E-commerce is in high demand all over the world, and mobile banking has become one of its most popular segments; recently it has grown more and more significant. Almost every Internet user is now a bank client, and banking apps allow any transaction to be executed without visiting a branch.
However, the weak point of any banking app is its level of security. The key features needed to make it secure are discussed below.
It is important to remember that security has to be built in at every stage of development. There should be defined policies for the use of cryptographic keys and for the software lifecycle, and standards such as NIST SP 800-53 should be followed.
Take an inventory of the confidential information the app handles: what is written to the app's directory, what is shown in the UI, and what is copied into backups. This type of information should not be stored locally on the mobile phone. The data should be retrieved from the remote endpoint when it is needed and held only in memory. If data must be stored locally, it has to be encrypted with a key obtained from a store that requires authentication.
A mobile app should not rely on symmetric cryptography with hard-coded keys as its only encryption method. Cryptographic primitives appropriate to each use case should be used.
If an app provides access to a remote server, some form of authentication (for example, by user name and password) is performed at the remote endpoint. When stateful session management is used, the remote endpoint should use randomly generated session identifiers to authenticate client requests, so that the user's identifier or credentials are not sent with every request. When stateless token-based authentication is used, the server issues a token signed with a secure algorithm.
The app must inform users about all actions taken on their accounts. Users should be able to view a list of their devices with detailed information and block selected devices.
Two-factor authentication is a mandatory component of a modern banking application: a user can log in only after passing the second factor. The second factor must be verified on the remote endpoint, and the second-factor code (for example, an SMS code) must be at least 6 characters long.
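The server-side behaviour described in the two passages above (random session identifiers for stateful sessions, an HMAC-signed token for the stateless variant, and a 6-digit second factor verified on the remote endpoint) as an added illustration in Python; this is example code written for this article, not code from any particular banking app. The server key, session table and user names are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)   # constructed for the demo; load from a protected key store in production
_sessions = {}                         # stateful variant: server-side session table, keyed by opaque id

def create_session(user_id):
    """Stateful variant: the client gets an opaque random id, never its user id or password."""
    sid = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG; not derived from the user
    _sessions[sid] = {"user": user_id, "mfa_ok": False}
    return sid

def session_user(sid):
    """Resolve a session id to a user, but only once the second factor has been passed."""
    s = _sessions.get(sid)
    return s["user"] if s and s["mfa_ok"] else None

def issue_token(user_id, ttl=900):
    """Stateless variant: payload.signature, signed with HMAC-SHA256 under the server key."""
    payload = json.dumps({"sub": user_id, "exp": int(time.time()) + ttl}).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_token(token):
    """Return the subject of a valid, unexpired token, or None. Signature is checked before claims are trusted."""
    try:
        p64, s64 = token.split(".")
        payload, sig = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(s64)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    return claims["sub"] if claims["exp"] >= time.time() else None

def issue_second_factor(sid):
    """Generate a 6-digit one-time code bound to the session; in practice it is sent out of band (SMS)."""
    code = "".join(secrets.choice("0123456789") for _ in range(6))
    _sessions[sid]["otp"] = code
    return code

def confirm_second_factor(sid, submitted):
    """Verify the code on the server: minimum length 6, constant-time compare, single use."""
    s = _sessions.get(sid)
    if s is None or "otp" not in s or len(submitted) < 6:
        return False
    s["mfa_ok"] = hmac.compare_digest(s.pop("otp"), submitted)
    return s["mfa_ok"]
```

Note that a wrong guess consumes the code, so the client must request a new one rather than retry, and a session resolves to a user only after the second factor has been confirmed.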
Another important feature is masking the app's content in the screenshot the OS takes when the app is minimized (sent to the background). If the user tries to send a screenshot of the app to someone, they will see a blurred screen instead of the actual data.
Testing and Support
SAST tools or software composition analysis tools must be used in the CI/CD process. Static security analysis tools make it possible to improve the security of the application under test and reduce the impact of defects over its lifecycle.
We recommend signing an SLA (Service-Level Agreement) so that security issues can be fixed. This document defines all the rights and obligations of the client and the contractor.
Security Audit for the iOS Platform
There are specific requirements for implementing security in a banking application for iOS.
- API-level security in the iOS app should include checking SSL/TLS certificates and protecting critical information (internal addresses, service domains, test environments, etc.). Developers should also encrypt HTTP traffic using TLS. TLS settings must meet the recommended configuration, or be as close to it as possible where the mobile OS does not support the recommended standards. The application must verify the remote endpoint's X.509 certificate when establishing a secure channel, and only certificates signed by a trusted certificate authority are accepted.
- Use the Keychain to store critical information (username, password, credit card information, etc.). It stores credentials on macOS and iOS in a protected form.
- NSUserDefaults should contain only non-critical application settings (language, time zone, keyboard layout, etc.).
- Memory allocated for critical data must be cleared and released once the data is no longer needed.
- Each logout must terminate the session completely. After the session is terminated, all client information must be deleted from the device (cookies, Keychain items, etc.).
Security Audit for the Android Platform
- The backup settings must specify which information may be sent to Google Cloud.
- Use the KeyStore to store critical information (login and password, credit card details, etc.).
- Provide for complete termination of the application session.
- After the session is terminated, all client information must be deleted from the device (cookies, KeyStore entries, etc.).
Our Expertise for your Business
We are experts in the development of secure mobile applications and have experience in creating mobile banking applications. Our team also developed a secure messenger that uses modern cryptographic algorithms to ensure the security and anonymity of users. Thanks to end-to-end encryption technology, messages were only available on users' devices and hidden from the app's servers and other parties.
So, if you want your mobile banking app to be high-quality and secure, write to us right now and tell us about your project!