Banking industry: Native Apps or Mobile Apps?

curiouswebster
I assume when you have an app that is going to involve money, I automatically presume the iPhone and Android apps need to be Native. True?

I also expect to need to interact securely with hardware elements on the phone, both iPhone and Android. How well do Mobile apps do this?

Thanks
btan, Exec Consultant
Distinguished Expert 2018
Commented:
For monetary transactions, it can come with an app, but it is just a front UI to interact with the user, or it does everything natively. But one common observation is the need for challenge and response using an OTP (either a hardware or soft token): the app asks for your login credentials and transacts with another OTP for authentication, and after passing the check with the backend, we are granted access. For example, PayPal has the option to use a more secure 2FA (not a soft token) called a Security Key Card. It is understood to be the proprietary VeriSign Identity Protection (VIP) card, which generates OTPs at the user's end. It can also be embedded in the U2F-compliant YubiKey token (hardware).

The ideal case is that use of a hardware element is needed for the apps to secure the wallet that stores your digital "money". But it does not always use the phone hardware per se; for example, Google Wallet is one of the safest mobile payment apps because of its built-in security features. It uses NFC technology for wireless payment (tap and go):
  1. Uses AES 128 to 256 bit encryption.
  2. Information residing on Google's secure servers in secure locations keeps all of your information protected. (some may not like this)
  3. Wallet comes with 24/7 fraud protection and monitoring.
  4. If you lose your phone, you can log in to your Google Wallet account on any browser to instantly disable your lost or stolen device.
  5. You also have to enter a PIN to use Google Wallet, as you would with a debit card.
  6. You're also protected by Google's privacy policy.
This is on Android only, but it is similar to how Apple Pay works, minus the thumbprint ID scanner on the phone that verifies identity as an added layer of security.

Let's see a few other apps; they vary and are not necessarily bound to the "hardware", e.g.
  1. Square Wallet - It uses your phone's GPS to let a store know you're there, so you can make a purchase. It also encrypts payment and personal information.
  2. PayPal's app (again) - You're required to enter a PIN every time you want to make a purchase. The app links to your PayPal account, where you can manage all of your bank accounts. In short, you can make transactions by entering your mobile phone number (or email) at the checkout and then entering a PIN. It is not using hardware, though.

All mobile payment apps have vulnerabilities, but so do online payment processors, and even that trusted credit card in your wallet. Ultimately, using Mobile apps is risk-taking. We should embrace technology openly, and taking a measured, informed risk for greater adoption of technology to streamline and enhance the experience will be worthwhile. Make sure you practice hygiene, keep your phone safe (do not root/jailbreak), download from known app stores, have a strong password, and go for 2FA whenever it is supported.
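The challenge-and-response OTP step described in the answer above, as an added example (this is not code from the post, nor from PayPal or VeriSign): a stdlib-only HOTP (RFC 4226) and TOTP (RFC 6238) generator for the token side, plus the backend-side verifiers that decide whether access is granted. The seed value, the `HotpVerifier` and `TotpVerifier` classes and their look-ahead/skew parameters are constructed for this example; a real deployment keeps the seed in the token or an HSM and the per-user counter in the backend's user record.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the Unix time divided by the step length."""
    return hotp(secret, at // step, digits, algo)


class HotpVerifier:
    """Backend side of the check for an event-based (hardware) token.

    The server stores the next expected counter per user. A submitted code is accepted
    only if it matches one of the next look_ahead + 1 counters (tolerating codes the
    user generated but never sent). On success the stored counter moves past the
    matched value, so the same code can never be replayed.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self._secret = secret
        self.counter = 0  # next counter value the server expects
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self._secret, c), submitted):
                self.counter = c + 1
                return True
        return False


class TotpVerifier:
    """Backend side of the check for a time-based (soft) token.

    Accepts the current step plus/minus `skew` steps of clock drift, and records the
    last step that was consumed so a code can be used only once (RFC 6238, section 5.2).
    """

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self._secret = secret
        self.step = step
        self.skew = skew
        self._last_used_step = -1

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for s in range(current - self.skew, current + self.skew + 1):
            if s <= self._last_used_step:
                continue  # already consumed, or older than a consumed step: reject replay
            if hmac.compare_digest(hotp(self._secret, s), submitted):
                self._last_used_step = s
                return True
        return False


if __name__ == "__main__":
    # Constructed demo seed (the RFC 4226 / RFC 6238 test-vector secret), not a real credential.
    seed = b"12345678901234567890"
    backend = HotpVerifier(seed)
    response = hotp(seed, 0)                          # token answers the challenge
    print("first login accepted:", backend.verify(response))   # True
    print("replayed code accepted:", backend.verify(response)) # False
    print("current TOTP:", totp(seed, int(time.time())))
```

The look-ahead window in `HotpVerifier` is what lets a user recover after pressing the token button a few times without logging in; the replay rejection in both verifiers is the property that makes a captured OTP useless a second time, which is the reason the backend, not the app, must hold the counter or last-used step.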
curiouswebster, Software Engineer
Author
Commented:
> The ideal case is that use of a hardware element is needed for the apps to secure the wallet that stores your digital "money".

How do Mobile apps do with secure access to on-board hardware on the phone?
btan, Exec Consultant
Distinguished Expert 2018
Commented:
One good example is Apple Pay; see its security whitepaper, https://www.apple.com/business/docs/iOS_Security_Guide.pdf (page 34):
How Apple Pay uses the Secure Element

The Secure Element hosts a specially designed applet to manage Apple Pay. It also includes payment applets certified by the payment networks. Credit, debit, or prepaid card data is sent from the payment network or card issuer encrypted to these payment applets using keys that are known only to the payment network and the payment applets' security domain. This data is stored within these payment applets and protected using the Secure Element's security features. During a transaction, the terminal communicates directly with the Secure Element through the Near Field Communication (NFC) controller over a dedicated hardware bus.

How Apple Pay uses the NFC controller

As the gateway to the Secure Element, the NFC controller ensures that all contactless payment transactions are conducted using a point-of-sale terminal that is in close proximity with the device. Only payment requests arriving from an in-field terminal are marked by the NFC controller as contactless transactions.

Once payment is authorized by the card holder using Touch ID or passcode, or on an unlocked Apple Watch by double-clicking the side button, contactless responses prepared by the payment applets within the Secure Element are exclusively routed by the controller to the NFC field. Consequently, payment authorization details for contactless transactions are contained to the local NFC field and are never exposed to the application processor. In contrast, payment authorization details for payments within apps and on the web are routed to the application processor, but only after encryption by the Secure Element to the Apple Pay Server.

Apple Pay components
  1. Secure Element: The Secure Element is an industry-standard, certified chip running the Java Card platform, which is compliant with financial industry requirements for electronic payments.
  2. NFC controller: The NFC controller handles Near Field Communication protocols and routes communication between the application processor and the Secure Element, and between the Secure Element and the point-of-sale terminal.
  3. Wallet: Wallet is used to add and manage credit, debit, rewards, and store cards and to make payments with Apple Pay. Users can view their cards and additional information about their card issuer, their card issuer’s privacy policy, recent transactions, and more in Wallet. Users can also add cards to Apple Pay in Setup Assistant and Settings.
  4. Secure Enclave: On iPhone and iPad and Apple Watch Series 1 and Series 2, the Secure Enclave manages the authentication process and enables a payment transaction to proceed. It stores fingerprint data for Touch ID.
  5. On Apple Watch, the device must be unlocked, and the user must double-click the side button. The double-click is detected and passed to the Secure Element or Secure Enclave where available, directly without going through the application processor.
  6. Apple Pay Servers: The Apple Pay Servers manage the state of credit and debit cards in Wallet and the Device Account Numbers stored in the Secure Element. They communicate both with the device and with the payment network servers. The Apple Pay Servers are also responsible for re-encrypting payment credentials for payments within apps.
curiouswebster, Software Engineer
Author
Commented:
I am trying to understand if Mobile apps can be as secure as Native apps. Is it safe to say the answer is "no, they are not"?

Apple Pay is only available as an app, true? It seems highly unlikely this kind of functionality could be created using a Mobile App.

Please advise.
curiouswebster, Software Engineer
Author
Commented:
I am glad you brought up the subject, but I need a beginner's guide to Google Wallet and Apple Pay. Here is the new question I asked:

https://www.experts-exchange.com/questions/29058418/Google-Wallet-and-Apple-Pay-what-do-these-programs-do-and-how-do-they-do-it.html
curiouswebster, Software Engineer
Author
Commented:
Thanks
btan, Exec Consultant
Distinguished Expert 2018
Commented:
I will say both, if such apps depend on the way they protect your credit card and interface to the payment gateways. The hardware element's value is more the authentication provided by the device. Other than that, either app depends on how it is developed. Installed apps can be just as secure. The example of Apple Pay is another secure app.