Mobile applications give users access to critical information while on the go. Giving users quick access to their financial data requires striking a balance between convenience and security. When performing a mobile application security audit for a banking, financial services or insurance (BFSI) institution, ensure that the following best practices are in place so that your client's app remains safe and secure for its customers to use.
- Device Authentication: A native app knows the phone's carrier, model number, IMEI number and phone number. Most of this information is stored on the SIM card. When a BFSI/banking app is installed and an activation request is received, the authenticity of the user should be established through additional steps. Regardless of the credentials presented, any service that lets a user retrieve data should validate that the requesting device is on the known-device list. A text message, phone call or email should not be used to pass a token to the user for this initial setup.
- Banking Data: Many BFSI/banking applications use a person's bank account number or credit/debit card number to establish identity, and send it over the Internet every time a new transaction happens. There is no reason to store this data on the device. Applications should always refer to the account by its product name rather than passing the user's account number back and forth over the Internet.
- Mandatory Passcode: Make sure the application detects when the user disables the security settings on the device and automatically prompts them to re-enable device security. It is equally important to re-validate the user when they transfer funds or perform a similar financial transaction, after the action has been submitted.
- Images: Images of bank checks contain a user's confidential information, such as the account number. Check images should be sent to the server immediately after the photo is taken, and a check image should never be stored or cached on the device for later retrieval.
- Storing Text Data: BFSI/banking applications can quickly show the account balance and previous transactions because these are stored in a local database on the device. Some developer tools allow access to this underlying database, and they can be used to read its contents even when a passcode is set on the device. That data often includes exactly what phone banking officers ask for to authenticate a caller before processing requests such as a password change: for example, the account number and the last four transactions. To avoid this, encrypt the stored information about recent transactions using strong, current encryption standards.
We at Avyaan make sure these checks are given due importance when testing your mobile application's security. For details, consult Avyaan.