Are smartphone banking apps safe?
"I'VE noticed a number of unauthorised banking apps available to download from the Android marketplace. Are they safe to use?"
In many ways, banking on a smartphone isn't very different from accessing an online banking site on a computer.
And, in fact, with an unauthorised banking app that's more or less precisely what you're doing: the app is just a stored landing page squeezed to fit a mobile screen more comfortably.
However, financial providers advise their customers against using unauthorised apps and many official smartphone banking downloads are a little different to the provider's main site.
Since we first wrote this article several years ago, all of the major banks have released official apps and unauthorised apps have become less of a problem.
Nevertheless, in this article we look at the dangers of any unauthorised banking apps you may come across, and how they differ from official apps.
Official banking apps
All of the major banks and credit card providers now have authorised apps.
- Amex available for iPhone and Android
- Barclays for iPhone and Android
- Co-operative Bank for iPhone, Android and Blackberry
- First Direct: available for iPhone, Android and Blackberry
- HSBC: available for iPhone and Android
- Lloyds Bank: available for Android, iPhone and Blackberry
- Natwest: available for Android, iPhone and Blackberry
- RBS: available for Android, iPhone and Blackberry
- Danske Bank: available for Android and iPhone
When we first wrote this article a couple of years ago there were only two or three banks offering apps.
Even now, you can see that not everyone has caught up and that the banks that are offering apps haven't made them available for all the major operating systems.
In addition, not all of these apps offer the full online banking service you might enjoy when you normally log on to bank online.
For example, the First Direct app only offers a real time balance and mini-statement service, rather than all of the full statements and money transfer services.
The service does allow users to top-up their mobile phone automatically from the account, however.
Unofficial apps: the risks
So if you're looking for a fuller mobile banking service on the go or your financial provider doesn't offer an official app, that leaves you with the unofficial ones.
What are the risks?
We spoke to Claus Villumsen, mobile security expert at BullGuard.
"It is not very hard to spoof a bank page and make it appear legit through a 3rd party application," he told us.
"Until my bank could offer me banking software which I can download securely from their website, 3rd party banking apps were, are and will be a no-go and deal-breaker for me."
Graham Cluley, a Senior technology consultant at Sophos agreed.
"Although I am sure there are well-intentioned individuals who have developed apps to help with online banking, there are also plenty of bad guys who would love to exploit opportunities like this to fill their own pockets," he told us.
Many 'applications' created for Apple, Nokia, Google, Android or BlackBerry devices are simply a bookmark to the bank's own login page but security experts warn that developers with malicious intent could use those applications to harvest user credentials.
Even when the app was created in good faith, other developers could download it, inject their own code and distribute it as the genuine app.
What do the banks say?
That threat is also reflected in the advice of the banks.
When we showed them examples of third party apps available for consumers to access their online banking sites Nationwide said that they, "strongly advise against the use of any unsupported apps to access Internet Banking."
HSBC also told us that they "would not recommend customers use [these apps]."
However, banks are necessarily cautious on these subjects and, least we forget, there is an element of self-interest in their comments too: not only do they want to preclude any possibility of losing money from fraudulent banking applications, they'll have an eye to their own official applications, when they're inevitably launched.
Worth the risk?
But what about the 'well-intentioned individuals' creating these handy apps?
Richard Nash of Tn1Designs, which makes several banking applications available to consumers on Android Market, might just be one of them.
He told us that the apps were as safe as the banks' sites:
"The application stores absolutely no data. The site that people use within the app is the official site of the bank... it's as safe as the banks have made it."
Nash was quick to point out, however, that users have legitimate concerns about using banking apps.
He added that Tn1Designs have contacted all the banks involved but have yet to receive a response.
As we update this article in July 2012, we note that the apps are still available and still unauthorised: unsurprisingly given that even huge account aggregators like Lovemoney haven't been able to get the banks to endorse them.
"I would be happy to submit the source files to the banks for further testing if they are interested... We understand that the banks are extremely busy so this might take a while."
Meanwhile, though, app-happy consumers continue to put themselves at risk by downloading unauthorised banking applications.
"It's all very well banks saying that they don't endorse unsupported apps but consumers are clearly keen to keep track of their personal finances on the go," commented Lyndsey Burton, founder of Choose.
"Until banks and credit card providers either release their own official apps or endorse the work of well-intentioned developers who have already created useful apps, consumers are likely to continue to put their finances at risk."