Page 34 - ITU-T Focus Group Digital Financial Services – Recommendations
Title of recommendation: DFS application security
Working Group: Technology, Innovation and Competition
Workstream: Security
Audience for recommendation: App developers, DFS providers
App developers should ensure that DFS applications are designed and implemented in accordance with industry and Standards-Setting Body (SSB) best practices for secure software development, including encrypted and authenticated communication and secure coding practices.
DFS app developers should make use of hardware and software features within mobile devices that enhance security, such as secure elements and trusted execution environments, for ensuring device integrity. While such mechanisms are made available at the level of the operating system and may provide APIs for usage, it is often the responsibility of the app developer to ensure that the apps themselves leverage these features.
The use of best practices should additionally extend to software embedded in third-party systems and web pages for communication with mobile money systems. Strong encryption should be employed both for data protection within the app and for communication with back-end services, and it is important that such mechanisms are used in all appropriate locations within the app. Such apps should also be designed to be resilient against denial-of-service attacks.
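The recommendation above calls for encrypted and authenticated communication with back-end services. A frequent way this fails in practice is a client TLS configuration that encrypts but does not authenticate (certificate verification or hostname checking disabled). The following added example, which is not part of the ITU-T text, builds a permissive and a hardened client configuration with Python's standard `ssl` module and audits each one offline; the audit rules and the function names are this example's own assumptions.

```python
"""Added example (not from the ITU-T recommendation): contrast a permissive
TLS client configuration with a hardened one, and audit both offline."""
import ssl


def permissive_context() -> ssl.SSLContext:
    """A configuration that encrypts traffic but does not authenticate the server.

    Disabling verification like this is a common 'quick fix' during development
    that must never ship: it lets any interposed party present any certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # server certificate is accepted unconditionally
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Encrypted *and* authenticated: trusted CA store, CERT_REQUIRED,
    hostname checking, and no legacy protocol versions."""
    ctx = ssl.create_default_context()  # loads the platform CA store, sets CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # A DFS provider that controls its own back-end PKI can additionally restrict
    # trust to its own CA with ctx.load_verify_locations(cafile=...) (path omitted here).
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passes the audit."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("permissive", permissive_context()),
                      ("hardened", hardened_context())):
        print(name, "->", audit_context(ctx) or "OK")
```

The audit function is the kind of check a security review of the app (see the next recommendation) would run against the app's networking layer; the same three properties can be verified by inspecting the HTTP client's configuration on any platform.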
DFS providers should ensure that DFS apps are subject to external security review and penetration testing, and any resulting recommendations should be acted upon. Applications should be designed to be robust against phishing software, and should guide customers to access and download applications through official channels to mitigate the risk of running code that is infected with malware.
App developers should ensure that apps securely manage customer credentials, and should use strong authentication mechanisms to protect against unauthorized access. Default usernames and passwords should be removed or reset so that an adversary cannot easily guess credentials.