How To Build A Secure Mobile App

As is the case with any delivery channel, security is at the forefront for banks as they rush to deploy or enhance mobile banking apps in the fast-growing smartphone market. And while many banks' mobile apps limit customers to basic functions--checking account balances and transaction histories, finding a branch or ATM location, and initiating transfers--a new wave of apps is bringing person-to-person payments, remote deposit capture, and bill pay to the mobile channel. Simply, the apps are getting smarter and more capable. But with those capabilities comes the potential for greater threats.

"Clearly everyone is concerned about mobile security," says Jacob Jegher, senior analyst for Boston-based Celent's banking group. "But we haven't really seen the brunt of the challenges that could come with mobile fraud. In other words, it's a channel that hasn't been heavily targeted."

But the market is expanding fast, and so is the target for criminals. A February IDC (Framingham, Mass.) report indicated that smartphone sales outpaced PC sales for the first time ever in the fourth quarter of 2010, with 100.9 million smartphones shipped versus 92.1 million PCs. The growth in smartphone sales could translate to more opportunity for customers to access their banks through those devices--either via apps or mobile browser--and more opportunity for fraud.

To keep up with the proliferation of devices and customers who prefer downloadable apps, banks often deploy mobile banking applications across multiple platforms--Apple's iOS, Google's Android, Research in Motion's BlackBerry and others--and banks have to build for the strengths and weaknesses intrinsic to every device, which adds to the security challenges. Another wrinkle is that these development efforts are creating an entirely new kind of bank channel experience.

"As you look at the back-office systems that are inherently driving online and mobile, they're the same systems," says Keith Gordon, SVP, echannels, fraud and enrollments executive, Charlotte, N.C.-based Bank of America ($2.27 trillion in assets). "But the big difference comes in how our customers are interacting with us. In an online space we've got complete control of that environment; whereas when you look at mobile, we've now pushed that functionality out to the customer."

Developing an app-based mobile banking experience is completely new for many banks, acknowledges Mark Bregman, EVP and CTO of Mountain View, Calif.-based security firm Symantec Corp., who stresses that security should be paramount in the process. "In a way you have to be more systematic in planning for and building mobile banking apps than you did with Web-based apps," Bregman says. "On the other side of it, things are moving very fast toward mobility--if you're a bank and you decide to wait too long, you run the risk of being left behind."

Because mobile banking via downloadable app is a relatively new phenomenon--the Apple iTunes App Store dates back to July 2008, and the Android Marketplace debuted that October--the current list of threats is poorly understood, if somewhat short. But that doesn't mean the threat isn't real--even if the app itself is not the problem.

Read the rest of this article on Bank Systems & Technology.

See the latest IT solutions at Interop New York. Learn to leverage business technology innovations--including cloud, virtualization, security, mobility, and data center advances--that cut costs, increase productivity, and drive business value. Save 25% on Flex and Conference Passes or get a Free Expo Pass with code CPFHNY25. It happens in New York City, Oct. 3-7, 2011. Register now.