HKCERT and PISA Urge for Enhanced Transaction Security in Mobile Apps

Mobile apps owners and developers should apply transmission encryption (SSL), validate digital certificates and use certificate authentication technology to prevent hackers from stealing app users’ sensitive personal and transaction data, urged the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) of the Hong Kong Productivity Council (HKPC) and the Professional Information Security Association (PISA).

The advice came as a HKCERT-PISA study of 130 Hong Kong online transaction service apps commonly used locally found that over one-third of them lack adequate encryption security in processing credential or transaction data, and are vulnerable to hacking attackers. The “Study on Transaction Security of Mobile Apps in Hong Kong” was conducted between April and July this year,

Commenting on the findings, Mr Wilson Wong, General Manager (IT Industry Development) of HKPC, said, “The rapid growth in popularity of mobile apps and the availability of Wi-Fi technology has led to more sensitive and transaction data being transmitted in open environment. The industry should step up encryption security in data transmission to plug the vulnerabilities.”

The Study found that 34% of the mobile apps tested did not apply SSL or validate the digital certificate used in encryption. Analysis into the seven types of services offered by these apps revealed that digital wallet/payment service and mobile banking apps feature better encryption security, with over 87% attaining “secure” and “most secure” grading. The transaction security of cinema ticketing and online food ordering apps was in the medium level. Over half of the financial securities, online shopping/group buy and travel booking service apps tested were found to be “vulnerable”, or even “serious”, with no encryption at all.

Fig 1. Level distribution of 130 Apps

Fig 2. Distribution of Mobile Apps by Services

Mr Eric Fan, Chairperson of PISA, said, “If a mobile app does not validate the digital certificate, fraudsters can set up a fake Wi-Fi access point and use fake certificates to seize and modify the data transmitted. This will inflict serious data and financial losses on apps users.”

Offering security advice to the community, Mr Wong said, “Mobile app users should not use public Wi-Fi networks to transmit sensitive data. If having doubts about the apps’ security, they should use mobile browsers that can provide visual cues to the validity of the digital certificates, or use mobile data network for the transactions. Also, they must not install unsolicited software or digital certificates on their mobile devices. Mobile apps owners and developers, on the other hand, must properly encrypt the data transmitted between the apps and backend servers, ensure the apps to validate the digital certificates, and apply certificate authentication technology.”

In addition to the Study, HKCERT and PISA have compiled the “Best Practice Guide (SSL Implementation) for Mobile App Development” to help apps owners and developers to improve apps security. It is now available for download from the HKCERT website (/my_url/guideline/15091401). Furthermore, they can make use of HKPC’s mobile app SSL security assessment service.

Fig 3. Mr Wilson Wong, General Manager (IT Industry Development) of HKPC (centre); Mr Leung Siu-Cheong, Senior Consultant of HKCERT (left); and Mr Eric Fan, Chairperson of PISA, present the findings of the “Study on Transaction Security of Mobile Apps in Hong Kong” and make recommendations on the transaction security of mobile apps.