How to comply with RBI guidelines on security of mobile banking applications and transactions?



RBI Compliance for Safe Mobile Banking

India is one of the largest mobile banking markets in the world. As per the Indian Department of Financial Services, the number of financial transactions through mobile phones in India is 18,592 crore. Unified Payments Interface (UPI), a technology developed in India, now leads the fintech world: it is used in India as well as Singapore, UAE, France, Mauritius, Nepal, Bhutan, and Sri Lanka.


As the number of transactions is huge and growing continuously, mobile banking applications must have a strong security architecture to keep users' information secure. Otherwise, the sensitive financial and personal data of billions of people will be at risk.

To safeguard mobile banking apps, the Reserve Bank of India (RBI) has issued guidelines that companies and developers building banking apps must follow to protect their users' information. These guidelines apply to the Regulated Entities (REs) listed below:

  • Scheduled Commercial Banks (excluding Regional Rural Banks)

  • Small Finance Banks

  • Payments Banks

  • Credit card issuing Non-Banking Financial Companies (NBFCs)


Table of contents

  • RBI Guidelines for Mobile Banking Apps Security

  • Bugsmirror Defender: Seamless Security Solution for RBI Compliance

RBI Guidelines for Mobile Banking Apps Security

The REs must know, understand and follow these guidelines:

1. They shall conduct security testing, including source code review, Vulnerability Assessment (VA) and Penetration Testing (PT), of their digital payment applications to ensure that the applications are secure.

2. The communication protocol in the digital payment channels (especially over Internet) shall adhere to a secure standard. An appropriate level of encryption and security shall be implemented in the digital payment ecosystem.

3. In case of any anomalies or unexpected behavior for which the mobile app was not designed, customers should be prompted to remove the current version and install a fresh copy. REs must verify the app version before enabling transactions.

4. Implement a feature that checks whether the device is rooted or jailbroken before installing the app. If the device is rooted/jailbroken, the app should be prevented from installing or functioning.

5. Incorporate code obfuscation techniques to protect the app’s source code from reverse engineering or tampering. This ensures that sensitive logic remains difficult to decipher by malicious actors.

6. Host the checksum of the current version of the app on a public platform to allow users to verify it.

7. REs must ensure proper device binding for the mobile application.

8. They should consider alternatives to SMS-based OTP mechanisms for additional layers of authentication.

9. Apps should detect inactivity over a specified period, new network connections, or connections from unsecured networks (e.g., unsecured Wi-Fi). They must implement proper authentication measures for transactions under these conditions.

10. The apps should not store or retain sensitive information such as user IDs, passwords, keys, hashes, or hard-coded references on the device.

11. Implement native encryption and decryption for local data storage, including temporary files.

12. Integrate anti-malware features within the mobile app.

13. Protect mobile applications from SQL injection vulnerabilities.

14. Ensure secure download and installation of the mobile app once baseline security requirements are met.

15. Deactivate older versions of the app in a phased but timely manner. Aim to maintain only one active version, excluding the overlap period during the phase-out of older versions.

16. Implement sandboxing or containerization for the application.

17. The mobile banking application should have the capability to identify remote access applications, where feasible, and block remote login access to the app.


By complying with these guidelines, the REs can ensure that their mobile banking apps do not fall short on transaction security or user information security.
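As an added illustration that is not part of the original post or of the Bugsmirror product, the Python sketch below shows how an RE's back end could combine items 3, 6, 9 and 15 into one transaction gate: the reported app version and its published checksum are verified before a transaction is enabled, retired versions are refused, and inactivity, a new network or an unsecured network forces re-authentication. The release register, build bytes, field names and the five-minute inactivity limit are constructed assumptions.

```python
# Added illustration (not RBI or Bugsmirror code); names, data and thresholds are assumed.
from dataclasses import dataclass
from typing import Optional
import hashlib, hmac

INACTIVITY_LIMIT_S = 300  # assumed policy: 5 minutes idle forces re-authentication (item 9)

def publish_checksum(build: bytes) -> str:
    """Item 6: the SHA-256 the RE hosts publicly for a released build."""
    return hashlib.sha256(build).hexdigest()

BUILD_CURRENT = b"constructed-build-4.2.0"  # constructed stand-in for a real APK/IPA
BUILD_OLD = b"constructed-build-4.1.0"      # constructed stand-in for the previous build
RELEASES = {  # constructed release register: version -> (published checksum, still active?)
    "4.2.0": (publish_checksum(BUILD_CURRENT), True),  # the single active version
    "4.1.0": (publish_checksum(BUILD_OLD), False),     # phased out (item 15)
}

@dataclass
class Session:
    app_version: str      # version string the client reports
    app_checksum: str     # hex SHA-256 the client computed over its installed build
    last_activity: float  # epoch seconds of the last authenticated action
    network_id: str       # network the session was authenticated on (assumed field)

def verify_app(session: Session) -> Optional[str]:
    """Items 3, 6, 15: refuse unknown, retired or tampered builds; returns the user action."""
    entry = RELEASES.get(session.app_version)
    if entry is None:
        return "unknown version: prompt reinstall"
    checksum, active = entry
    if not active:
        return "retired version: prompt update"
    if not hmac.compare_digest(checksum, session.app_checksum):
        return "checksum mismatch: prompt reinstall"
    return None

def needs_reauth(session: Session, now: float, network_id: str, secured: bool) -> bool:
    """Item 9: inactivity, a new network, or an unsecured network (e.g. open Wi-Fi)."""
    inactive = now - session.last_activity > INACTIVITY_LIMIT_S
    return inactive or network_id != session.network_id or not secured

def gate_transaction(session: Session, now: float, network_id: str, secured: bool) -> str:
    reason = verify_app(session)  # result is 'allow', 'reauth' or 'deny: <reason>'
    if reason:
        return "deny: " + reason
    if needs_reauth(session, now, network_id, secured):
        return "reauth"
    session.last_activity = now  # activity counts only once the request is allowed
    return "allow"
```

In a real deployment the checksum would be computed over the signed package and compared against the value the RE hosts publicly, and the inactivity limit would follow the RE's own risk policy.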

Bugsmirror Defender: Seamless Security Solution for RBI Compliance

Bugsmirror Defender ensures easy compliance with all RBI-mandated security requirements for mobile banking apps. Equipped with Runtime Application Self-Protection (RASP) technology and industry-leading runtime security controls, it safeguards apps against over 45 security threats, including Runtime Code Injection, Debugging, Hooking, and Rooting. Our in-depth analysis of RBI guidelines allows us to guide you through every compliance step. Integrating Bugsmirror Defender into your app will fortify it with the strongest security measures, ensuring secure transactions and full adherence to RBI standards. Additionally, our comprehensive security audit and testing services identify and help to resolve vulnerabilities, providing complete peace of mind. Ensure your mobile banking app is RBI-compliant and secure with Bugsmirror Defender. Contact us today to stay ahead of evolving threats.

- Vivek Tanwani
