5

What is safer to use (in general terms), online banking software using the mobile app or using a browser on a desktop OS?

I suppose that a mobile app, provided by the bank on a mobile OS, seems harder to manipulate than a website in a browser on a desktop OS (more factors).

Mike Ounsworth
Bob Ortiz
  • In my experience, more investment seems to go into fixing bugs/improving the web experience than the mobile for online banks. – Robert Fraser Nov 05 '16 at 23:55

3 Answers

4

This is a very open ended question, as it depends on what bank, what OS, and potentially even what hardware.

Some banks are vigorous about the login process and password recovery, others put more value in convenience.

Some smartphone manufacturers are diligent about distributing security updates, but others are very careless and/or have spread themselves too thinly with too many models to maintain.

Some operating systems have a lot more malware "in the wild" and are more prone to user error, others are more locked down by default, and have more thorough checking within official software sources.

Some hardware was manufactured with vulnerabilities, such as with the rowhammer exploit that was discovered to work on smartphones, recently.

There's no binary answer; either could be insecure, depending on the context. It's best to avoid falling into a false sense of security by giving a one-size-fits-all answer. You need to carefully review the security of the routine you're using, and increase it where there are vulnerabilities.

infinite-etcetera
1

Personally, for things like banking I trust Android and iOS more than any desktop environment. I'm not an expert in this field, but my understanding is that even if all the bank does is wrap their website into an app and put it on the app store, you're automatically gaining the following security protections over a desktop browser:

  • Immune to Cross-Site-Scripting (XSS) and phishing since you only do your banking through the app and there is no way to navigate the app to a malicious URL.
  • There's no risk of you accidentally letting the browser remember your password.
  • It's fairly easy to silently plant a keylogger in Windows / MacOSX / Linux, but is significantly harder to do on an unrooted Android / iOS device.
  • Any data the app caches is safely protected within the app's sandbox (no other app can access it).
  • Physical theft: mobile devices have good protections against someone trying to brute-force the lock screen or extract the hard drive. They also have remote-wipe. Laptops, not so much.
Mike Ounsworth
  • Technically, can't a custom Android (and iOS?) keyboard someone might install act as a keylogger? – Alexander O'Mara Nov 06 '16 at 04:01
  • @AlexanderO'Mara Yes. You can also install something as an MDM for parental or corporate surveillance. I guess I should have added "...harder to do on an unrooted Android without the user clicking Yes to something, and it showing up in the app list". – Mike Ounsworth Nov 06 '16 at 12:54
  • How exactly does running in an app prevent Cross-Site-Scripting? Simply wrapping a site into an app would include wrapping all XSS vulnerabilities as well. Such an app would be another instantiation of a web browser. – misiu_mp Feb 23 '17 at 11:37
  • @misiu_mp My experience with banking apps is that they are not HTML, but an Android / iOS app that talks directly to the web services / REST APIs at the bank. Maybe I'm wrong, but that seems like it would be immune to HTML-based XSS since most of those rely on getting the browser to execute javascript, and there is no javascript in a native Android / iOS GUI. – Mike Ounsworth Feb 24 '17 at 14:06
1

In general, I would propose that using a popular browser on either a desktop or mobile is at least as secure as using a mobile app. My thinking here is that the popular browsers have ironed out the security bugs long ago, and since they are used by many people (for example over 1 billion people use Chrome), any new security vulnerability that is discovered would be updated very quickly. Mobile apps are typically unique to each bank, so their user base is much smaller and they are more likely to have an unpatched security vulnerability than a browser would. Let's hope it doesn't make a difference, but if you're paranoid I'd lean towards using a browser.

TTT
  • Browsers are secure, yes, but what about the desktop environments they are running in? For example, the browser has no control over whether or not a keylogger is running in the OS. Android and iOS were designed from the ground-up to be anti-malware. – Mike Ounsworth Nov 06 '16 at 01:56
  • @MikeOunsworth - that's true, but can't you have a keylogger running on your mobile too? – TTT Nov 06 '16 at 02:03
  • My understanding of the architecture of Android and iOS is that that's fairly hard to do without the user clicking Yes to some scary-looking prompts first. – Mike Ounsworth Nov 06 '16 at 02:09
  • @MikeOunsworth - I just read the link you provided in your answer- that's good information. I'm not sure what's more likely: that you would accidentally install a keylogger on your desktop environment, or that a random bank's mobile app would have a security vulnerability in it. Maybe it comes down to your expertise level- if you're the type of person that is always getting random viruses on your machine, then use a mobile app. If you're tech savvy and never get viruses, use the browser... heh. – TTT Nov 06 '16 at 02:14
  • I think the question you should be asking is "what's more likely: getting a keylogger in a desktop environment (btw this is 100% for me because both Win10 and Razer drivers upload telemetry), or that somebody can _successfully exploit_ a vulnerability in a mobile app". And as for the idea that skill can protect you from malware, well, clearly you're not a security professional. – Mike Ounsworth Nov 06 '16 at 02:29
  • @MikeOunsworth - I'm not claiming that skill can absolutely protect you from malware (especially if you are specifically targeted), but it's probably the case that skill can help prevent from getting most of the malware people get from clicking on the wrong thing. My overall point is that for the tech savvy person, it's more likely that a security vulnerability exists in software they are using than it is to have a key logger installed on their machine. And of the two main software types we're discussing, I'm proposing a mobile app is more likely to have a flaw than a popular browser. – TTT Nov 06 '16 at 05:44