
Best Practices and Tips to Secure Mobile Banking Apps

  • 17914 views
  • 9 min
  • Jul 25, 2018

Daria R.

Copywriter

Dmytro H.

Backend Development Lead

The financial sphere is becoming more and more attractive to hackers, who are eager to exploit every weakness a company has. According to the Identity Theft Resource Center’s 2017 data breach report, there were about 70 breaches in the banking, credit, and financial spheres in 2017, with more than two million records exposed.

The importance of security in mobile banking apps must never be neglected. Keep this in mind while designing your own banking app. To help you see the full picture, let’s walk through the most common mobile banking security problems along with tips on how to deal with them by applying modern technologies and approaches.

Top mobile banking app challenges & how to solve them

The following issues are common for all mobile applications regardless of their purpose, though a banking app requires you to be even more diligent and meticulous. Every detail counts when you’re dealing with customers’ sensitive data. Here are the key things to pay attention to when building your banking app security strategy.

1. Insecure data storage

The Norton Cyber Security report by Symantec reveals that more than 140 million Americans were affected by cyber crimes in 2017. Fifty-four percent of them had their personal information involved in a data breach. This is why data storage is such a critical issue nowadays.

Mobile banking apps deal with the most sensitive kind of personal information. They hold users’ passwords, account numbers, and credentials that hackers would be happy to get. Such sensitive data cannot be protected sufficiently while stored on a mobile device. Mobile file systems are easily accessible. What’s more, without solid protection, an adversary needs nothing more than a few specialized tools to read application data.

At the same time, data leaks can be catastrophic for banks. And material losses aren’t the worst scenario here. Once a financial establishment exposes its inability to protect its own customers, clients will leave. Reputation means a lot, if not everything.

Here’s our advice to improve the security of your mobile banking app and store data securely.

Tips to prevent insecure data storage:

  • Don’t store users’ personal data and credentials on mobile devices. Once an attacker gets to a physical device, they’ll find a way to hack it and steal the data. It’s best if your app stores everything encrypted in the cloud.
  • If you can’t avoid storing data on a mobile device, keep all the information encrypted. Use only the latest and most trustworthy encryption algorithms that make data impossible to decrypt even if intercepted.
  • Don’t rely on standard mobile software development kits for iOS and Android. Find proprietary, highly secure storage.
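The following Ruby script is an added example, not code from the article or from RubyGarage. It shows the second tip in practice: a record is encrypted with AES-256-GCM before it touches app storage, the key is fetched from a stand-in for the platform key store at use time (the `KeyStore` class, the `session-key` alias and the `DEVICE_STORAGE` hash are all constructed for the demonstration), and any modification of the stored blob, any attempt to read it under another key, and any copy of it under a different record name are detected on decryption rather than silently returning garbage.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical stand-in for the platform key store (Android Keystore, iOS Keychain):
# the key is fetched from here at use time and is never written next to the data.
class KeyStore
  def initialize
    @keys = {}
  end

  def generate(alias_name)
    @keys[alias_name] = SecureRandom.random_bytes(32)   # AES-256 key
  end

  def fetch(alias_name)
    @keys.fetch(alias_name)
  end
end

IV_LEN  = 12   # GCM nonce length
TAG_LEN = 16   # GCM authentication tag length

# Encrypt one record with AES-256-GCM. The record name goes in as associated data,
# so a blob copied from one file to another will not decrypt under the other name.
# Output is base64(nonce || tag || ciphertext).
def seal_record(plaintext, key, record_name)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv                 # fresh random nonce for every record
  cipher.auth_data = record_name
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv + cipher.auth_tag + ciphertext].pack('m0')
end

# Returns the plaintext, or nil if the blob is malformed, was modified or truncated,
# was encrypted under another key, or is being read under a different record name.
def open_record(blob, key, record_name)
  raw = blob.unpack1('m0')
  return nil if raw.bytesize <= IV_LEN + TAG_LEN
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = raw.byteslice(0, IV_LEN)
  cipher.auth_tag = raw.byteslice(IV_LEN, TAG_LEN)   # always the full 16-byte tag
  cipher.auth_data = record_name
  body = raw.byteslice(IV_LEN + TAG_LEN, raw.bytesize - IV_LEN - TAG_LEN)
  cipher.update(body) + cipher.final
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end

# Simulated app-private storage: a Hash standing in for files on the device.
DEVICE_STORAGE = {}

def save_session_token(keystore, token)
  DEVICE_STORAGE['session.enc'] = seal_record(token, keystore.fetch('session-key'), 'session.enc')
end

def load_session_token(keystore)
  open_record(DEVICE_STORAGE['session.enc'], keystore.fetch('session-key'), 'session.enc')
end

# Flip one ciphertext byte in place to show that tampering is detected on load.
def corrupt_stored_session!
  raw = DEVICE_STORAGE['session.enc'].unpack1('m0').bytes
  raw[IV_LEN + TAG_LEN] ^= 0x01
  DEVICE_STORAGE['session.enc'] = [raw.pack('C*')].pack('m0')
end

if __FILE__ == $PROGRAM_NAME
  ks = KeyStore.new
  ks.generate('session-key')
  save_session_token(ks, 'constructed-sample-token-123')
  puts "on disk:      #{DEVICE_STORAGE['session.enc']}"
  puts "decrypted:    #{load_session_token(ks)}"
  corrupt_stored_session!
  puts "after tamper: #{load_session_token(ks).inspect}"
end
```

The GCM tag is what turns "encrypted" into "encrypted and tamper-evident": a modified or truncated blob fails in `cipher.final` instead of decrypting to something plausible, and the fixed 16-byte tag length stops a stored file from being rewritten with a shorter, easier-to-forge tag.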

2. Insecure communication

All communication between a mobile client and a server takes place over a network connection.

Mobile applications in most cases don’t secure network traffic. This means that a client and a server transmit data over an insecure channel. An unencrypted channel can’t guarantee data integrity.

Another common mistake is to use security protocols only at the authentication stage rather than for the whole session. Remember that you need to encrypt all data transferred over backend connections too. Don’t assume that a firewall alone can protect data sufficiently.

A really secure banking app has to protect all client-to-server connections, server-to-database connections, and other backend connections that pass sensitive data.

Tips to protect data communications:

  • Always require SSL/TLS certificate chain verification: it is one of the standard mechanisms behind an encrypted connection between a server and a client, and use the TLS protocol to secure all network traffic.
  • Don’t use any alternate channels, such as SMS or push notifications, to send sensitive data.
  • Choose only the latest and most reliable encryption algorithms that have proven themselves, such as Triple DES, RSA, AES, Blowfish, or Twofish.
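As an added example (not from the article), the Ruby script below shows what "chain verification" on the client has to check. It builds a throwaway CA, a server certificate, an expired one and a rogue certificate in memory (the host name `api.example-bank.test` and every certificate are constructed for the demonstration) and then verifies a leaf the way a client should: the chain must lead to a trusted root, the certificate must be valid now, and the host name must match the certificate. It also computes a SubjectPublicKeyInfo pin, an optional extra check beyond the tip above that banking apps commonly add so that a certificate from any other CA, trusted or not, is still rejected.

```ruby
require 'openssl'

HOST = 'api.example-bank.test'   # constructed host name

# Test-only helper: issue a certificate. With issuer: nil it is self-signed (a CA root).
def build_cert(subject:, key:, issuer: nil, issuer_key: nil, ca: false, san: nil,
               not_after: Time.now + 86_400)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                       # X.509 v3
  cert.serial = 1 + rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', san, false)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Base64(SHA-256(SubjectPublicKeyInfo)), the value used for public-key pinning.
def spki_pin(cert)
  [OpenSSL::Digest::SHA256.digest(cert.public_key.to_der)].pack('m0')
end

# What a client must check before trusting a server certificate.
# Returns [ok, reason].
def verify_server_cert(leaf, trusted_cas, hostname, pins: nil)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  # 1. Signature chain to a trusted root, validity period, basic constraints.
  return [false, store.error_string] unless store.verify(leaf)
  # 2. The certificate was issued for the host we are talking to (SAN / CN).
  return [false, 'hostname mismatch'] unless OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
  # 3. Optional pinning: only the keys we shipped with the app are acceptable.
  return [false, 'pin mismatch'] if pins && !pins.include?(spki_pin(leaf))
  [true, 'ok']
end

# Constructed sample PKI: a trusted CA, a good leaf, an expired leaf, and a leaf
# for the same host issued by a CA the client does not trust.
def build_sample_pki
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = build_cert(subject: '/CN=Example Bank Root CA', key: ca_key, ca: true)
  server_key = OpenSSL::PKey::RSA.new(2048)
  server = build_cert(subject: "/CN=#{HOST}", key: server_key, issuer: ca,
                      issuer_key: ca_key, san: "DNS:#{HOST}")
  expired = build_cert(subject: "/CN=#{HOST}", key: server_key, issuer: ca,
                       issuer_key: ca_key, san: "DNS:#{HOST}", not_after: Time.now - 10)
  rogue_key = OpenSSL::PKey::RSA.new(2048)
  rogue_ca = build_cert(subject: '/CN=Rogue CA', key: rogue_key, ca: true)
  rogue = build_cert(subject: "/CN=#{HOST}", key: rogue_key, issuer: rogue_ca,
                     issuer_key: rogue_key, san: "DNS:#{HOST}")
  { ca: ca, server: server, expired: expired, rogue: rogue }
end

if __FILE__ == $PROGRAM_NAME
  pki = build_sample_pki
  pins = [spki_pin(pki[:server])]
  { 'good leaf'      => [pki[:server],  [pki[:ca]], HOST],
    'no trusted CA'  => [pki[:server],  [],         HOST],
    'expired leaf'   => [pki[:expired], [pki[:ca]], HOST],
    'rogue CA'       => [pki[:rogue],   [pki[:ca]], HOST],
    'wrong hostname' => [pki[:server],  [pki[:ca]], 'evil.test'] }.each do |label, (leaf, cas, host)|
    puts "#{label}: #{verify_server_cert(leaf, cas, host, pins: pins).inspect}"
  end
end
```

Platform HTTP stacks perform steps 1 and 2 by default; the failure mode this guards against is the app code that disables them (a permissive trust manager or a "verify none" mode left over from development), which is why the check is written out explicitly here.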

3. Insecure authentication and authorization

Authentication confirms a user’s identity. Authorization confirms that this user really has access to a particular system. Together, authentication and authorization prevent attackers from using the functionality of the application or backend server.

Modern websites that deal with users’ personal data require users to create long, complex passwords that contain numbers, symbols, and letters. But mobile users prefer four-digit passwords or PIN codes for convenience. App developers know that and often compromise security for users’ comfort. This approach is far from secure.

Tips to avoid insecure authentication and authorization:

  • Always use multi-factor authentication. Unlike two-factor authentication, which uses a combination of a username and password in conjunction with a security token linked to a client’s device, multi-factor authentication is much more difficult to circumvent. This approach requires an additional layer of verification such as biometric data confirmation, which isn’t so easy to bypass. Of course, multi-factor authentication is more expensive to implement, but the cost is justified for a banking app.
  • Always use server-side authentication and authorization. Offline authentication is not an option as it requires storing data on a mobile device which, as we’ve mentioned, leads to insecure data storage.
  • Don’t use such unreliable and easily forged data as geolocation or device identifiers for authentication.
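The Ruby sketch below is an added example, not the article’s code, of the server-side check the first two tips describe: the server verifies a salted PBKDF2 password hash and then a one-time code from the user’s authenticator (TOTP, RFC 6238) before any session is issued, so nothing about the credentials has to live on the device. The constructed sample user, the secret `12345678901234567890` (the RFC 4226/6238 test key), the iteration count and the one-step clock-skew window are assumptions made for the demonstration.

```ruby
require 'openssl'
require 'securerandom'

PBKDF2_ITERATIONS = 100_000   # assumption for the demo; tune to your hardware budget
TOTP_STEP  = 30               # seconds per code (RFC 6238 default)
TOTP_DRIFT = 1                # accept one step of clock skew on either side

# Compare two byte strings without leaking where they first differ.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side password record: salted PBKDF2-HMAC-SHA256, never the password itself.
def hash_password(password, salt = SecureRandom.random_bytes(16))
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                                    length: 32, hash: 'sha256')
  { salt: salt, digest: digest }
end

def password_matches?(record, password)
  candidate = hash_password(password, record[:salt])[:digest]
  constant_time_equal?(record[:digest], candidate)
end

# HOTP (RFC 4226) with HMAC-SHA1; TOTP (RFC 6238) is HOTP over the time counter.
def hotp(secret, counter, digits = 6)
  mac = OpenSSL::HMAC.digest('SHA1', secret, [counter].pack('Q>'))
  offset = mac.getbyte(19) & 0x0f                  # dynamic truncation
  code = ((mac.getbyte(offset) & 0x7f) << 24) |
         (mac.getbyte(offset + 1) << 16) |
         (mac.getbyte(offset + 2) << 8) |
         mac.getbyte(offset + 3)
  format("%0#{digits}d", code % 10**digits)
end

def totp(secret, now, digits = 6)
  hotp(secret, now.to_i / TOTP_STEP, digits)
end

# Two-step server-side check. Returns [accepted, reason]. The user record keeps the
# last accepted TOTP counter so a captured code cannot be replayed inside its window.
def authenticate(user, password, otp_code, now: Time.now)
  return [false, :bad_password] unless password_matches?(user[:password], password)

  counter = now.to_i / TOTP_STEP
  matched = (counter - TOTP_DRIFT..counter + TOTP_DRIFT).find do |c|
    constant_time_equal?(hotp(user[:totp_secret], c), otp_code.to_s)
  end
  return [false, :bad_otp] if matched.nil?
  return [false, :otp_replayed] if matched <= user.fetch(:last_otp_counter, -1)

  user[:last_otp_counter] = matched
  [true, :ok]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample user; the TOTP secret is the RFC 6238 test key.
  user = { password: hash_password('constructed-passphrase'), totp_secret: '12345678901234567890' }
  at = Time.at(59)                     # RFC 6238 test time; code for this step is 287082
  puts authenticate(user, 'constructed-passphrase', totp(user[:totp_secret], at), now: at).inspect
  puts authenticate(user, 'constructed-passphrase', '287082', now: at).inspect   # replay
  puts authenticate(user, 'wrong', '287082', now: at).inspect
end
```

The distinct reasons are for server-side logging and rate limiting; the client should receive one generic failure message so that a caller cannot tell which factor was wrong. Replacing the four-digit PIN the article mentions with this flow moves the security decision entirely to the server, which is the point of the second tip.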

4. Insecure code and reverse engineering

If an app is based on insecure code, it can easily be used to perform illegal operations. That’s why all parts of a banking app need to be protected on every level. In the majority of cases, bugs don’t lead to such severe problems as breaches or data leaks. Still, these imperfections can help hackers achieve their goals.

Reverse engineering is one of the most favored methods of hacking. It involves examining software or its separate components in detail and then recreating them. Attackers look for apps with insecure code and apply reverse engineering to them. Then they can release a fake app to an app store as if it were the original, to collect users’ data or to hack the original application.

Tips to secure code and architecture:

  • Encrypt app source code. Not only should users’ personal data be encrypted; the app code should be encrypted as well. Don’t give attackers a chance to copy your app or hack it.
  • Always use obfuscation instruments for comprehensive app testing. Imagine that you’re an attacker and try to find all the weak spots in your app.
  • Manage your keys wisely. Even the most sophisticated encryption is worth nothing if your keys are easily accessible. Keys have to be stored in a safe place and should be of appropriate length.

Other things you can do

Apart from the tips mentioned above, there are some general security protection methods and recommendations we can provide you with to improve the security of your mobile banking app. Here’s what you need to remember:

1. Watch your employees

It may shock you, but the group responsible for the most data leaks in 2017 was employees.


This is true even though only a small number of workers violated rules consciously to steal or sell data. Among the most widespread employee errors resulting in data leaks, according to the InfoWatch Analytics Center, are the loss of removable media, loss of mobile devices, negligent use of paper documents, and sending of emails to the wrong recipients. Your task is to make sure that employees are aware of the consequences of their behavior.

As a preventive measure, you can sign a Non-Disclosure Agreement with each worker to inform them of their responsibilities. Strong corporate culture and educational lectures can also be helpful.

2. Learn patterns of user behavior

By learning about your customers, you can better identify them and understand how they use your product. Statistics such as a user’s location, speed of entering a password, and channel of authentication can help you detect unusual activity and prevent personal data theft.

User Behavior Analytics, or UBA, is a technology that searches for patterns of use which signal uncommon behavior. UBA does not prevent attacks by itself, but it can quickly spot and track an attacker’s activity and minimize the damage. We highly recommend using UBA as part of your proactive mobile banking app security strategy.

3. Use alerts and notifications

Notifications bring a lot of benefits for your app. Apart from engaging and retaining users, tracking actionable metrics, and improving conversions, push notifications can also be used as a powerful tool to prevent or stop fraud. All you need to do is to inform customers about any suspicious or unusual activity on their accounts and ask them to confirm these actions. In some cases, account blocking can be used as well.
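The Ruby script below is an added example, not code from the article, that ties the two previous sections together: it scores each login against what is known about the customer using the signals the UBA section names (location, speed of password entry, authentication channel, plus device and time of day), and turns the score into one of three outcomes, of which two produce the customer-facing alert this section describes. The profile, the three login events, the signal weights and the thresholds are all constructed for the demonstration; a real deployment would derive the profile from history and tune the weights on its own data.

```ruby
# Signal weights and thresholds are constructed for the demonstration.
SIGNAL_WEIGHTS = {
  new_device: 2, new_country: 3, new_channel: 1,
  unusual_hour: 1, pasted_password: 2, impossible_travel: 5
}.freeze

# Compare one login event with the customer's known behaviour.
def risk_signals(profile, event)
  signals = []
  signals << :new_device      unless profile[:devices].include?(event[:device_id])
  signals << :new_country     unless profile[:countries].include?(event[:country])
  signals << :new_channel     unless profile[:channels].include?(event[:channel])
  signals << :unusual_hour    unless profile[:active_hours].include?(event[:time].hour)
  signals << :pasted_password if event[:password_entry_ms] < 300   # far faster than a human types
  last = profile[:last_login]
  if last && last[:country] != event[:country] && (event[:time] - last[:time]).abs < 3600
    signals << :impossible_travel                                   # another country within an hour
  end
  signals
end

# Sum the weights and pick an action: normal login, ask the customer, or block.
def decide(signals)
  score = signals.sum { |s| SIGNAL_WEIGHTS.fetch(s) }
  action = if score >= 5 then :block elsif score >= 2 then :confirm else :allow end
  { score: score, action: action, signals: signals }
end

# The customer-facing alert for the "confirm" and "block" outcomes (none for a normal login).
def notification_for(decision, event)
  where = "#{event[:country]} on #{event[:channel]} at #{event[:time].utc.strftime('%H:%M UTC')}"
  case decision[:action]
  when :confirm then "New sign-in from #{where}. Was this you? Confirm in the app, or we will sign this session out."
  when :block   then "A sign-in from #{where} was blocked. If this was you, contact support to unlock your account."
  end
end

# Process events in order; a login that is allowed becomes the new reference point.
def assess_logins(profile, events)
  events.map do |event|
    decision = decide(risk_signals(profile, event))
    decision[:notification] = notification_for(decision, event)
    profile[:last_login] = { time: event[:time], country: event[:country] } if decision[:action] == :allow
    decision
  end
end

# Constructed sample: one customer's profile and three logins on one day.
def sample_profile
  { devices: ['dev-A'], countries: ['DE'], channels: ['app'], active_hours: 7..23,
    last_login: { time: Time.utc(2018, 7, 25, 9, 0), country: 'DE' } }
end

SAMPLE_EVENTS = [
  { device_id: 'dev-A', country: 'DE', channel: 'app', time: Time.utc(2018, 7, 25, 10, 15), password_entry_ms: 1400 },
  { device_id: 'dev-C', country: 'BR', channel: 'web', time: Time.utc(2018, 7, 25, 10, 50), password_entry_ms: 120 },
  { device_id: 'dev-B', country: 'DE', channel: 'app', time: Time.utc(2018, 7, 25, 20, 0),  password_entry_ms: 1100 }
].freeze

if __FILE__ == $PROGRAM_NAME
  assess_logins(sample_profile, SAMPLE_EVENTS).each do |d|
    puts "#{d[:action]} (score #{d[:score]}): #{d[:signals].join(', ')}"
    puts "  -> #{d[:notification]}" if d[:notification]
  end
end
```

The middle tier matters most in practice: a single new device is not proof of fraud, so the customer is asked rather than locked out, while the combination of a new device, a new country, an automated-looking password entry and a second country within the hour is treated as an attack and blocked outright.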

4. Watch your back

The server side of your app is also vulnerable to hacker attacks. That’s why you need to make sure that all APIs, databases, and third-party services that your app has access to are also secure.

Poorly protected APIs give adversaries a chance to bypass authentication and authorization schemes. And databases with no modern security system are like open pockets. Each link of this chain depends on the others, and if one fails in security, then all data is at risk.

As an option, you can use containerization to secure your backend data and documents. Docker containers allow you to isolate software from its surroundings, which helps you store information more securely.

Final thoughts

Banking apps require the highest level of protection by default. Recent cases of breaches and data leaks have shown how vulnerable mobile apps can be. That’s why you need to think through your mobile banking security during the planning stage, not during development or later.

Make a checklist to be sure that you have all matters figured out and spend enough time testing to exclude any bugs and imperfections.

Don’t forget to subscribe to our blog if you’ve liked this article and you want to get more useful guides and insights from RubyGarage.
