January 17, 2011 – Technology companies have been working to provide mobile application platforms for money managers, hedge funds and other service providers.
These help turn existing applications into mobile apps as well as create new applications built specifically to run on mobile devices.
There is tremendous potential for mobile money management applications to create value for users and their customers in areas such as non-real-time trading, account and customer management, research, reporting and data visualization.
These applications can provide those who use them a competitive advantage in managing money as well as building and maintaining customer relationships, but they can also expose firms and their clients to new risks.
Almost universally, vendors are claiming their applications are “secure,” but supporting evidence is at best scarce. It is difficult to determine what these claims actually mean.
Network providers can ensure that data crossing their networks is encrypted while it is on their network. However, this provides no guarantee of the security of the data once it leaves their network. One provider migrating legacy applications to mobile platforms claims it makes applications “securely available to employees, partners and customers, anytime and anywhere, from any device,” but it also fails to provide details on what is meant by “secure.” This situation ultimately puts application users, their customers and their relationships with their customers at risk.
There are a number of security concerns with systems including mobile components. Some questions to ask include:
- Is sensitive data stored on the device? In July 2010, it was revealed that a mobile application from Citigroup was storing sensitive data such as account numbers, bill payments and security access codes on user devices, where it could potentially be discovered by hackers. In addition, the sensitive information was backed up to user workstations, creating further opportunities for exposure. The application in question had been built with a combination of code from 3rd party application developers and code from Citigroup, and security testing had failed to identify the weakness. Some mobile platforms attempt to offer some protection for data stored on the device. The challenge is that mobile application developers often do not understand these protection options. Also, if an attacker has unfettered access to a compromised device, in time they will likely be able to recover any data stored on it.
- How are users forced to authenticate themselves to the system? A recent Wall Street Journal article highlighted several large financial firms, such as Bank of America and TD Ameritrade, that were improperly storing usernames and passwords on user devices. Entering a password every time a user accesses an application may seem tedious, but if users only need to log onto the device once in order to use the system indefinitely, it may open users and their customers to account compromise. Storing user credentials on a device creates the risk that a malicious party who gains either physical access to the device, or remote access to it because other software on the device is compromised, can recover those credentials.
- How can the device be disabled if it is lost? Enterprises have a need to provision and control mobile devices with access to their networks, and analyst firms such as Forrester Research have identified deficiencies with certain platforms that can make it impossible to put necessary controls in place. These controls are a combination of the properties of the device as well as the operational procedures of the organization managing the devices. Windows Mobile and Blackberry devices have provided this capability for years. iPhones have offered it for some time. Only the newest Android platforms have started providing remote disable and remote wipe capabilities. Organizations deploying these applications should have an understanding from application providers about application-specific disable capabilities as well as plans within their own IT departments for dealing with lost or stolen devices.
- Does the mobile application open up new avenues of attack for those with malicious intent? Web services deployed by AT&T to support the iPad 3G device allowed malicious users to gain access to at least 114,000 iPad owner email addresses. The web service appeared to be supporting a feature that kept iPad users from having to update their email address on the device if it changed. Arguably this feature was of dubious value, and if system designers had raised questions about the wisdom of including it, they might not have deployed the vulnerable web service, and the disclosure of the email addresses would not have happened.
A mobile application by itself is often not very compelling – especially if no sensitive data is stored on the device. Instead, the system of the mobile device coupled with online services is what provides value to users. Security for these systems can be compromised at any step in the chain so good system security requires that all components of the online platform be secured.
- What fraud controls are in place for the mobile application, and are they replicated on the server side? Many web applications have been found to be susceptible to parameter tampering attacks that allow malicious users to bypass application controls. Smartphone applications are potentially vulnerable to the same issues, and this is likely to be an area attackers focus on as web application attacks are translated to smartphone environments. Providers should be able to demonstrate that, in the event a device is compromised, the rogue behavior will be identified and stopped.
Refusing to deploy mobile applications is not a workable option for most organizations because of market demands and the potential customer value they represent. Given this predicament, what should leading organizations do?
- Ask specific questions of the product vendor about security. What sort of internal practices do they have for building secure applications? What sort of 3rd party reviews have their applications been through and how did they fare? Developers building smartphone applications should be versed in the principles of secure development and they should also have platform-specific knowledge for the applications they are building. Applications should undergo security testing and ideally vendors will be willing to share the results of this testing. Vendors are typically going to assert that their applications are “secure” but responsible buyers will ask for evidence to back up these statements.
- Maintain the right to do independent security testing. At the very least you should be able to perform penetration testing of a pre-production environment and should be allowed to scan the infrastructure for security vulnerabilities as well as test custom application code. For more sensitive applications, reserve the right to do source code reviews. Getting access to source code can be challenging, but it can be important for smartphone environments, where analyzing source code can be the most efficient way to look for certain potential security issues. The time to do this is up-front when negotiating licenses and contracts – not after the fact when bargaining positions have been eroded.
- Perform security testing – with in-house resources if they are available or with trusted 3rd parties if internal resources are not an option. As mentioned, security testing can be performed both on running applications and on the source code or binaries of applications. Applications managing more sensitive data should be subjected to more rigorous testing. This will provide independent insight into the security state of the system that can be used to encourage changes from vendors as well as to make risk-based decisions about whether or not to deploy certain technologies. Smartphone application security is a relatively new field and most organizations do not have the in-house skills to perform the required testing, so involving a 3rd party might be required.
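The fraud-control question raised above (are the mobile app's controls replicated on the server side?) is easiest to see in code. The following is an added example, not code from the article or from any vendor it mentions: a constructed non-real-time order endpoint in two versions. The first trusts the account identifier and a "checks passed" flag sent by the mobile client, so anyone who can tamper with request parameters bypasses the controls; the second derives the account from the authenticated session and re-evaluates every limit against server-side records. All account data, symbols and prices are constructed for illustration.

```python
"""Server-side replication of mobile fraud controls (added example, not from
the article). Constructed data: two accounts with daily limits and a tiny
product table with a price per symbol."""
from dataclasses import dataclass, field


@dataclass
class Session:
    account_id: str  # bound to the authenticated user on the server, not sent by the client


@dataclass
class AccountState:
    daily_limit: float
    spent_today: float = 0.0
    approved_products: set = field(default_factory=lambda: {"EQUITY"})


ACCOUNTS = {"ACC-1": AccountState(daily_limit=10_000), "ACC-2": AccountState(daily_limit=500)}
PRODUCT = {"XYZ": ("EQUITY", 25.0), "OPTX": ("OPTION", 3.0)}  # symbol -> (class, price)


def place_order_trusting_client(session, req):
    # Vulnerable pattern: the account and the 'checks_passed' flag both come from
    # the client request, so a tampered request can charge another account and
    # skip every limit the app enforced on the device.
    acct = ACCOUNTS[req["account_id"]]
    if not req.get("checks_passed"):
        return "rejected: client checks failed"
    acct.spent_today += req["qty"] * PRODUCT[req["symbol"]][1]
    return "accepted"


def place_order_server_validated(session, req):
    # Hardened pattern: identity comes from the session, limits from server
    # records, and each client-side control is re-evaluated here.
    acct = ACCOUNTS[session.account_id]
    if req.get("account_id", session.account_id) != session.account_id:
        return "rejected: account mismatch"  # tampered account field
    symbol = req.get("symbol")
    if symbol not in PRODUCT:
        return "rejected: unknown symbol"
    qty = req.get("qty")
    if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
        return "rejected: invalid quantity"
    product_class, price = PRODUCT[symbol]
    if product_class not in acct.approved_products:
        return "rejected: product not approved for account"
    if acct.spent_today + qty * price > acct.daily_limit:
        return "rejected: daily limit exceeded"
    acct.spent_today += qty * price
    return "accepted"
```

Logging each rejection with the session's account and the offending field gives the server-side detection the text asks for: a burst of "account mismatch" or "daily limit exceeded" rejections from one session is the signal that a device or channel has been compromised.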
The capabilities provided by mobile platforms have the potential to enable new classes of applications that will bring increased value to securities and trading firms’ users and their clients. However, organizations deploying these applications must pay attention to the risks they pose for firm and customer data and other assets. Forward-looking organizations will work with application providers and possibly engage with third parties to be sure that applications provide the required security.
This article originally appeared in Securities Technology Monitor.