companies in the financial sector had discovered that mobile technologies were an "opportunity to extend their reach to the customer and improve their differentiation".
According to the data available at the time, by 2015 the volume of app development for mobile devices would surpass that for all other platforms, and the global number of users of mobile banking and related services could reach 894 million in 2015 (an annual growth rate of 59.2%).
Developing mobile applications also means facing many challenges. The first is the fragmentation of the mobile ecosystem: supporting the many combinations of devices (smartphones, tablets, etc.) and operating systems (Android, iOS, Windows, Firefox OS… and their variants) owned by those millions of users, while bearing the cost of testing the apps in every possible scenario and keeping development environments consistent across the members of the team.
Of all the challenges... the first one is security
The development of financial apps probably needs an urgent review in all its aspects, but security is the main challenge for developers of mobile banking apps. In the past, the people in charge of technology at the major banks had a relatively simple task: build a security perimeter around the company's centralized computer systems. Mobile apps have changed everything... starting by breaking that perimeter.
And unfortunately, the security challenge is one that has not yet been overcome, as shown last year by research from IOActive, which concluded that 40 iOS apps from 60 of the world's major banks each had at least one security gap:
● 90% of the insecure apps included connections without proper SSL encryption, which allowed attackers to intercept their traffic and inject malicious JavaScript / HTML code.
● 70% lacked alternative authentication options to mitigate the risk of identity theft attacks.
● 50% used an iOS component called UIWebView (designed to display web content within native applications) in ways that have proven to be insecure, making the apps vulnerable to JavaScript injection and exposing users to actions such as sending SMS messages or e-mails from the victim's device.
● 40% did not validate the authenticity of the digital certificates received from a server.
● 20% did not take advantage of the operating system's security features designed to limit the risk of memory corruption attacks.
● Lastly, several apps stored unencrypted SQLite databases in their file system even though they contained sensitive information such as the customer's bank account details and transaction history.
At about the same time, Praetorian conducted a similar study, in this case covering 275 mobile banking apps offered by the 50 largest financial companies, the 50 leading regional banks and the 50 main credit unions in the United States. In this case both iOS and Android apps were analyzed. The result? 80% of them had shortcomings.
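Two of the findings above, plaintext SQLite storage of account data and hard-coded non-SSL endpoints, are cheap to check for once an app's files have been pulled off a device. The script below is an added example written for this page, not code from the article or from IOActive's or Praetorian's studies; the sandbox layout, file names, table names and sample values it builds are constructed for the demonstration, and the IBAN and card-number patterns are deliberately rough heuristics.

```python
# Added example: triage checks over an extracted mobile-app sandbox. Layout,
# file names, tables and values are constructed for this example.
import os
import pathlib
import re
import sqlite3
import tempfile

# Every unencrypted SQLite 3 file opens with this 16-byte header. SQLCipher (the
# usual encryption layer on iOS) also encrypts page 1, so an encrypted database
# fails this check unless it was built with a plaintext header.
SQLITE_MAGIC = b"SQLite format 3\x00"
HTTP_URL_RE = re.compile(rb"http://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of `number`; filters random 13-19 digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(cell: str):
    """'iban' or 'pan' if a text cell looks like account data, else None."""
    if IBAN_RE.search(cell):
        return "iban"
    if any(luhn_ok(m.group()) for m in PAN_RE.finditer(cell)):
        return "pan"
    return None

def is_plaintext_sqlite(path: str) -> bool:
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC

def find_sensitive_rows(db_path: str):
    """Open the database read-only and flag account-like text cells in every table."""
    conn = sqlite3.connect(pathlib.Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    hits = []
    try:
        tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cur = conn.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
            cols = [d[0] for d in cur.description]
            for row in cur:
                for col, cell in zip(cols, row):
                    kind = classify(cell) if isinstance(cell, str) else None
                    if kind:
                        hits.append((table, col, kind))
    finally:
        conn.close()
    return hits

def find_http_urls(path: str):
    """Hard-coded http:// endpoints: anyone on the network path can read and alter that traffic."""
    with open(path, "rb") as f:
        return sorted({m.group().decode("ascii", "replace") for m in HTTP_URL_RE.finditer(f.read())})

def triage(root: str) -> dict:
    """Run both checks over every file under `root` (an extracted app sandbox)."""
    report = {"plaintext_dbs": [], "sensitive_cells": [], "http_urls": []}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if is_plaintext_sqlite(path):
                report["plaintext_dbs"].append(rel)
                report["sensitive_cells"] += [(rel,) + hit for hit in find_sensitive_rows(path)]
            else:
                report["http_urls"] += [(rel, url) for url in find_http_urls(path)]
    return report

def build_sample_sandbox(root: str) -> None:
    """Constructed stand-in for an app's Documents directory and a settings file."""
    os.makedirs(os.path.join(root, "Documents"))
    conn = sqlite3.connect(os.path.join(root, "Documents", "bank.sqlite"))
    conn.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, holder TEXT, iban TEXT);
        CREATE TABLE cards (id INTEGER PRIMARY KEY, pan TEXT, label TEXT);
        CREATE TABLE transactions (id INTEGER PRIMARY KEY, amount REAL, memo TEXT);
        INSERT INTO accounts VALUES (1, 'A. Sample', 'DE89370400440532013000');
        INSERT INTO cards VALUES (1, '4111 1111 1111 1111', 'debit');
        INSERT INTO transactions VALUES (1, -3.20, 'Coffee, ref 1234567890123');""")
    conn.close()
    with open(os.path.join(root, "Settings.plist"), "w") as f:
        f.write("<key>api</key><string>https://api.example-bank.test/v1</string>\n"
                "<key>help</key><string>http://help.example-bank.test/faq</string>\n")

def run_demo() -> dict:
    """Build the constructed sandbox in a temp dir, triage it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_sandbox(root)
        return triage(root)

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running the module prints the report for the constructed sandbox: one plaintext database, an IBAN and a Luhn-valid card number sitting in clear text, and one http:// endpoint. The header check only says whether a file is plaintext SQLite: a SQLCipher database fails it because its first page is encrypted, as does any non-SQLite file, which is why the two checks are kept apart. On a real extraction point triage() at the app's Documents and Library directories; the patterns will produce false positives on arbitrary text, which is why the card-number match is backed by a Luhn check and the transaction reference in the sample is correctly left alone.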
The era of the central security perimeter is over. In fact, the spirit of the times in this sector seems to be quite the opposite: users increasingly demand more ways to access their accounts, faster and easier to use. In the end, these are the best way for banks to reach more customers and differentiate themselves from their competitors. But if the great central wall is to be replaced by a network of watchtowers, the building methods must change. And change at the same speed.