Wednesday, January 13, 2010

Android spells the end of secure mobile payments

When Android was announced as an operating system (eighteen months ago), I predicted that it could lead to serious security attacks (Read the last paragraph in my blog). In a recent (much publicised) incident, this is exactly what happened. A rogue application that utilises phishing techniques to steal banking details appeared for Android-based mobile phones. While this is the first known incident, expect many more to follow. Android as an operating system is just ideal for developing applications with ill intent.

I believe that there are two sides to this story:

a. This is the end of the promise of secure mobile banking (at least on Android-driven phones). All the potential of not repeating the challenges of browser-based banking has now disappeared. Developers of mobile banking solutions (and operational executives) will have to consider this reality whenever they launch products or design business processes.

b. Android is here to stay. It is a reality that we as mobile banking professionals will have to live with. It is important that solutions are designed in such a way as to take cognisance of the holes in Android, but more importantly, that consumers are educated on how to work with necessary new security mechanisms (like memorable items).


Marius said...

Hannes, I do not understand why you single out Android. Phishing has nothing to do with the security of the OS but uses the ignorance of the user to get that person's security details. Whether the OS is Android, Symbian, Windows Mobile or even Maemo (the new Nokia device), if the user does not take cognisance of what he is doing, his banking/security details will be compromised.

Windows Mobile is far more unsecure than Android. Even iPhone has its holes and security problems.

In fact, I believe that Linux-based OSes like Android and Maemo offer way more security than others.

Luka said...

I do not agree with your point, because the problem is not as Android-related as you suggest. If a malicious dev creates an app on Apple's App Store, and puts in a little backdoor that is not noticed by the reviewer (as several porn apps did), then the app could lead to exactly the same problems.

It is not specific OS / SDK / API... that are dangerous, it is the lack of education of users, for whom security is a complicated word in the tech field.

Nealle said...

I have to agree with the other comments; I don't believe that this is a specific issue of Android. WinMo has had "uncontrolled" apps for years, and I am sure that if we searched we could find apps that have had trojans or back doors in them.

I think the iPhone, which I have, is perhaps more vulnerable since we rely on a single place to verify the apps. The review process is not transparent and we don't know what Apple really checks. I bet they do not check every line of code.

It is up to the device owner to load an app from a developer that they trust, just as they would on a PC or Mac.