Banking leads the way for mobile app penetration testing

September 26, 2014

When one thinks of penetration testing, what most likely comes to mind is testers trying to physically break into a facility or hack into an enterprise server to test its security measures. While these tests are obviously critical, it's important to remember that cybersecurity must span the entire IT infrastructure.

The proliferation of mobile apps in almost every industry means that information is now traveling through connections from the millions of mobile devices owned by consumers. Mobile apps are poised to play a central role in nearly every commercial endeavor, and with that comes a need for a commitment to security and penetration testing.

Mobile apps and security
The proliferation of mobile devices, particularly the Android and iOS platforms, has taken place only within the last decade. McAfee reported that as adoption of mobile platforms continues to grow, the demand for apps has grown right along with it. Banking apps in particular have been in high demand, due to their convenience.

McAfee said that mobile apps should be seen as extensions of desktop apps, and thus they should be afforded the same level of attention when it comes to security testing. The testing should also be conducted the same way it would be on any non-mobile platform.

Banking leads the way for mobile security innovation
Given the highly sensitive nature of consumer data that the banking industry handles through its emerging mobile apps, it makes sense that it has a heightened commitment to security for this particular channel. While routine penetration testing has its place here, security professionals in the banking industry know that more rigorous testing is necessary to ensure customer protection. Security measures on the client side have a key role in ensuring total system security. 

According to CSO Online, one tactic that banking app developers have implemented is putting code in the app that detects if a phone is jailbroken. If this is the case, the app will deny the user service. CSO also noted that code can be included in the app that detects malicious or rogue apps on the device. Client-side security measures are crucial to finding out if the device is compromised in any way. This idea is catching on in the banking industry, and experts expect that it will catch on elsewhere.

"Eventually those techniques will fill the gap to the more common apps, but right now, they're mostly used in the banking sector," said Tyler Shields, a senior analyst for Forrester.