Page 43 - Digital Financial Services security assurance framework

that could result in failure to authenticate or poor algorithm selection.
vi.  Certificate pinning is recommended to prevent replacement of the server certificate.
vii. Client devices must correctly validate server certificates (trust chain, validity period and hostname).

9.3  User Authentication

i.   PINs and passwords should not be easily guessable, and weak credentials (for example those on a blocklist of commonly chosen PINs and passwords, or simple sequences and repeated digits) should be disallowed; however, users should not be forced to change passwords on a regular basis.
ii.  Multi-factor authentication before performing financial or other sensitive functions is strongly encouraged.
iii. Smartphone authenticator apps should be used to generate one-time passwords rather than sending them by SMS, because SMS can be intercepted through SS7 hijacking and other weaknesses of the mobile network.
iv.  If biometric information is used for authentication, it must be stored with appropriate security measures, for example encrypted in the Android Keystore or held in trusted hardware. On Android the application does not handle the raw biometric template at all; the operating system keeps it, and the application instead binds a Keystore key to a successful biometric authentication.

9.4  Secure Data Handling

i.   Mobile applications should store confidential information securely, for example by using the Android Keystore framework.
ii.  Trusted hardware (a trusted execution environment or secure element) should be used to store sensitive information where the client smartphone provides it.
iii. Avoid storing information on external storage; where this cannot be avoided, treat the data as untrusted, since other applications may be able to read or modify it, and perform strong input validation before using it.
iv.  Delete confidential data from caches and memory as soon as it has been used, and avoid general exposure of secrets (for example, placing a secret key on the stack). Ensure that memory is cleaned up before the application exits.
v.   Restrict data shared with other applications through fine-grained permissions. Minimize the number of permissions requested by the app and ensure that each permission corresponds to functionality the app actually needs.
vi.  Do not hard-code sensitive information such as passwords or keys into the application source code.
vii. Validate any input coming from the client before it is stored in a database, and pass it to the database as a bound parameter rather than by building the SQL statement from strings, to avoid SQL injection attacks.

9.5  Secure Application Development

i.   Develop applications according to industry-accepted secure coding practices and standards.
ii.  Provide a means of securely updating applications, ensure that all dependent libraries and modules are secure, and ship updates for these when required.
iii. Have code independently assessed and tested by internal or external code review teams.
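Item i of section 9.3 asks that weak credentials be disallowed without forcing periodic change. The following is an added example, not code from the framework, of the server-side checks a DFS back end can run when a user sets a PIN or password: a blocklist of common choices plus structural tests (sequences, repeated patterns, date-like PINs, username inside the password). The blocklists, the minimum lengths and the date heuristic are assumptions; a deployment would load a much larger list of breached credentials.

```python
"""Weak-credential checks for a DFS back end (added example, constructed data)."""
import re
import unicodedata
from typing import List

# Constructed sample of frequently chosen PINs (assumption: a real list is far larger).
COMMON_PINS = {
    "1234", "0000", "1111", "1212", "7777", "1004", "2000", "4444", "2222",
    "6969", "9999", "3333", "5555", "6666", "1122", "1313", "8888", "4321",
    "123456", "111111", "123123", "654321", "000000",
}

# Constructed sample of frequently chosen passwords.
COMMON_PASSWORDS = {
    "password", "qwerty", "letmein", "welcome", "admin", "iloveyou",
    "monkey", "dragon", "football", "abc123",
}


def _is_sequence(s: str) -> bool:
    """True for strictly ascending or descending runs such as 1234 or 9876."""
    deltas = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return deltas in ({1}, {-1})


def _is_repeated_pattern(s: str) -> bool:
    """True if s is one short unit repeated, e.g. 2222, 1212 or 123123."""
    for size in range(1, len(s) // 2 + 1):
        if len(s) % size == 0 and s[:size] * (len(s) // size) == s:
            return True
    return False


def _looks_like_date(pin: str) -> bool:
    """Heuristic (assumption): 4-digit years 1900-2099, 6-digit DDMMYY or MMDDYY shapes."""
    if len(pin) == 4:
        return 1900 <= int(pin) <= 2099
    if len(pin) == 6:
        a, b = int(pin[:2]), int(pin[2:4])
        return (1 <= a <= 31 and 1 <= b <= 12) or (1 <= a <= 12 and 1 <= b <= 31)
    return False


def check_pin(pin: str, min_len: int = 6) -> List[str]:
    """Return the reasons a numeric PIN must be rejected (empty list = acceptable)."""
    if not (pin.isascii() and pin.isdigit()):
        return ["pin must contain only digits"]
    problems = []
    if len(pin) < min_len:
        problems.append(f"pin shorter than {min_len} digits")
    if pin in COMMON_PINS:
        problems.append("pin is on the common-PIN blocklist")
    if _is_sequence(pin):
        problems.append("pin is an ascending or descending sequence")
    if _is_repeated_pattern(pin):
        problems.append("pin is a repeated pattern")
    if _looks_like_date(pin):
        problems.append("pin looks like a date")
    return problems


def check_password(password: str, username: str = "", min_len: int = 8) -> List[str]:
    """Return the reasons a password must be rejected (empty list = acceptable).

    Length and a blocklist are the effective tests; there are no composition
    rules and no expiry, matching the advice against forced periodic change.
    """
    norm = unicodedata.normalize("NFKC", password)
    folded = norm.casefold()
    problems = []
    if len(norm) < min_len:
        problems.append(f"password shorter than {min_len} characters")
    # Strip a trailing digit run so "Password1" or "password2024" hit the blocklist too.
    if folded in COMMON_PASSWORDS or re.sub(r"\d+$", "", folded) in COMMON_PASSWORDS:
        problems.append("password is on the common-password blocklist")
    if username and username.casefold() in folded:
        problems.append("password contains the username")
    if _is_repeated_pattern(folded):
        problems.append("password is a repeated pattern")
    return problems
```

Run the checks at enrolment and at every credential change; the returned reasons are meant to be shown to the user so they can pick something else, which is what makes a blocklist workable without composition rules.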
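Item vii of section 9.4 covers SQL injection. The added example below (not code from the framework) runs against an in-memory SQLite table with constructed rows and shows the injection succeeding against string-built SQL, failing against a bound parameter, and being rejected earlier still by input validation. The ten-digit account-number format is an assumption standing in for whatever identifier scheme a provider uses.

```python
"""Client input into a database: string building vs. binding vs. validation (added example)."""
import re
import sqlite3

# Assumed identifier format for this example: exactly ten ASCII digits.
ACCOUNT_RE = re.compile(r"[0-9]{10}")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three transactions over two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions("
        "id INTEGER PRIMARY KEY, account TEXT NOT NULL, amount INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO transactions(account, amount) VALUES (?, ?)",
        [("1000000001", 500), ("1000000001", -120), ("1000000002", 2500)],
    )
    conn.commit()
    return conn


def history_vulnerable(conn: sqlite3.Connection, account: str):
    """DO NOT USE: the client's string becomes part of the SQL text."""
    sql = f"SELECT id, account, amount FROM transactions WHERE account = '{account}'"
    return conn.execute(sql).fetchall()


def history_parameterized(conn: sqlite3.Connection, account: str):
    """Parameter binding: the driver sends the value separately from the SQL,
    so quotes in the input are data, never syntax."""
    return conn.execute(
        "SELECT id, account, amount FROM transactions WHERE account = ?", (account,)
    ).fetchall()


def is_valid_account(account: str) -> bool:
    """Allow-list validation of the identifier format."""
    return ACCOUNT_RE.fullmatch(account) is not None


def history(conn: sqlite3.Connection, account: str):
    """Defence in depth: validate first, then query with a bound parameter."""
    if not is_valid_account(account):
        raise ValueError("account must be exactly 10 digits")
    return history_parameterized(conn, account)


def store_transaction(conn: sqlite3.Connection, account: str, amount) -> int:
    """Validate client input before it is stored, then insert with bound
    parameters; returns the new row id."""
    if not is_valid_account(account):
        raise ValueError("account must be exactly 10 digits")
    if not isinstance(amount, int) or isinstance(amount, bool):
        raise ValueError("amount must be an integer number of minor units")
    cur = conn.execute(
        "INSERT INTO transactions(account, amount) VALUES (?, ?)", (account, amount)
    )
    conn.commit()
    return cur.lastrowid


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(len(history_vulnerable(db, payload)), "rows leak with string building")
    print(len(history_parameterized(db, payload)), "rows with a bound parameter")
```

Binding is what actually stops injection; the format check is the second layer the framework asks for, and it also keeps malformed identifiers out of the database in the first place.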