Petr Řezníček
Secured mobile app - a key to online business
Improve mobile security to open new business
A brief review of mobile apps for banking and of how improving mobile security can significantly increase value for end-users and organizations and open new business opportunities.

Mobile everyday
Mobile phones and mobile apps are with us every day. Great devices in our lives - small, smart. Always with us and with a number of features & functionalities. From basic calls, chats, multimedia & gaming, social inclusion and everyday electronic life (shopping & payments) to your full identity tool as a key to your online services.
Mobile as your ID wallet is your ticket to online banking, insurance, government, health, your diary, personal assistant, your social network etc.
Do you still think you don’t need a screen lock?
Rooting / jail-breaking your phone just to get the latest version of this fancy game?
How hard would it be for a hacker to misuse a mobile banking app?
We believe that privacy matters; furthermore, that trust can open new opportunities.
Therefore we are working hard to make your mobile life as simple, convenient and secure as possible!
The User versus security
Mobile devices and their applications are bringing new ways for us to communicate, interact with others and carry out everyday activities, including business.
This is especially true for banking where we see significant changes over time.
Mobile applications in financial services are no longer only reduced versions of internet banking as they are offering much more.
New API technologies allow us to combine data from multiple data sources and therefore create products and services that are relevant to a specific customer or group of customers (segments).
In today’s review, we would like to focus on the security aspects of mobile banking and the additional use cases that come along with implementation: from client identity enrollment, authentication scenarios, authorizations and electronic signatures to advanced use-cases.

Client onboarding and digital identity enrollment processes are essential for establishing electronic communication.
There are usually a number of options, and although it seems to be a very straightforward task, there are a number of concerns that should be taken into consideration:
Usability - the enrollment process is usually the client's first contact with the app, so a well-designed enrollment process can significantly improve the conversion ratio (or vice versa).
Compliance - in trying to improve the overall user experience, a number of applications fail to comply with regulatory requirements (for example PSD2).
Balancing usability and compliance is one of the key challenges for modern banking apps.

Once the best possible enrollment process has been set up, the mobile app can be used in a number of use cases as the authentication key, i.e. to enable secure login to online services.
Thanks to device binding features, we can enable simple login to the mobile app by entering a simple code (PIN) or simply by using biometric sensors.
For mobile-web and mobile-desktop scenarios, a number of additional authentication scenarios can be easily implemented to enable very convenient and secure login for online services. The best scenarios won’t even bother the user to enter a username or password.

From the mobile banking perspective, login transactions are not sufficient as clients are not only expecting to review the account balance but also to easily perform transactions on the mobile device.
Therefore, the following types of transaction need to be supported, including a supporting visualization layer:
Account transfers (multiple types)
Out-of-band authorisations (e.g. ecommerce & 3DS)
Non-financial transactions (dispo rights, setting card limits, …)
Document signatures
Sensitive data visualization

App-to-web, out-of-band scenarios, combination of the physical and digital world; these are very relevant to mobile authenticators and phone token solutions. Because multiple devices are being used (usually a desktop and the mobile), it is very important to design the user flow properly, as well as the overall security architecture, to achieve PSD2 compliance.
As more and more services are available on mobile devices, it is getting even more important to handle app-to-app scenarios. We have helped companies to design mobile app onboarding processes with a native on-mobile experience, as well as solutions for companies with a number of mobile apps where security flows are managed in one app that is designed as a key for all the other mobile apps.
This makes design and delivery of new and focused mobile apps even faster.
A few examples of secured mobile apps
Mobile app as primary interaction device with clients
Mobile devices are our everyday companions; well-designed applications can provide a 100 % desktop replacement, and users will like using them and will use them more often than the traditional desktop or web model. UX is a must, but security must come along.
New interaction channels
Mobile devices come with a number of extension features that make business-client interaction more engaging and valuable (e.g. location- or action-based events, interactive push notifications, advanced visualization options and many more).
Combining the physical and virtual world
We have designed the mobile to be a key for online services, but recent times show that our virtual and physical worlds need to be handled as one. So the same approach as for login to an online service (nicknameless and passwordless with a mobile key) needs to be used in the physical world (e.g. driving into a garage or building, letting you in to a concert, enabling you to board, getting you an authorisation code for vaccination or proof that you were vaccinated).
Logistics and deliveries
Covid-19 made significant changes to the shipment authorization process. The delivery market has multiplied several times in the last year, but there have been fundamental changes in the delivery process. Customers prefer contactless delivery, so enabling remote identity verification is key. For this purpose, the mobile key is the ideal tool to verify your identity securely, contactlessly and at no additional operating cost. The same system can be used for delivery to boxes, where the mobile key becomes a method for picking up the shipment.
Key to shared economy
As you can use a mobile key to enable access to any service that is available online, regardless of whether it is a virtual application or a physical device connected to the internet, there are a number of use-cases for the shared world of cars and many other things. These involve not only money transfer but also identity verification as well as fraud prevention.
Open-banking and banking identity
The mobile is the key to identity federations with strategic partners. For example, banks can offer the identity of their clients to third parties for identification. This gives clients a secure, fast and simple identification process online.
Covid-19 has accelerated digital adoption. We believe that both web and mobile applications can provide similar levels of service, user comfort and security, which are especially important for services dealing with sensitive data. To enable companies and developers to build new trusted web and mobile applications, we have designed a framework for complete online client security and provide a number of SDKs that enable quick application development with a high level of security standards.