Monday July 18, 2005

You can bank on it

SecurityPark.net talks about an upcoming downloadable Java ME mobile banking app that accesses your bank account, called MobileATM.

See:

Banking on Java ME technology.

Here are some bullet-items from the article, for banks to adhere to for security:

 * Stringent security testing.
 * Obfuscated source (sic) [My note: this should say class files, not source].
 * Two-step authentication.
 * Don’t trust any input received.

The above are good items to follow, but I would add that code-signing of the downloaded apps and encryption of data exchanged between the app and the back-end server are also a must.

The article fails to see that mobile apps on your cell phone are no different from using a Web browser on the wide open Internet to access your bank account from a Web site. It's the same level of security risk if you don't follow strict guidelines for protecting your apps and data (with authentication, code signing, encryption, and obfuscation).

Everyone thinks the mobile platform is less secure than Web browsers for some reason, but millions of Internet users access their bank accounts every day. I claim that, if you are following proper security procedures, the mobile network is safer, since it is harder to snoop and send data back to rogue servers using a proprietary network (Cingular, Sprint, Vodafone, T-Mobile, etc.) than the open Internet and a Web browser. Of course it's not impossible, but a Web site that calls itself SecurityPark.net should at least give a more balanced perspective on security risks on one platform vs. another.

[Java ME and J2ME] ( July 18, 2005 09:35 AM )




