Smartphone penetration is on the rise in emerging markets and can dramatically enhance the mobile money value proposition. As highlighted in the 2017 State of The Industry Report on Mobile Money, globally the percentage of providers who offer mobile money through a smartphone app has expanded from 56 per cent in 2015 to 73 per cent as of June 2017. In another blog post, we have shown the potential of smartphones to drive innovation in product and user experience (UX) design, and even to support a transformation of the mobile money business model.
From a technical perspective, there is more for providers to consider as they move beyond the ubiquitous, albeit limited, interfaces of SMS and USSD. First, smartphone applications rely on internet-based communication protocols, which are more “open” and may be subject to attacks that could expose the message payload being carried. Second, smartphone operating systems are more vulnerable to attacks that could uncover sensitive information processed at the application level. These new challenges can be addressed, however, with appropriate safeguards.
In 2015, professors specialising in security at the University of Florida (UF) released a paper analysing the security features of mobile money smartphone applications. The findings indicated a lack of any consistent approach to implementing measures against systemic vulnerabilities. While no actual breaches were reported, the inconsistent approaches revealed a wide variety of practices and different levels of risk exposure. A follow-up study in August 2017 demonstrated the challenges providers face in making improvements, as the lack of consistency still prevailed.
As a result, the GSMA approached Professors Patrick Traynor and Kevin Butler, two of the authors of the papers, to support a coordinated industry approach to improving the security offered by mobile money applications. We hosted a workshop with technology experts from mobile money providers and the UF professors to exchange information on security practices. We then partnered with the professors to convert the basic concepts and recommendations from the academic paper into a set of tactical steps for implementing best practices. Technical teams can refer to the detailed sections for in-depth knowledge, or, if they already have the expertise, use the summary checklist to verify adherence to all recommendations. We aimed to identify a proportionate level of effort for deploying the appropriate measures, in keeping with the basics of end-to-end encryption, using frameworks natively available on operating systems, and minimising interference with the user experience.
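As an added illustration of the "frameworks natively available on operating systems" point, the following Android Network Security Config (example written for this post, not taken from the GSMA/UF document) refuses plaintext traffic, trusts only the system CA store and pins the app's API host so that an intercepted or mis-issued certificate cannot expose the message payload. The host name and the pin values are placeholders; the real pins must be the SHA-256 of the server's public key (SPKI), with a backup pin for key rotation.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Reference it from AndroidManifest.xml:
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
-->
<network-security-config>

    <!-- Applies to every host the app talks to:
         no cleartext HTTP, and only CAs shipped with the OS are trusted
         (user-installed certificates, e.g. from a proxy, are ignored). -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Stricter rules for the mobile money API endpoint (placeholder host). -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.mobile-money.example</domain>

        <!-- Certificate pinning: the TLS chain must contain a public key whose
             SHA-256 matches one of these pins, even if a trusted CA signed it.
             The expiration date stops an expired pin set from locking users out. -->
        <pin-set expiration="2026-12-31">
            <!-- PLACEHOLDER: base64 SHA-256 of the current leaf/intermediate SPKI -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- PLACEHOLDER: backup pin for a key not yet deployed, so rotation
                 does not break the app -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>

        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>

</network-security-config>
```

Because the policy lives in the OS networking stack rather than in app code, every HTTPS library that honours the platform configuration inherits it, which is the low-interference route the post recommends; test a release build against a staging host before shipping, since a wrong pin makes the app unable to connect at all.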
Very nice article, right on point!