Security Best Practices for Financial Apps
As of June 2022, more Americans are living paycheck-to-paycheck than ever before, according to recently published research – meaning that they spend all of the current month’s income before receiving the next month’s. In the last six months, an estimated 13% of Americans spent more than they earned, and average savings across the country are down overall.
While all of these things sound like bad news with a clear correlation to high inflation in today’s markets, they provide a unique setting for the growth of fintech, particularly in the realm of personal financial management (PFM) apps. This category of app has been around for quite a while but is becoming increasingly popular as more and more people are willing to break away from traditional banking and finance methods and recognize the benefits PFM apps can offer them. Today’s market is ripe for applications that help people manage and build their wealth, earn rewards on purchases they’re already making, and dive into long-term financial planning.
Financial apps like the kinds mentioned above require access to users’ financial information in order to be effective – they cannot exist without that data. And although users are more open to sharing their sensitive financial data with apps that they believe can benefit them, users also care deeply about their privacy and keeping their data secure. They’re willing to share the data as long as there’s a guarantee it will remain safe and be used only within the parameters they’ve given permission for.
This post will discuss some specific ways developers can and should incorporate stringent security measures into their financial apps in order to protect their users, and ultimately their products and services. For more on this topic, you can read prior blog posts touching on security here and here.
Keeping data secure can seem like a daunting task, especially in light of all the data breaches occurring with even large, established companies. But there are some straightforward guidelines that you can incorporate from the very beginning that will go a long way in the development and success of your app:
- Never store your users’ passwords.
But if you absolutely have to, make sure they’re hashed. Hashed passwords have been put through a hashing algorithm that makes the password completely unintelligible. This is different from encrypting, which simply scrambles the passwords. Hashing is a much stronger way of keeping passwords secure since the process for decoding is different for every single password that’s gone through the algorithm. It would be better, however, to simply NOT store passwords to begin with.
- Apply the principle of least-privilege to all access.
This means that users, both internal (like employees) and external, can only access the information that they need in order to do the job they’re supposed to do. All other data that is not essential to the task should be blocked from being accessed.
- At the very least, use SSL encryption for data.
SSL (Secure Sockets Layer) encryption should be the absolute lowest standard applied to the data sent and received in your app. There are higher-level standards now, though, that are probably better for your app. You should regularly check the cipher suite algorithms to make sure they’re the most secure ones available.
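One way to make the cipher suite check routine, shown as an added example that is not part of the original post: a Python client context pinned to TLS 1.2 or newer (TLS is the successor to SSL) and a small audit that flags obsolete suites. The marker list, the 128-bit threshold, the cipher string and the sample entries are assumptions chosen for this illustration.

```python
import ssl

# Substrings that mark obsolete algorithms in OpenSSL cipher names (assumed list).
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "MD5", "EXP")
MIN_STRENGTH_BITS = 128

# Constructed sample in the shape returned by SSLContext.get_ciphers().
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256},
    {"name": "DES-CBC3-SHA", "strength_bits": 112},
    {"name": "RC4-MD5", "strength_bits": 128},
]


def hardened_client_context() -> ssl.SSLContext:
    """Client context: certificate checks on, TLS 1.2+, AEAD suites with ECDHE."""
    ctx = ssl.create_default_context()  # verifies certificates and hostnames
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0, TLS 1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # applies to TLS 1.2 suites
    return ctx


def weak_ciphers(ciphers) -> list:
    """Return names of suites that use an obsolete algorithm or a short key."""
    flagged = []
    for cipher in ciphers:
        name = cipher["name"]
        obsolete = any(marker in name.upper() for marker in WEAK_MARKERS)
        too_short = cipher.get("strength_bits", 0) < MIN_STRENGTH_BITS
        if obsolete or too_short:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("enabled suites:", [c["name"] for c in ctx.get_ciphers()])
    print("weak in hardened context:", weak_ciphers(ctx.get_ciphers()))
    print("weak in constructed sample:", weak_ciphers(SAMPLE_CIPHERS))
```

Running the audit in CI or on a schedule catches a configuration change that re-enables an old suite.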
- Never, ever have a database or server without a firewall.
A network security system that monitors and controls access to a database or service (depending on certain predetermined rules), a firewall is really your first line of defense against online attacks or data breaches. If your app has a database or stores data on a server (which it will), you absolutely need to configure a firewall to keep the information secure.
- Don’t save card and account numbers.
Most likely users will need to input a credit or debit card number or another payment method into your app. You should never save any of those details, since having them stored somewhere within your control makes them more vulnerable to being stolen. The last thing you want for your app is for it to become the source of theft. The less data you store, the less chance it can be infiltrated.
- Don’t send users’ credit card numbers over the network.
Even though you could create your own form to collect payments from your users, it’s a bad idea. Using your own forms instead of the forms of a reliable payment network puts your users’ credit card numbers at a much greater risk. Even though it requires an extra step, you should only utilize the payment forms provided by reliable third-party payment networks.
- Don’t store user data that you don’t need.
Apps have the capability of tracking and accumulating a lot of data about their users. A lot of that data can be extremely useful for analyzing your services and giving users more personalized experiences. But any data that you’ve collected and end up not actually needing, or data that you don’t need anymore, should not be stored in your databases or server.
- Choose partners and service providers wisely.
You’ll probably choose to partner with B2Bs that will help your app do what it’s meant to do (for example, a data aggregator company that connects you to financial data). But not all partners are worth your time or money. Be sure to carefully vet whoever you choose to bring on board, and then commit to reviewing at least twice a year the risk those partners create so that you can identify if/when your app should find a new service provider.
- Get periodic scans and penetration tests for your infrastructure.
These scans and tests will help you identify where your systems are vulnerable, and you want both manual and automated testing to get the fullest scope of potential weaknesses so that you can always be working to bolster your app’s security. Remember, since technology is ever evolving, you need to regularly schedule these tests to stay up to date and not get blindsided by something.
- Document every procedure.
Your app’s security can’t be an afterthought; it needs to be incorporated into every aspect of its development and lifetime. Everything that you do in the name of security should be written down somewhere so that it can be reviewed and provide verification in case of an audit. Information about your app’s security should always be available for both users and auditors.
If you choose to follow these ten practices for your app, you’ll go a long way in keeping your users’ data secure and also ensure the ongoing legitimacy of the financial services your app is built to provide.
Security with Pentadata
As a provider of financial data, Pentadata takes security and privacy extremely seriously. We believe that providing the most diverse possible range of data access is as important as keeping that data secure. If you choose to partner with Pentadata to provide financial data for your app, you can be assured that we follow all of the principles we’ve listed above. Not only that, we also run security scans and penetration tests and are SOC2 compliant, so we can help you build those things into your app as well. We know that financial data is extremely powerful to make a positive difference in people’s lives through financial apps, but only if it can be kept secure.
Contact us today to learn more about security or talk about partnering with us to access financial data for your app.