Field of the Invention
One aspect of the present invention relates to secure authentication in mobile applications, particularly, but not exclusively, for use in banking applications.
Description of the Related Art
Banking applications execute on consumers' mobile communication devices for communication with a banking application server provided by a banking institution. Banking applications provide functionality on mobile communication devices to carry out banking actions and instructions by communication with the banking application server.
Banking applications usually run inside a sandbox on the operating system of the mobile communication device in order to secure the banking application as a separately running application with tightly controlled resources including its own protected memory space with its own data stores.
Additional security authentication is known to be provided by authentication software development kids (SDKs) to embed authentication technology into banking applications.
Such authentication SDKs may use a private key associated with the SDK and enable multi-factor authentication. The private key of the SDK providing the “something I have” factor while a login required by the banking application constitutes the “something I know” factor.
Authentication SDKs also provide out-of-band authentication as communication between a secure gateway, a Federal Information Processing Standard (FIPS) 140-2 hardware device having a cryptography module, and the authentication SDK on the mobile communication device does not use the mobile communication device's cryptography. The channel is completely separate from the mobile communication device's secure sockets layer (SSL), or any SSL that might be implemented natively by the banking application, thereby negating any attacks on the transport layer itself.
However, an authentication SDK typically runs inside the same sandbox as the banking application. This raises the potential security problem that if an attacker were to discover a vulnerability in either the authentication SDK or the banking application, they might potentially be able to compromise the solution.
It would accordingly be beneficial to address this potential problem.