Apps: Are They Secure?
Mobile banking apps are also prone to hacking [Source: http://www.youtube.com/watch?v=zdO9CQqOuP8]
During my recent coast-to-coast sojourn in North America, during which I had the good fortune of meeting many of our customers, one theme stood out in all discussions--the security of mobile apps. The concern was mostly around B2C applications, given the increasing penetration of the Android operating system. With its open model and multiple OS versions, Android has in recent times shown increasing vulnerability to malware, Trojans, etc. Even iOS is not completely free from these vulnerabilities, although the perception is that its highly controlled and closed ecosystem makes it less susceptible.
Take, for instance, the recent hacking of a leading coffee retailer's mobile app, where it was discovered that user IDs and passwords were stored in a flat file. The CIO of the company commented that even if someone obtained the app's login credentials, the only thing that person could do is buy coffee. I think this ignores a very important fact--that people may use that very same user ID and password on multiple sites. Keeping the login sequence of a mobile app simple has been the prevailing paradigm so far, so as not to compromise the user experience and to increase app adoption.
We all know that typing a long and complex password on a small screen can be difficult, and there would be a significant drop in usage if such a rule were strictly enforced. Some leading banks have been experimenting with new methods to ensure security, which include facial recognition and fingerprint reading. While the final verdict on these is still awaited, organizations in the financial services and insurance industries can take a first step by implementing two-factor authentication. Users would be authenticated by a combination of their login credentials and their mobile phone. This means that the app is fused with the mobile phone. So even when a hacker gets hold of the user ID and password, he/she will not be able to access the app from another, unauthorized device. This can be done in the background, without the user being aware of it. User experience and security are inversely proportional, but I think there is a way to strike a balance.
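As an added illustration of the device-bound second factor described above (example code written for this page, not from any bank or vendor): the server checks the password and, separately, a challenge response that only a phone enrolled for that account can compute from a per-device secret, so leaked credentials fail from any other device. The account names, the PBKDF2 parameters and the "phone-A"/"phone-B" identifiers are constructed; the device secret is assumed to live in the phone's protected storage rather than in a plain file like the one in the coffee-retailer incident.

```python
import hashlib, hmac, os, secrets

def device_proof(key, device_id, nonce):
    """Runs on the phone in the background; the user still types only a password."""
    return hmac.new(key, nonce + device_id.encode(), hashlib.sha256).digest()

class Server:
    def __init__(self):
        self.users = {}        # username -> (salt, PBKDF2 password hash)
        self.devices = {}      # username -> {device_id: per-device secret}
        self.pending = set()   # challenges issued but not yet consumed

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def _password_ok(self, user, password):
        salt, stored = self.users.get(user, (b"x", b""))
        return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def enroll_device(self, user, password, device_id):
        """One-time binding; the app keeps the secret in the phone's protected storage."""
        if not self._password_ok(user, password):
            raise PermissionError("bad credentials")
        key = secrets.token_bytes(32)
        self.devices.setdefault(user, {})[device_id] = key
        return key

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def login(self, user, password, device_id, nonce, proof):
        """Password plus a proof from an enrolled phone; an unknown device fails even with the right password."""
        if nonce not in self.pending or not self._password_ok(user, password):
            return False
        self.pending.discard(nonce)                  # each challenge is good for one attempt
        key = self.devices.get(user, {}).get(device_id)
        return key is not None and hmac.compare_digest(device_proof(key, device_id, nonce), proof)

def demo():
    srv = Server()
    srv.register("alice", "correct horse")
    key = srv.enroll_device("alice", "correct horse", "phone-A")
    n1, n2 = srv.challenge(), srv.challenge()
    legit = srv.login("alice", "correct horse", "phone-A", n1, device_proof(key, "phone-A", n1))
    # Leaked user ID and password tried from a phone that was never enrolled (constructed attacker).
    stolen = srv.login("alice", "correct horse", "phone-B", n2, device_proof(os.urandom(32), "phone-B", n2))
    return legit, stolen
```

demo() returns (True, False): the enrolled phone logs in, the same credentials from an unenrolled phone are refused, and a consumed challenge cannot be replayed.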