FAQs around the Wild West of Mobile Security

December 22, 2017 - UL recently hosted a webinar about this topic and collected the most frequently asked questions. Read the answers below and view the recording of our webinar!

1. What kind of standards are applicable or required for mobile banking applications?

Mobile banking applications are not regulated by payment schemes in the way that mobile payment or mobile point of sale terminals are. However, the applications must comply with local and regional regulations. For example, in Europe, the General Data Protection Regulation and the Payment Services Directive, together with the local laws based on them, would apply.

2. How long does it take to review or test a mobile banking application?

Reviewing a mobile banking application involves a mix of code review and testing of the application and any backend systems involved. How much time this takes depends on the size and complexity of the application, as well as the assurance levels required by the issuer of the banking application.

3. How much fraud is committed using banking applications?

As with internet banking, mobile banking is susceptible to fraud. Individual cases of fraud have been reported in the general media, but issuers typically do not provide statements on the size or impact of fraud, so little public data is available from individual banks. However, industry organisations such as the Dutch Vereniging van Banken published a study in March 2017 showing that banking fraud is steadily declining in the Netherlands.

4. How many applications seen by UL actually have a security problem?

In the short survey performed by UL, every application we saw, without exception, had weaknesses that should be shored up or improved. Together with Inside Secure, UL reviewed 20 banking applications in total, which were selected to represent a group of globally distributed entities, including applications from startups as well as established banks.

5. Is it possible to have a brief security assessment of the new PCI PIN on Glass program?

The PCI PIN on Glass standard has not been officially released. When the standard is finalized and released, UL is confident that it will be able to provide security assessments based on this standard through its PCI compliance services.

6. You mention MATE attacks on Android. Are MATE attacks also applicable on the iOS platform?

The same attacks are possible on iOS using largely similar or the same techniques. The difficulty of this class of attack on the iOS platform stems from the fact that it requires root access to the handset. Root access on iOS is more costly to obtain because iOS is a much more uniform ecosystem, which means that security problems are patched relatively quickly compared to most Android handsets.

7. Can the photo camera sensor be secured in some way? For instance, can the mobile application know if the camera is really reading a photoTAN or is being spoofed?

Without hardware support it will be possible to tamper with the inputs to any application running on the handset if an attacker has sufficient access, which includes the inputs from a photo sensor. Mitigations currently focus on validating the handset operating system using SafetyNet or other approaches that scan the handset for signs of compromise.