Are Mobile Banking Apps as safe as banking via a PC browser?

GrahamLM52

My partner likes to manage our finances on a PC via a browser at home.

She is convinced that banking apps downloaded to a Smartphone or Tablet are much less secure than a PC browser. She does not like the idea of "carrying around all our financial information on a phone".

I've tried to convince her that provided she is logged into our Home Network, uses a good password and app log-in then an app supplied by our bank is just as safe as using a PC browser. She is not convinced.

Are there any App-Savvy techies out there that can confirm my belief (and convince my partner) that Mobile Banking Apps used properly on a Home Network are as secure as a PC browser?

Murmansk

Phone is more secure. You aren't carrying around all your financial info on a phone - you're carrying around the capacity to connect to the Internet and access your bank's systems. If you take appropriate measures to secure the phone it'll be as or more secure than the PC

k_man

It depends....

But an up to date mobile (not rooted) with a screen lock (that isn't 1234, 0000 etc) and only apps installed from official stores, is more secure than a PC where the user runs as an administrator all the time (most home PCs).

Also data access from a mobile via mobile data is considered secure, so not just home network access.

And depending how secure other devices at home are (PC with risk of malware... weak router security), mobile data could well be more secure.

Most sensitive apps now also use Https (encrypted traffic), so even public WiFi isn't the risk it once was.

Olinda99

Apps are much more more secure than a  generic browser - Chrome, Edge or whatever.

Banking apps are a 'walled garden' - bullet proof - nothing can attack them.

Browsers are general purpose, they are (to be fair) also pretty secure but multi-purpose and thus not as secure as a dedicated app.

Summary: I wouldn't trust a laptop / desktop running Windows and a browser as far as I could throw it. Most secure option: using a banking app over mobile network (ie not home network)

Chino

Olinda99 said:

Banking apps are a 'walled garden' - bullet proof - nothing can attack them.

The things one reads on the Internet.

Olinda99

No amount of reading will influence a closed mind.

KxMx

I don't use mobile banking on a phone, instead I use it on my tablet which never leaves my home.

400ixl

Olinda99 said:

No amount of reading will influence a closed mind.

Clearly.

Mobile apps are not walled gardens or bullet proof. Many use the same HTML presentation layer as their web based counterparts (just formatted for a different screen) and the same API's to access data with the exact same security wrap.

The attack vector at the client end is likely to be smaller as it is not using a multi purpose browser, but it still runs on an OS which itself could have exploits.

When out and about you shouldn't use mobile banking apps if you are on an untrusted wifi network without using a VPN, a bit safer on a mobile provider network (but even then it could be a man in the middle attack, just far less likely). 

If you take practical steps then both are suitable for their purpose.

Olinda99

of course you can use mobile banking apps on an unencrypted wifi in Starbucks or wherever.

The app talks to the server using  256 AES encryption. You don't need a vpn which in any case just masks your IP address.

There is no attack vector to a banking app (android or IOS) - there are however plenty of keyloggers etc when using banking on a desktop using Chrome though.

[Deleted User]

Hackers don't break into bank accounts by breaking the security measures, they log into them with the same details as the user.

The security of banking whether via apps or internet browsers is virtually impenetrable. The data transmitted between your device and the bank is encrypted to a level that is nearly impossible to crack. The login methods are near impossible to brute force or hack.

The ways hackers steal money from bank accounts are much easier than trying to attack the security measures, instead, it is mostly one of the following.

1. Social engineering - pretending to be somebody from the bank, a technical helpline or friend and persuading the user to carry out actions such as revealing their user credentials or transferring money.
   
   
2. Phishing - fake websites/apps - getting the user to go to a fake website or app and enter their user details or bank card.
   
   
3. SIM swapping - getting access to your mobile provider, getting a new SIM sent to a different address and using the 2FA codes to access your account - requires some of your banking details gleaned from one of the above.
   
   
4. Malware/keyloggers - users inadvertently download dodgy software/apps that record keystrokes on the device or use unsupported software and operating systems that are vulnerable to malware. 
5. Man in the middle attacks - usually from using public WiFi or unsafe networks. Somebody intercepts traffic between your device and the banking website. 

So using an app or browser makes no real difference for the above - the user themselves are the weakest link, not the security of online banking systems.

400ixl

Olinda99 said:

of course you can use mobile banking apps on an unencrypted wifi in Starbucks or wherever.

The app talks to the server using  256 AES encryption. You don't need a vpn which in any case just masks your IP address.

There is no attack vector to a banking app (android or IOS) - there are however plenty of keyloggers etc when using banking on a desktop using Chrome though.

You clearly do not understand man in the middle attacks and SSL proxies. VPN's do not just mask your IP address, they create a point to point tunnel which subvert many man in the middle attack.

The server will talk SSL with whatever connects to it, that doesn't mean it is not a proxy in the middle which then creates its own SSL connection with the app and can read everything that goes through it.

How do you know that wifi named Starbucks is actually the starbucks router and not a portable router more powerful signal from the person sat at the next table to you (and therefore the one your phone will see and connect to)?

Caveat: This is rare, but is a risk and a reason you should only use banking apps via a VPN if on an open wifi. It is much harder to spoof a mobile network so even rarer there, but still worth using a VPN for banking apps.

There are zero day exploits created every day which could compromise both Android and iOS, there are also malware apps which can install keyboard loggers on mobile apps.

As I say, the mobile app and the web app will also share a lot of back end connectivity which is equally compromisable across both platforms.

If you do not understand the technology you are talking about then please don't make such fundamental statements.