India is one of the largest mobile banking markets in the world. According to the Indian Department of Financial Services, the number of financial transactions carried out through mobile phones in India stands at 18,592 crore. Unified Payments Interface (UPI), a technology developed in India, has become a leading fintech platform: besides India, it is accepted in Singapore, the UAE, France, Mauritius, Nepal, Bhutan, and Sri Lanka.
Since the volume of transactions is already huge and growing continuously, mobile banking applications must be built on a sound security architecture to keep users' information secure. Otherwise the sensitive financial and personal data of hundreds of millions of people is at risk.
To address the security of mobile banking apps, the Reserve Bank of India (RBI) has issued guidelines (the Master Direction on Digital Payment Security Controls, 2021) that companies and developers building banking apps must follow to protect their users' information. These guidelines apply to the Regulated Entities (REs) listed below:
Scheduled Commercial Banks (excluding Regional Rural Banks)
Small Finance Banks
Payments Banks
Credit card issuing Non-Banking Financial Companies (NBFCs)
RBI Guidelines for Mobile Banking Apps Security
The REs must know, understand and follow these guidelines:
1. They shall conduct security testing, including source code review, Vulnerability Assessment (VA) and Penetration Testing (PT), of their digital payment applications to assure that the applications are secure.
2. The communication protocol used in digital payment channels (especially over the Internet) shall adhere to a secure standard, and an appropriate level of encryption and security shall be implemented across the digital payment ecosystem. In practice this means a current TLS version with a hardened configuration between the app and the backend, not a proprietary scheme.
3. In case of any anomalies or unexpected behavior for which the mobile app was not designed, customers should be prompted to remove the current version and install a fresh copy. REs must verify the app version before enabling transactions.
4. Implement a check for whether the device is rooted or jailbroken, and prevent the app from being installed or from functioning on such a device. In practice the check runs when the app launches (app stores do not let an app vet the device before installation), and because it executes on a device the attacker controls it can be bypassed, so its result should be treated as a signal to be corroborated server-side rather than as a guarantee.
5. Incorporate code obfuscation to make the app harder to reverse engineer or tamper with. Obfuscation raises the effort needed to recover sensitive logic; it does not make that logic unreadable, so secrets must still not be embedded in the client.
6. Host the checksum of the current version of the app on a public platform so that users can verify the integrity of the copy they downloaded.
7. REs must ensure proper device binding for the mobile application, so that a session is tied to the specific enrolled device rather than to the user's credentials alone.
8. They should consider alternatives to SMS-based OTP mechanisms for additional layers of authentication.
9. Apps should detect inactivity beyond a specified period, a change of network connection, or a connection over an unsecured network (e.g., open Wi-Fi), and must require proper authentication for transactions under those conditions.
10. The apps should not store or retain sensitive information such as user IDs, passwords, keys, hashes, or hard-coded references on the device.
11. Implement native encryption and decryption for local data storage, including temporary files.
12. Integrate anti-malware features within the mobile app.
13. Protect mobile applications from SQL injection vulnerabilities, for example by using parameterized queries rather than building SQL text from user input.
14. Ensure secure download and installation of the mobile app once baseline security requirements are met.
15. Deactivate older versions of the app in a phased but timely manner. Aim to maintain only one active version, excluding the overlap period during the phase-out of older versions.
16. Implement sandboxing or containerization for the application.
17. The mobile banking application should have the capability to identify remote access applications, where feasible, and block remote login access to the app.
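Guidelines 3, 6 and 15 fit together on the backend: publish a checksum per release, let the client report the version and checksum of the binary it is running, and refuse to enable transactions for unknown, tampered or retired builds while phasing out the previous version over a fixed overlap window. The following is an added example written for this post, not code from the page or from any RE; the class names, the version strings, the 30-day overlap and the fake binaries are all assumptions constructed for illustration.

```python
"""App version and checksum gate for a mobile banking backend (illustrative).

Hypothetical example: everything here (class names, versions, the fake
binaries, the 30-day overlap) is constructed for the demonstration.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a release binary; this is the value hosted publicly."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Release:
    version: str
    sha256: str
    # None while this is the current build; a date once it enters phase-out.
    deprecated_after: Optional[date]


class ReleaseRegistry:
    """Tracks published builds and enforces the 'one active version' rule."""

    def __init__(self, overlap_days: int = 30) -> None:
        self.overlap_days = overlap_days
        self._releases: Dict[str, Release] = {}

    def publish(self, version: str, binary: bytes, today: date) -> None:
        """Record a new current build and start the phase-out clock for the
        build that was current until now (guideline 15)."""
        for v, rel in list(self._releases.items()):
            if rel.deprecated_after is None:
                self._releases[v] = replace(
                    rel, deprecated_after=today + timedelta(days=self.overlap_days))
        self._releases[version] = Release(version, sha256_hex(binary), None)

    def public_checksums(self) -> Dict[str, str]:
        """The version -> checksum table to host on a public page (guideline 6)."""
        return {v: r.sha256 for v, r in self._releases.items()}

    def check(self, version: str, reported_sha256: str, today: date) -> Tuple[bool, str]:
        """Decide whether a client running (version, checksum) may transact.

        Returns (allowed, message); the message is what the app shows the user.
        """
        rel = self._releases.get(version)
        if rel is None:
            return False, "unknown app version: remove the app and reinstall it from the official store"
        # Constant-time compare on bytes: the reported value is attacker-controlled input.
        reported = reported_sha256.strip().lower().encode()
        if not hmac.compare_digest(rel.sha256.encode(), reported):
            return False, "checksum mismatch: the installed build is tampered or corrupt, reinstall it"
        if rel.deprecated_after is not None:
            if today > rel.deprecated_after:
                return False, f"version {version} has been retired: update to continue"
            return True, f"version {version} is being phased out; update before {rel.deprecated_after}"
        return True, "ok"


def verify_download(binary: bytes, published: Dict[str, str], version: str) -> bool:
    """The user-side check against the hosted table: does my download match?"""
    expected = published.get(version)
    return expected is not None and hmac.compare_digest(expected.encode(), sha256_hex(binary).encode())


if __name__ == "__main__":
    # Constructed scenario: 2.0.0 shipped in May, 2.1.0 in June, so 2.0.0 retires on 1 July.
    reg = ReleaseRegistry(overlap_days=30)
    reg.publish("2.0.0", b"fake-apk-bytes-2.0.0", today=date(2024, 5, 1))
    reg.publish("2.1.0", b"fake-apk-bytes-2.1.0", today=date(2024, 6, 1))
    table = reg.public_checksums()
    print(verify_download(b"fake-apk-bytes-2.1.0", table, "2.1.0"))
    print(reg.check("2.0.0", table["2.0.0"], date(2024, 6, 15)))   # allowed, phase-out warning
    print(reg.check("2.0.0", table["2.0.0"], date(2024, 7, 2)))    # refused, retired
    print(reg.check("2.1.0", sha256_hex(b"patched"), date(2024, 7, 2)))  # refused, tampered
```

The caveat a practitioner will spot immediately: the checksum the client reports is self-attested, so a tampered app can simply report the published value. The gate above is worth having for version control and for catching corrupt or outdated installs, but evidence that the running binary is genuine has to come from platform attestation (Google Play Integrity on Android, App Attest on iOS), which returns a statement signed by the platform rather than by the app.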
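Guidelines 7 and 9 describe a server-side decision: is this request coming from the device the user enrolled, and has anything happened since the last authenticated request (idle time, a new network, an open Wi-Fi) that should force re-authentication before a transaction goes through? The following is an added example for this post, not code from the page or from any RE. Its assumptions, all constructed for illustration: the app sends a stable device identifier and a description of its current network with each request, the server holds a secret key for the binding HMAC, the idle limit is five minutes, and the network classification strings are invented.

```python
"""Device binding and step-up authentication policy for a banking backend.

Hypothetical example: the server key, device ids, network labels, the
five-minute idle limit and the timeline are all constructed for the demo.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

INACTIVITY_LIMIT_S = 5 * 60                                      # assumed policy
TRUSTED_NETWORK_TYPES = {"cellular", "wifi_wpa2", "wifi_wpa3"}   # assumed classification


def bind_device(server_key: bytes, user_id: str, device_id: str) -> str:
    """Binding token issued at enrolment: HMAC-SHA256 over (user, device).

    Stored with the user's profile. A request from any other device cannot
    reproduce it, because only the server holds the key.
    """
    msg = user_id.encode() + b"\x00" + device_id.encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()


@dataclass
class Session:
    user_id: str
    bound_token: str       # from bind_device() at enrolment
    last_seen: float       # Unix time of the last authenticated request
    network_id: str        # opaque id of the network seen last (e.g. hashed SSID / carrier)
    network_type: str      # one of TRUSTED_NETWORK_TYPES, or anything else


@dataclass(frozen=True)
class Request:
    device_id: str
    now: float
    network_id: str
    network_type: str


class TransactionPolicy:
    """Returns 'allow', 'step_up' (re-authenticate first) or 'deny', with reasons."""

    def __init__(self, server_key: bytes) -> None:
        self._key = server_key

    def evaluate(self, s: Session, r: Request) -> Tuple[str, List[str]]:
        expected = bind_device(self._key, s.user_id, r.device_id)
        if not hmac.compare_digest(expected, s.bound_token):
            # A device the user never enrolled is a hard stop, not a step-up.
            return "deny", ["device_not_bound"]
        reasons: List[str] = []
        if r.now - s.last_seen > INACTIVITY_LIMIT_S:
            reasons.append("inactive")
        if r.network_id != s.network_id:
            reasons.append("network_changed")
        if r.network_type not in TRUSTED_NETWORK_TYPES:
            reasons.append("unsecured_network")
        return ("step_up" if reasons else "allow"), reasons

    @staticmethod
    def record(s: Session, r: Request) -> None:
        """Update the session after the request (and any step-up) succeeded."""
        s.last_seen = r.now
        s.network_id = r.network_id
        s.network_type = r.network_type


if __name__ == "__main__":
    # Constructed timeline for one user enrolled on device "dev-A".
    key = b"constructed-server-key-do-not-reuse"
    session = Session("u1", bind_device(key, "u1", "dev-A"), 1000.0, "net-home", "wifi_wpa2")
    policy = TransactionPolicy(key)
    print(policy.evaluate(session, Request("dev-A", 1100.0, "net-home", "wifi_wpa2")))  # allow
    print(policy.evaluate(session, Request("dev-A", 1400.0, "net-home", "wifi_wpa2")))  # step_up: idle
    print(policy.evaluate(session, Request("dev-A", 1100.0, "net-cafe", "wifi_open")))  # step_up: network
    print(policy.evaluate(session, Request("dev-B", 1100.0, "net-home", "wifi_wpa2")))  # deny
```

Two design points. The network context is reported by the app, so a compromised client can lie about it; the policy still raises the bar for an attacker who has only stolen credentials, which is what guideline 9 is after. And an HMAC over a reported device identifier is the weakest form of binding: a stronger one generates a key pair in the device's hardware keystore at enrolment and has the server verify a signed challenge on each sensitive request, so the binding cannot be copied by reading an identifier off the device.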
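Guideline 13 is the one item on the list that is entirely a coding matter. In a mobile app the SQL usually targets a local SQLite store (a payee list, a transaction cache), and the defect is the same as on a server: user input spliced into the SQL text. The following added example, written for this post rather than taken from the page or any real app, puts the vulnerable query beside the parameterized one and runs a classic payload through both; the table, rows and payload are constructed.

```python
"""SQL injection against an app's local SQLite store: vulnerable vs hardened.

Hypothetical example: the schema, rows and payload are constructed for the demo.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the app's local database, seeded with two users' payees."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE payees (owner TEXT, name TEXT, account TEXT)")
    con.executemany("INSERT INTO payees VALUES (?, ?, ?)", [
        ("alice", "Landlord", "ACC-1001"),
        ("alice", "Electricity", "ACC-1002"),
        ("bob", "Bob's savings", "ACC-2001"),
    ])
    return con


def payees_vulnerable(con: sqlite3.Connection, owner: str) -> List[Tuple[str, str]]:
    """BAD: the caller's string becomes part of the SQL statement itself."""
    sql = "SELECT name, account FROM payees WHERE owner = '%s'" % owner
    return con.execute(sql).fetchall()


def payees_safe(con: sqlite3.Connection, owner: str) -> List[Tuple[str, str]]:
    """GOOD: the SQL text is fixed; the value travels as a bound parameter."""
    return con.execute(
        "SELECT name, account FROM payees WHERE owner = ?", (owner,)
    ).fetchall()


INJECTION_PAYLOAD = "alice' OR '1'='1"   # constructed: turns the WHERE clause into a tautology


if __name__ == "__main__":
    db = make_db()
    print(payees_vulnerable(db, "alice"))              # 2 rows, looks fine in testing
    print(payees_vulnerable(db, INJECTION_PAYLOAD))    # 3 rows: bob's payee leaks too
    print(payees_safe(db, INJECTION_PAYLOAD))          # [] : no owner has that literal name
```

On Android the same distinction is between concatenating into the string passed to `SQLiteDatabase.rawQuery()` and passing the values through its `selectionArgs` parameter (or using a Room DAO with `@Query` parameters); on iOS it is between string interpolation and `sqlite3_bind_*`. The rule does not change with the platform: the SQL text is code, and user input must never be part of it.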
By complying with these guidelines, REs can ensure that their mobile banking apps do not fall short on transaction security or on the security of their users' information.