Open Banking is a brand new, secure way for consumers including small businesses to share information, allowing new and existing companies to offer super-fast payment methods and innovative banking products.
Open Banking was adopted in the United Kingdom as a result of the implementation of the Revised Payment Services Directive (PSD2), which unleashed a transformation in how financial services organisations in Europe view themselves and each other. In the fintech revolution that followed, consumers, the banking industry and the regulators agree that mobile banking as a standard will be fantastic for carrying out open banking transactions; however, there are concerns about security.
Security is the key to winning the trust of the customers that will engage with this application. The main aspect of security is the channel where mobile banking is exposed to external systems and users, namely the Application Programming Interface (API), which allows every component to work together seamlessly.
This research will look at open banking on mobile applications from different stakeholders' perspectives to ensure a robust security architecture design.
This technology opens the way to new products and services that help end users, such as customers and small to medium-size businesses, to get a better deal by giving them a clearer and better understanding of their accounts and making recommendations on customer spending. This involves customers giving explicit permission for the third party to have access to their financial data. Customers have the comfort of monitoring and controlling their spending using the open banking application on their mobile devices. Open banking can go beyond the intermediating and dis-intermediating of banks to provide a legislative mandate for more open data between financial services organisations.
This research sets out to investigate the design and security challenges for mobile applications within financial services, in particular Open Banking applications, and to assess the security elements of mobile banking APIs in Open Banking applications. This work will also look into Open Banking applications installed on iOS and Android devices to understand the threats and vulnerabilities of the Open Banking architecture and its application in mobile banking. This project involves the design of a more secure open banking architecture.
According to "openbanking.org - meet the regulated providers 2019", there are over 90 regulated API providers; this includes third party providers and account providers. This list keeps increasing, creating more challenges for Open Banking. We will be looking at challenges from all stakeholders' points of view in order to carry out a proper assessment.
Area of study
The future of financial services is under pressure from profound digital disruption. Across the globe, there are forces, both regulatory and customer-led, that open up the market to new entrants and disrupt what customers are buying, and how. The advent of Open Banking is one major influence, with Open APIs paving the way for third-party developers to build applications and services independently. PSD2 drives the intermediating and dis-intermediating of banks to provide a legislative mandate for more open data between financial services organisations.
Banks must provide access to certain customer information, and understanding the type of data that will be shared and how it will be secured is vital to the implementation of open banking overall. Since this project is looking at open banking applications on iOS and Android mobile devices, we will be looking at the top issues facing mobile application security, which include: physical security; secure data storage (on disk); strong authentication with a poor keyboard; multiple-user support with security; a safe browsing environment; secure operating systems; application isolation; information disclosure; virus, worm, Trojan, spyware and malware attacks; a difficult patching/update process; strict use and enforcement of SSL; phishing; cross-site request forgery (CSRF); location privacy/security; insecure device drivers; and multifactor authentication.
In mobile application banking, there is much ongoing research and systems development with the primary objectives of improving customer experience and security; however, this is not the case for Open Banking applications on mobile devices. In order to analyse and design a more secure system for open banking on mobile devices (iOS, Windows and Android), this area of study will drill into the interfaces between the open banking application and the mobile device to carry out, at different stages, threat and vulnerability assessment, risk assessment, and an understanding of the requirements that govern them, i.e. Rules for Composing Rules (RCR), Model Policy Architecture, the Unified Rules Model (URM), the Unified Information Model (UIM) and a risk-based approach.
The security analysis and assessment findings, with review criteria as well as the proffered remediation actions needed for Open Banking systems to be more secure, will be documented to develop a security design that covers the security and regulatory expectations of the banking and financial industry.
Programme of work
These are some challenges currently being faced within financial services when hosting and delivering applications for mobile banking.
Many organisations within the financial services maintain legacy systems and the integration of new technology will put a strain on their IT and workforce.
Banks need to both offer their services for consumption by external third parties and think about how to use third-party services for their own offerings. The banks will not only astutely open their own systems for others to consume, but also look at how to innovate and enrich their services by using other organisations' APIs.
Open Banking applications installed on jailbroken iOS devices are at risk: rooting or jailbreaking a mobile device circumvents any encryption protections, which leaves the mobile device vulnerable.
Malicious applications installed on Android devices could exploit Open Banking applications. Attack vectors could include a malicious application that has been installed on a device, physical access to the device, or reviewing the application for other vulnerabilities.
Three high-level components to consider for an Open Banking application on Android devices will be the application container, communications and the Internet server. A full vulnerability assessment and threat modelling exercise, with a risk register carried through to risk treatment and residual risks, will be carried out.
This research will describe the most critical risks in Open Banking applications on mobile devices, similar to the OWASP Mobile Top Ten risks. We will briefly review the OWASP Top 10 final list.
In order to find suitable solutions to the challenges above, with more emphasis on the OWASP Top 10 mobile risks, this project will also:
Understand the integration layer and analyse the Open Banking APIs' design
Perform and analyse a jailbreak of iOS devices to show threats and vulnerabilities
Analyse the Android security model and rooting
Recognise the types of mobile malware and anti-malware options
Identify web browser services and attacks on mobile platforms and recommend countermeasures
Analyse security measures such as encryption, strong customer authentication, and auditing to keep financial transactions and information secure during Open Banking transactions.
This project will not only look into the risks to Open Banking mobile end-user data and devices but also server-side vulnerabilities. Although server-side vulnerabilities pose the greatest risk to mobile application deployments as a whole, because they can expose unrestricted access to back-end systems, these issues are well documented and understood.
This project is planned to be completed in August 2019. The following table shows the timeline for completion of the research tasks and chapter publication for supervisor review.
For a structured presentation of this research work (i.e. dissertation), the following main headings - chapters and sub-headings will be maintained:
1.1 What is Open Banking
1.2 Open Banking Architecture and Mobile Banking at a Glance
1.3 Overview of dissertation chapters
2.0 Motivation and Background
3.0 Security Challenges in Mobile Application Banking
3.1 iOS Security Challenges
3.2 Android Security Challenges
3.3 Mobile Application Banking Security Challenges
3.4 Open Banking Architecture and Design
3.5 Open Banking APIs
4.0 Case Study Review
5.5 Threats to Open Banking Architecture
7.0 Mobile Application (Open Banking) Security Analysis
Ethical, Legal, Social, and Professional Issues
This is a green-field area in mobile banking; therefore, the systems and security assessment, testing and other related activities covered by this engagement will be carried out using test data.
In order to analyse the Open Banking architecture, there is no need for personally identifiable information (PII) or the use of any sensitive information; therefore, ethical consideration or clearance is not required.