Sandy, UT (February, 2014) -- Recent media reports of “Major security flaws found in 90% of top mobile banking apps” have alarmed credit unions that already have or are considering the purchase of a mobile banking app.
A look at the alleged weaknesses shows why FLEX users and their members are not subject to such security flaws:
IO Interactive Labs Research found that 90% of mobile banking apps from 60 of the top financial institutions around the world contained non-SSL [insecure] links throughout their applications. This allows an attacker to create a fake login prompt or similar scam.
The FLEX App does not allow non-SSL links. FLEX mobile banking apps are created by FLEX without third-party involvement. This ensures not just total control of development but also total integration with all FLEX products (accounts, cards, bill pay, etc.).
IO Interactive Labs Research also found that 40% of the audited apps did not validate the authenticity of the SSL certificates presented. This makes such apps susceptible to Man in the Middle (MiTM) attacks.
The FLEX App validates authenticity for every SSL certificate that is presented.
IO Interactive Labs Research further noted that 50% of the apps tested were vulnerable to JavaScript injections, which would allow actions such as sending SMS (texts) or emails from the victim’s device.
The FLEX App never uses Web views from third-party URLs within the app. The only exception would be when a customer specifically requests it; however, all potential security threats are documented and explained.
Praetorian noted in their study (which included apps from the 50 largest credit unions) that 8 out of 10 mobile banking applications contain build and configuration setting weaknesses.
The FLEX App was not rushed to market, which was cited as the most likely concern from apps with insufficient attention to security. Meticulous care and structural control are always maintained within the FLEX product set. To combat such weaknesses, the FLEX mobile banking apps are designed to be re-signed (application re-install, which will appear as an additional app icon in the app drawer) if the FLEX configuration file is changed. It should be noted that this particular weakness ONLY applies to Android users and those with jailbroken/rooted devices, information not provided in the Praetorian report.
When Arxan was interviewed, they noted that counterfeit apps are on the rise, which may include toxic malware.
The FLEX response is one that should also be the response of every supplier of technology: educate, instruct, inform. Make members aware that the safest place to download apps is from the official marketplaces (Apple and Google Play). If apps are downloaded elsewhere, the potential for exposure to counterfeit versions explodes. Advise that users with “jailbroken/rooted” devices not perform banking or other sensitive activity on them. Additionally, know that companies such as Arxan sell counterfeit detection tools.
In summary, technology that is designed by a single developer does not just provide for an enhanced user experience and the benefits of complete integration. Such products also provide the benefits of a secure and controlled environment. The FLEX core system and its ancillary product set, including mobile apps, provide for complete integration and unmatched security.
FLEX facilities management integrates software for credit unions into an advanced core platform to serve nearly 300 credit unions in locations across the country, including Alaska, Hawaii, and the Eastern Caribbean. The company enjoys established relationships with all regulatory agencies, corporate credit unions and major industry partners.