Apps are often built with third-party toolkits that include functionality the banks, and sometimes even the developers, do not know exists. For example, some apps connect not only to the bank's back-end but also to third-party tracking and analytics services, risking the leakage of customer data along the way.
And while apps are designed to deliver fast performance to customers, those that cache personal data on the device to do so can leave that data insecure. Even properly encrypted data tied to the device owner is at risk when the customer sells or gives away an old phone, a common practice on contract upgrades.
Smartphones also offer a range of extra information, such as GPS location data, that can improve security by confirming that a requested transaction is being made from the same place as the customer. Banks need the customer's express permission to collect and process that kind of data, however, or they risk breaching data protection law.
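The location check described above, as an added example that is not part of the original article or any bank's code: a transaction's location (for instance an ATM or merchant) is compared with the last location the device reported, and the transaction is flagged only when the two are implausibly far apart. The 50 km threshold, the 10-minute freshness limit, the allowance for the GPS accuracy radius, and the sample coordinates are all assumptions chosen for illustration. The check deliberately returns "skip" when the customer has not consented or no fix is available, so the absence of location data is never treated as evidence of fraud.

```python
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


@dataclass
class DeviceFix:
    """Last location reported by the customer's phone (constructed sample data)."""
    lat: float
    lon: float
    accuracy_m: float   # radius reported by the platform location API
    age_s: float        # seconds between the fix and the transaction request


def location_check(txn_lat: float, txn_lon: float,
                   fix: Optional[DeviceFix], consent: bool,
                   max_km: float = 50.0, max_age_s: float = 600.0) -> str:
    """Classify a transaction against the device's location.

    Returns one of:
      "skip"     - no consent or no fix; location must not be used as a signal
      "stale"    - the fix is too old to say anything about where the phone is now
      "match"    - device and transaction are within the allowed radius
      "mismatch" - device and transaction are implausibly far apart
    """
    if not consent or fix is None:
        return "skip"
    if fix.age_s > max_age_s:
        return "stale"
    distance = haversine_km(txn_lat, txn_lon, fix.lat, fix.lon)
    # Widen the radius by the reported accuracy so a coarse fix is not punished.
    allowed = max_km + fix.accuracy_m / 1000.0
    return "match" if distance <= allowed else "mismatch"


# Constructed sample: a card-present transaction in central London (assumed coords).
TXN_LONDON = (51.5074, -0.1278)
FIX_CANARY_WHARF = DeviceFix(lat=51.5054, lon=-0.0235, accuracy_m=65.0, age_s=45.0)
FIX_MANCHESTER = DeviceFix(lat=53.4808, lon=-2.2426, accuracy_m=30.0, age_s=120.0)
FIX_OLD = DeviceFix(lat=53.4808, lon=-2.2426, accuracy_m=30.0, age_s=7200.0)


def demo() -> dict:
    """Run the check over the constructed samples and return the verdicts."""
    return {
        "nearby_fix": location_check(*TXN_LONDON, FIX_CANARY_WHARF, consent=True),
        "distant_fix": location_check(*TXN_LONDON, FIX_MANCHESTER, consent=True),
        "stale_fix": location_check(*TXN_LONDON, FIX_OLD, consent=True),
        "no_consent": location_check(*TXN_LONDON, FIX_MANCHESTER, consent=False),
        "no_fix": location_check(*TXN_LONDON, None, consent=True),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

A "mismatch" is a signal for step-up authentication or a fraud rule, not an automatic decline: the customer may legitimately have left the phone at home, and the consent and freshness branches exist precisely so that gaps in the data do not become false positives.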
It isn't solely the security of their own apps that banks need to consider. As yet there is not a large volume of malicious software on smartphones. Nevertheless, as we rely more on smartphones we can expect to see the same kinds of sophisticated attacks that currently target desktops. Indeed, there is already evidence of a surge in malware aimed at, for example, the SMS messages that banks use to authenticate payments. The security challenge facing banks will be to ensure their app continues to function safely even when the user has installed other, insecure applications on the same device.
And customer devices are not the only source of security weakness. The majority of apps connect to a web-based back-end banking application that can also be compromised, so testing should cover those systems as well.
Mobile apps are a valuable new channel for communicating with customers, but inevitably they raise security issues.
Banks should therefore apply the same sophisticated testing and monitoring they use in other channels to their mobile banking proposition, and to the external app stores through which it is distributed, in order to manage the risks to customers and to the firm's reputation.