Banks can regain the trust of their customers by placing more security focus on mobile banking design, one security architect has suggested.

Last week, a researcher found numerous vulnerabilities in 40 personal banking apps from 60 of the world’s largest banks.

Testing just iOS devices, Ariel Sanchez from IOActive discovered that 90% of the apps contained non-SSL links, meaning a hacker could potentially intercept the traffic and inject arbitrary JavaScript/HTML code in order to create a fake login phishing attempt.

John Smith, senior security architect for EMEA at application security tester Veracode, believes that following secure design and coding principles as part of the development process would significantly raise the security bar when it comes to mobile banking apps.

He said: "As part of this, comprehensive testing of both the client side and server side is essential in validating that the security practices are being followed and are achieving the aim of secure software."

A number of studies over recent years have shown that security concerns lead consumers to shun online channels and this is likely to be true of mobile apps as well.

Smith added: "As banks are trying to exploit lower cost customer engagement and using technology to differentiate themselves it is essential that customer confidence is high – so yes, this should be a concern for the banks.

"The advantages of multi-factor authentication – for example, something you know and something you have – are that they make it much harder for an attacker to impersonate a valid user. However, such technology does typically have an impact on usability and costs so a balanced approach should be taken based on the risks associated with the app."

In the case of full transactional banking apps, the risk will be high and so the authentication mechanism should be proportionately high strength.

"Veracode’s experience of testing mobile apps on both Android and iOS, however, shows that both platforms can be equally vulnerable to attack," said Smith.