How to Build a Secure Mobile App

While it's a relatively new channel, mobile banking is growing rapidly, and apps are emerging as consumers' mobile solutions of choice. How do you ensure your app is secure?

As is the case with any delivery channel, security is at the forefront for banks as they rush to deploy or enhance mobile banking apps in the fast-growing smartphone market. And while many banks' mobile apps limit customers to basic functions -- checking account balances and transaction histories, finding a branch or ATM location, and initiating transfers -- a new wave of apps is bringing person-to-person payments, remote deposit capture and bill pay to the mobile channel. Simply, the apps are getting smarter and more capable. But with those capabilities comes the potential for greater threats.

"Clearly everyone is concerned about mobile security," says Jacob Jegher, senior analyst for Boston-based Celent's banking group. "But we haven't really seen the brunt of the challenges that could come with mobile fraud. In other words, it's a channel that hasn't been heavily targeted."

But the market is expanding fast, and so is the target for criminals. A February IDC (Framingham, Mass.) report indicated that smartphone sales outpaced PC sales for the first time ever in the fourth quarter of 2010, with 100.9 million smartphones shipped versus 92.1 million PCs. The growth in smartphone sales could translate to more opportunity for customers to access their banks through those devices -- either via apps or mobile browser -- and more opportunity for fraud.

To keep up with the proliferation of devices and customers who prefer downloadable apps, banks often deploy mobile banking applications across multiple platforms -- Apple's iOS, Google's Android, Research in Motion's BlackBerry and others -- and banks have to build for the strengths and weaknesses intrinsic to every device, which adds to the security challenges. Another wrinkle is that these development efforts are creating an entirely new kind of bank channel experience.

"As you look at the back-office systems that are inherently driving online and mobile, they're the same systems," says Keith Gordon, SVP, echannels, fraud and enrollments executive, Charlotte, N.C.-based Bank of America ($2.27 trillion in assets). "But the big difference comes in how our customers are interacting with us. In an online space we've got complete control of that environment; whereas when you look at mobile, we've now pushed that functionality out to the customer."

Developing an app-based mobile banking experience is completely new for many banks, acknowledges Mark Bregman, EVP and CTO of Mountain View, Calif.-based security firm Symantec Corp., who stresses that security should be paramount in the process. "In a way you have to be more systematic in planning for and building mobile banking apps than you did with web-based apps," Bregman says. "On the other side of it, things are moving very fast toward mobility -- if you're a bank and you decide to wait too long, you run the risk of being left behind."

Understanding the Risks

Because mobile banking via downloadable app is a relatively new phenomenon -- the Apple iTunes App Store dates back to July 2008, and the Android Marketplace debuted that October -- the current list of threats is poorly understood, if somewhat short. But that doesn't mean the threat isn't real -- even if the app itself is not the problem.

In the PC-based online banking space, customers are vulnerable to spyware, malware and Trojans, as well as threats such as email phishing. The threats to mobile apps may not be the same, notes Bregman. "Frankly, I think it's going to be less about antivirus in the traditional sense that I'm worried about a bad piece of software getting on a mobile phone," he says. "As mobile banking and mobile commerce become more important, we are going to see other things come into play."

In 2010, for instance, New York-based Citibank's iPhone app was found to be storing customers' data on their phones, with obvious privacy implications. Meanwhile, Google (New York) has had to pull a number of apps from the Android Marketplace built by an anonymous developer who was creating fake bank apps that attempted to exploit information on users' devices in order to commit banking and card fraud.

With these incidents as examples, Drew Sievers, cofounder and CEO of Larkspur, Calif.-based mobile banking provider mFoundry, says one of the important factors in mobile app security is understanding the app marketplaces themselves. While it's relatively easy for anyone to develop and deploy an app for Google Android, the simplicity of releasing an app to the Android Marketplace can in itself pose a risk to customers, who sometimes can't see the difference between an app released by a bank and a banking app built by a third party, Sievers notes. On the other hand, Apple enforces an approval process for all apps released to its iTunes App Store, but this process can slow deployment.

According to Sievers, however, the Apple model isn't necessarily a bad thing. "There are huge benefits to that," he contends. "What I would say is, a lot of developers who don't provide secure solutions -- those guys get held up by the curation of the App Store. But when you look at the Android market and you see apps that are out there pretending to be a bank, or you've got apps just loaded with malware -- it goes to show you there's an inherent value in having a curated system."

Regardless, deploying a successful mobile banking application to consumers is not as simple as programming an "official" banking app and submitting it to the appropriate app marketplace. The issue of understanding the platform upon which the app is developed and making sure to program with that OS's strengths and, perhaps more important, weaknesses in mind keeps coming back.

"They're not the same as your PC," Rick Howard, general manager of VeriSign (Dulles, Va.) iDefense Security Intelligence Services, a network of security professionals, says of mobile devices. "If you're a programmer and you're writing for your Windows box, you have a general understanding of where your files go and where things fit in place. But on a mobile phone, there's not as much transparency there."

With that in mind, BofA's Gordon says the priority when developing Bank of America's mobile apps -- regardless of the mobile OS -- is first and foremost to secure data. "Beyond that we had to make sure that that code -- in the application itself -- was secure," he adds. Whether a smartphone maintains its out-of-the-box settings or is jailbroken or compromised, Gordon says, BofA works to make sure the application code itself is secure. Finally, he continues, it's a matter of getting back to the basics and ensuring that the connection between the customer and the bank is safe.

Sacrificing Innovation for Security?

As banks work to deploy mobile banking apps, they walk a fine line between innovation and risk, the experts admit. According to Gordon, to ensure that a mobile offering is secure, many banks are limiting their apps' functionality. "One of the things banks are staying pretty consistent on ... is the idea of limiting the functionality of what's on mobile versus what's online," he says.

Security remains a top priority, confirms Alex Sion, VP of financial services at SapientNitro, a division of Sapient (Boston). "It's absolutely top of mind," he says. "But sometimes security and the thinking around security is compromising speed and innovation."

But mFoundry's Sievers argues that app-based interactions actually are safer than the alternatives. "What we've learned with online banking in this industry is, people are going to try and phish you, people are going to try man-in-the-middle attacks," he says. "With mobile, the most-used mode is app [as opposed to mobile browser or text message]. And that mode also is the most secure by far."

A mobile app provides a direct conduit of sorts between the customer's device and the bank, whereas there potentially is more going on with a PC-based web browser, notes Ed Gainer, EVP of cash management in North America for bank technology provider Fundtech. "As I look at our web applications, I actually think that mobile is more secure because of its ability to go computer to computer effectively -- from an app to an app -- as opposed to a browser on a PC," he says. "It is a more secure way of doing things."

A customer using a bank app on a mobile network might just be safer than a customer accessing online banking on a PC using an open Wi-Fi connection, according to Celent's Jegher. "It's not as secure as, say, if you're sitting behind a firewall in your office," he says. "But it's more secure than an open Wi-Fi connection that anyone can watch."

Jersey City, N.J.-based Fundtech is building apps for commercial banking, an area in which, especially on tablets such as Apple's iPad, the vendor's Gainer sees an opportunity for creating novel portable banking experiences with security that is comfortable for users at the C-suite or enterprise level. He says a mobile app is a good way to ensure a secure, device-to-device experience.

"The simplest way to eliminate man-in-the-browser or man-in-the-middle-type attacks is to use two different devices," rather than communicate over a standard Internet connection, he says. "Someone can hack a [web] session. But the odds of them simultaneously hacking two different sessions on two different devices -- the odds of that are pretty much nil."

Reassuring Customers It's Safe

Ultimately, no one -- banker or customer -- wants to experience a case of bank account fraud. As more customers download mobile apps and access their bank accounts through that channel, banks need to add mobile security as another layer to their overall approach to multichannel antifraud efforts.

"Whether it's online, mobile, tablet or anything else, the bank needs to take kind of this multichannel approach to fraud detection," Celent's Jegher says. "Regardless of what [device] you pick up as a customer, you shouldn't have to worry about it."

Just because it's a mobile app that provides a somewhat different experience from the other channels in which customers access their banks, the damage if an account gets compromised is just as real. And as with any type of account security, customers are going to hold their banks accountable to protect them, suggests Symantec's Bregman.

"Fundamentally, the banks are just dealing with information," he says. "If you do that from the mobile device and that device gets compromised, as a customer, I would get very upset, and I would blame my bank."

BofA's Gordon says customer outreach is important in creating consumer confidence in the channel. Banks, he adds, have a role in making sure customers know that the apps they're downloading to their devices are legitimate bank apps. But BofA is taking this responsibility further -- according to Gordon, the bank is developing a remote kill function so that, in the event a malicious app is downloaded to a customer's device, it can be remotely stopped and removed from the device.

"Mobile is our fastest-growing channel and has our highest attention as it relates to what we can offer to our customers," Gordon says. "We're looking forward to some of the capabilities we can roll out to our customers over the next 12 to 18 months."

A well-informed customer using a mobile banking app can serve as an added layer of protection in itself. Simply having a mobile app with enough functionality to show account balances and transaction history, and send account alerts, along with a customer who uses it regularly, could help customers identify any occurrence of fraud as it happens, Celent's Jegher notes.

"It's one of the main reasons to enroll in mobile banking," he says. "As a customer, you now have control. And that control can help you actively manage your financial situation and ultimately help you prevent fraud in your account."