Android Mobile Banking. How secure are mobile banking apps on the world's most popular smartphone
Academic year: 2021
(1)

Android Mobile Banking

How secure are mobile banking apps on the world's most popular smartphone operating system?

(2)

The material appearing in this presentation is for informational purposes only and is not legal or accounting advice. Communication of this information is not intended to create, and receipt does not constitute, a legal relationship, including, but not limited to, an accountant-client relationship. Although these materials may have been prepared by professionals, they should not be used as a substitute for professional services. If legal, accounting, or other professional advice is required, the services of a professional should be sought.

(3)

PRESENTERS

Bob Grill, IT Consulting Manager, Moss Adams LLP
David Dyk, IT Consulting Manager, Moss Adams LLP

(4)

AGENDA

• Mobile Banking Trends
• Android Platform Basics
• Android Mobile Banking Security Considerations
• Questions and Answers

(5)

AGENDA TOPIC: MOBILE BANKING TRENDS

(6)

THE GROWTH OF MOBILE COMPUTING

• 91% of Americans use a mobile phone
• As of Christmas 2011, 50% of Americans will have a smart phone.
• By 2013, mobile phones will overtake PCs as the most common web access device worldwide.

Sources:
http://www.gartner.com/it/page.jsp?id=1278413
http://arstechnica.com/telecom/news/2010/03/wireless-survey-91-of-americans-have-cell-phones.ars

(7)

MOBILE BANKING TRENDS: SMARTPHONE APPS

• Richer features and better user interface when compared to SMS and WAP channels
• Two dominant platforms: iOS and Android

(8)

MOBILE BANKING TRENDS: MOBILE REMOTE DEPOSIT CAPTURE

• Emerging market expectation for community banks and credit unions to adopt
• Key vendors beginning to offer photo bill pay
• Focus of regulatory scrutiny on consumer compliance and security risks

(9)

MOBILE BANKING TRENDS: MOBILE REMOTE DEPOSIT CAPTURE (2)

• Several key requirements for RDC risk management from regulators (FIL-4-2009)
• Regulator concern with:
  o Risk assessment
  o Multi-factor authentication
  o Customer awareness education
  o Deposit thresholds

(10)

MOBILE BANKING TRENDS: PERSON TO PERSON PAYMENTS

• Payments outside of the institution, seen as an opportunity to build brand recognition and leverage existing customers
• Competition among FI service providers (e.g., FiServ, Q2) and Internet players (e.g., PayPal, Square, American Express Serve, Google Checkout)

(11)

MOBILE BANKING TRENDS: PERSONAL FINANCIAL MANAGEMENT

• Mimics functionality of consumer-branded solutions such as Mint.com or Yodlee
• Often includes customizable alerts
• Defensive move to retain customer interactions and relationship

(12)

AGENDA TOPIC: ANDROID PLATFORM BASICS

(13)
(14)

ANDROID OPERATING SYSTEM

• Open Source – Source code is available to read by anyone, based on Linux.
• Android development is controlled by a group called the Open Handset Alliance – mostly run by Google, but many cell phone manufacturers are members.
• Unlike the iPhone, the Android platform is more open to customization by device manufacturers and users, and therefore security considerations become more complex.

(15)
(16)

ANDROID SECURITY CONTROLS

• Applications run inside a Virtual Machine (VM) – one app should not know what other apps are running on the phone
• Each VM is limited to communications with operating system programs provided by Google
• Applications can override this control if given permission

(17)

AGENDA TOPIC: ANDROID MOBILE BANKING SECURITY CONSIDERATIONS

(18)

ANDROID APP MARKETPLACES

• The Google Play marketplace is the primary app store. Other stores from carriers (Verizon) and third parties (Amazon.com) also exist. Financial institutions can distribute apps through any of these channels.
• Marketplaces maintain basic controls over apps distributed:
  o Automated source code review
• Each app is digitally signed by the developer. The operating system restricts updates to only those signed by the same developer. Therefore, Internet banking vendors must maintain strict controls over the digital keys used to sign the app, to prevent it from being used for unauthorized app updates.

(19)

APP PERMISSIONS

• App permissions are used to control what resources each Android app can access.
• Minimize the permissions an app uses, in order to minimize the consequences of potential security vulnerabilities in the application.

(20)

ANDROID MOBILE BANKING: AUTHENTICATION

• "Layered Security" to comply with FIL-50-2011
• Many institutions balance risk by limiting money movement, using device identification and simple user authentication (e.g., 4-digit PIN)
• Android can maintain an encrypted device identifier

(21)

STORING SENSITIVE DATA

• Sensitive data includes:
  o Device authentication information
  o Cached balance and transaction histories
• Sensitive data can be secured by encryption. Developers need to call specific functions to ensure that happens.

(22)

CONCLUDING RECOMMENDATIONS

• Promote security awareness for Internet banking users that is platform specific
• Perform due diligence and work with Internet banking vendors to ensure that Android apps have appropriate security engineered
• Ensure layered security controls are in place for authentication, transaction monitoring, or other controls (required by FFIEC FIL-50-2011)
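A due-diligence check that follows from the signing-key point (slide 18), the minimal-permissions point (slide 19) and the vendor due-diligence recommendation above, added here as an example and not taken from the presentation or from Moss Adams: it reads the output of the Android SDK tools apksigner and aapt and compares the release signing certificate fingerprint and the requested permissions against values agreed with the vendor. The script name apk_check.sh, the ALLOWED_PERMS allowlist and the fingerprints in the comments are constructed placeholders.

```shell
# Vendor APK due-diligence check (added example; not from the presentation).
# Assumes Android SDK build-tools (apksigner, aapt) on PATH and a SHA-256 release
# signing-certificate fingerprint supplied by the vendor out of band. The check
# functions read tool output on stdin so they can also be run on saved output.

# Constructed allowlist for a banking app with remote deposit capture; anything
# beyond this should be explained by the vendor before the app is accepted.
ALLOWED_PERMS="android.permission.INTERNET android.permission.CAMERA android.permission.ACCESS_NETWORK_STATE"

# check_signer EXPECTED_SHA256  < `apksigner verify --print-certs app.apk`
# Fails unless the first signer's certificate digest is the agreed one.
check_signer() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    actual=$(sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | tr 'A-F' 'a-f')
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "signer mismatch: expected $expected, got '${actual:-none}'"
        return 1
    fi
    echo "signer OK"
}

# check_permissions  < `aapt dump permissions app.apk`  (handles both output
# styles: "uses-permission: name='X'" and the older "uses-permission: X");
# prints every permission outside the allowlist and fails if any were found.
check_permissions() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            uses-permission:*) ;;
            *) continue ;;
        esac
        perm=$(printf '%s\n' "$line" | sed -n "s/^uses-permission: *name='\([^']*\)'.*/\1/p")
        [ -n "$perm" ] || perm=$(printf '%s\n' "$line" | sed 's/^uses-permission: *//')
        case " $ALLOWED_PERMS " in
            *" $perm "*) ;;
            *) echo "unexpected permission: $perm"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Usage: sh apk_check.sh app.apk <expected-sha256-hex>
if [ "$#" -eq 2 ]; then
    apksigner verify --print-certs "$1" | check_signer "$2"
    aapt dump permissions "$1" | check_permissions
fi
```

The check covers only the signing certificate and the manifest permissions; whether cached balances and device credentials are actually encrypted (slide 21) still has to be confirmed by reviewing the app's code with the vendor.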

(23)

QUESTIONS?

Bob Grill, bob.grill@mossadams.com, (916) 503-8127
David Dyk, david.dyk@mossadams.com, 503-512-0004
