Android Is mbanking safe?

[scott1391990]

I have been using the netbanking feature of PNB from some years and really like the benefits of a netbanking service but haven't tried the mbanking yet, due to fear.
Is it safe to use it or should I skip it? I don't do that much NEFT transfers but only transact for buying online.
Have been using the free version of eset on my phone as well but it is better to ask others than take a leap of faith

 

[Sobirvs]

I have PNB too and I use aot of mbanking. The app itself. Its fantastic , love it. and the best feature is , they have IMPS aswell. Though they had imps in netbanking aswell.

 

[scott1391990]

That's good but not beneficial for me as I don't send money to anyone.
Have you installed any antivirus or something? Any other precautions?
I think I won't be installing it atm.

 

[axeman]

Simple answer: No

Source: We have unfortunately tested apps for almost all the banks in India, with the exception of 2.

BTW IOS Apps are worse off.

 

[Criminal]

That's good but not beneficial for me as I don't send money to anyone.

you already use NEFT. IMPS will be faster.

 

[Sobirvs]

Simple answer: No

Source: We have unfortunately tested apps for almost all the banks in India, with the exception of 2.

BTW IOS Apps are worse off.

they do work, you can't expect banks apps to follow iOS, android guidelines for designs. They provide 2 things only and those are functionality and security and I think those are what indian banks care about. I hope they follow design guidelines aswell though.[DOUBLEPOST=1427191903][/DOUBLEPOST]

you already use NEFT. IMPS will be faster.

this. NEFT Charges is 3rs in pnb and 5.62rs for IMPS. Not much but IMPS is a god send.[DOUBLEPOST=1427191944][/DOUBLEPOST]

Simple answer: No

Are you saying about security? I wanna know why aren't they secure enough, your post really doesn't say much.

 

[axeman]

They just arent secure enough, in terms of local storage, data encryption, param manipulation, session handling mech, error handling followed etc. We will usually end up coaching them on this, and they take months to get the changes done. Basically very poor understanding.

And IOS they think is the baap of all OS, so they code in a lackadaisical way that you can completely decompile the ipa file and then it is up to anyone to find loopholes. We recently were able to break the encryption channel of a banking app, fortunately they had not yet released it online and are fixing it before release.

We have found manufacturing companies which have better process of app coding than most of our banks and online cos.

So, they offer just functionality unless they are rigorous about testing.

 

[blr_p]

Source: We have unfortunately tested apps for almost all the banks in India, with the exception of 2.

Who is 'we' and can you link the test report ?

I have been using the netbanking feature of PNB from some years and really like the benefits of a netbanking service but haven't tried the mbanking yet, due to fear.

if you are comfortable with netbanking then why does mobile banking scare you.

See, i'm afraid of netbanking itself. and what i fear about mobile banking is if i lose my phone....

 

[Crapmypants]

We have unfortunately tested apps for almost all the banks in India, with the exception of 2.

Who is 'we' and can you link the test report ?

Hahaha, I had the exact same 2 questions. I wasn't considering mobile banking however i keep getting spam from hdfc to try it and thought it might be of some use but the lack of awareness about app security always kept me away. Guess i'll avoid it for now. But please do link/post any info or testing done on these apps if you have any (@axeman).

 

[axeman]

Can't.

1. NDA with customers
2. Sensitive information

Why not google and find out? We often present at conferences, youtube or other such places will have many companies sharing similar information.

 

[singenaadam]

Make sure that you use the stock keyboard. Don't use pirated keyboards for banking apps.

 

[Crapmypants]

1. NDA with customers
2. Sensitive information

Oh, didn't realize you came across this during your work. totally understand.
I was just curious to know which bank had the worst app

Don't use pirated keyboards for banking apps.

I don't know if you're being sarcastic or if there actually is such a thing as a 'pirated keyboard'. do you mean a pirated copy of one of those keypad apps?

 

[karantena35]

There is no website which is 100% secure to use. Same situation is with app's. In my opinions app's are more "vulnerable".

But I use netbanking and mbanking in my country and so far didn't have any problem so far.

 

[axeman]

http://security.stackexchange.com/q...re-are-banking-applications-on-android-phones

https://nakedsecurity.sophos.com/2014/01/10/just-how-secure-is-that-mobile-banking-app/

http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html - One smallish IOS point here

http://www.zdnet.com/article/banking-apps-not-safe-from-os-vulnerabilities/

Some points i'll just put here, some start for reading for those of you interested. Best would of course be to look up conference videos and presentations.

 

[haiprazzad]

Make sure that you use the stock keyboard. Don't use pirated keyboards for banking apps.

I don't know if you're being sarcastic or if there actually is such a thing as a 'pirated keyboard'. do you mean a pirated copy of one of those keypad apps?

Ofcourse he means that, Yaar aap words pe mat jao ,Bhavnao Ko Samjho! <(-'.'-)>

 

[blr_p]

We often present at conferences, youtube or other such places will have many companies sharing similar information.

who is 'we' ?

 

[blr_p]

Right lets get into these

http://security.stackexchange.com/q...re-are-banking-applications-on-android-phones

basically the fear is a keylogger might have got installed, same with desktop OS. says unrooted is safer than rooted. don't sideload etc.

https://nakedsecurity.sophos.com/2014/01/10/just-how-secure-is-that-mobile-banking-app/

http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html - One smallish IOS point here

2 factor authentication, as in log in they send you an sms with a code to log in.

and about cert checking, this is how you can get phished.

the banking app is misdirected to a phishing site, for example while you are using an untrusted network such as a Wi-Fi hotspot, you simply won't know!

so you have to test if your app can be fooled in this way. maybe it can maybe it won't.

But unless you get an email that says do this or that you can't get phished.

http://www.zdnet.com/article/banking-apps-not-safe-from-os-vulnerabilities/

older one from 2013 which might be out of date today but talks about the same.

whether something is safe or not depends on understanding what the dangers are and whether they can be worked around. its still a hassle and one weak moment means you get sunk.

 

[ithehappy]

Nothing is safe, it all depends on your luck. If you are targeted by some hackers then you will be emptied, as simple as that. Also using a damn AV thinking that its protecting your informations is simply ridiculous. How much percentage of online users are affected anyway? 0.25%? A lot less actually. If you happen to be unlucky to fall in that teeny-tiny group then nothing you can do. But fearing about that and not using Mobile banking or internet banking is extremely stone aged thinking. I am not blaming OP here at all but all those dumbasses who just mislead and put fear into other users mind. These ****ers also say keep using a PSU bank, because they are safe!

ROFLMAO

 

[blr_p]

But fearing about that and not using Mobile banking or internet banking is extremely stone aged thinking.

So better would be to show people what to look out for. Phishing attacks one can be trained to look out for.

But possibility of keylogger means unless you use a sterlised device just for banking then you should not use a regular device for banking at all.

 

[scott1391990]

hmm. Not installing it as of yet as I rarely do transfers