Mobile malware targeting the financial services industry will continue to rise unless companies do a better job of testing apps and educating users according to National Australia Bank (NAB) head of mobile and emerging technologies, Ben Forsyth.
Speaking at CeBIT, Forsyth told delegates that mobile malware developed to target banks, such as Zitmo which can bypass two factor secure authentication used in financial transactions, was spreading because of long patch management cycles, open platforms, unofficial distribution of apps and a lack of attention given to security by consumers and companies releasing apps.
CeBIT 2012: Lack of Cloud standards hinders uptake, says NAB
“Very rarely do people have security software installed on their phones and there is an insane willingness to download and install apps without any due diligence on what the app might be doing behind the scenes,” he said.
Turning to mobile app development, Forsyth said app security could be improved if companies reviewed the developer they were using to create apps.
He suggested companies check that the developer was adhering to secure coding principles and if there had been instances of app failures or breaches.
“Companies should also check what app data is being stored on the device and how that is secured for customers,” he said.
“Any of the mobile banking apps you see in the market today are almost dumb clients, they’re only active during a session. As soon as you log out, all data is removed from the device to make sure it is protected."
Before apps are submitted to the mobile market place, developers should have the app tested for any code vulnerabilities and also penetration test any app designed for financial transactions, Forsyth suggested.
“The incremental cost that’s involved in engaging the third party security expert to undertake those reviews is dwarfed by the potential for reputation damage if the app is released into the market and your customers are affected,” he said.
According to Forsyth, the process involved with getting an app published in the market place needed more attention to detail.
“At NAB we develop a code, pass it through a security review and then it comes back to the business for upload to the marketplace,” he said. “At every step in the chain there is a check to make sure the code is the same and there has been no interference along the way.”
Finally, companies needed to establish support agreements with vendors who develop apps so that if vulnerability appeared in the app, the vendor would be held accountable.
Turning to users, he said companies who release apps had a responsibility to educate customers on mobile security.
“People should keep a pass code lock on their device and only install apps from trusted sources. Encourage your users to keep their device secure with patch updates and installation of mobile security apps,” Forsyth said.
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow Computerworld Australia on Twitter: @ComputerworldAU