Most of us use multiple apps everyday. Yet we hardly think about the complex and constantly developing security measures that go into them. Take the Numbrs app. You trust us with your finances. In return, we provide you with the best app to manage them. But in order to best manage your financial information, we have to provide you with the best app in protecting your information first. And while most would think of security as a mere question of access rights to the app or the storage place of their personal information, the quest for comprehensive security goes far beyond.
Numbrs approach on security follows a holistic system that starts with the first line of written code and reaches from the people who use the app to the people who create it, to a seamless and digital infrastructure including hundreds of banks, digital account providers and product partners, all on a global level. In other words, our security covers every possible touchpoint inside and outside of Numbrs.
An App as Strong as the People Behind it
Working for Numbrs comes with special responsibility. Regardless in which role, we are aware that our users trust us with sensitive data. As a consequence, security starts with the very moment our candidates are assessed for an open position.
As part of our hiring process, all potential candidates are interviewed with specific questions on cryptography, secure app design and more. Our thinking behind it is simple – if every engineer at Numbrs is proficient in security, our specialised security team can focus on more advanced security measures in the app. Once hired, every employee undergoes a comprehensive security training followed by a quiz. Key topics include customer data privacy, data security and phishing.
Where most companies employ a single engineer who handles security topics, Numbrs has a dedicated team of full-time in-house security engineers and professionals. These security specialists ensure that security is nested within the core of the app and all of it’s features from the very beginning. Even if this means compromising the speed of development in some cases, we never have and never will compromise on security.
Building the Safest App on the Market
At Numbrs every new feature undergoes the following steps during development – conceptualisation, design, implementation, testing and finally the release. If you’ve questioned why the step for security is missing, it’s because security is part of them all.
The real questions, when going from a concept to the design phase at Numbrs: What happens if the user places the Numbrs app in the background during a critical step? What if the user’s phone is stolen at this exact moment? What if malware is running on the device or what if someone reverse-engineered the app and is targeting our back-end? These questions and many more create a first understanding of what the design of a feature has to account for. So, needless to say, security continues into the next phase, design, seamlessly. Here our team considers possible attack scenarios targeting the bypass flows of the data, credentials, tokens, etc. as well as potential scenarios of data leak incidents that could originate from inside of the organisation.
Following the design, the implementation includes automated tooling runs in order to flag code changes in security-relevant code areas. This applies when handling credentials or performing encryption. Of course, these tests come in addition to several other automated tests. If anything raises concerns, improvements have to be made to the code.
Next comes the actual testing phase. Hereby the complete app is scrutinised. This ensures that changes to the code regarding a new feature have not impacted any other areas of the app. The testing consists of several automated tooling tests and a number of creative white-box penetration tests. These attempt to simulate sophisticated attack scenarios by someone with intimate knowledge of the app.
Lastly, there is the release. However, not a single release is delivered to users without a security sign-off. Even then, the security of the production environment is continuously monitored to identify potential misuse of the application after the release.
The Architecture Within
Think of a large house. The pedigree of its architecture isn’t just defined by its mere looks or the feeling it exerts upon entering. Great architecture is also defined by the materials it is built upon, the segmentation of space, the way it can withstand the elements, how it contains heat or retains the cold on a summer day, how it is placed in relation to the course of the sun and how it’s built with the surrounding environment in mind. Well, it’s no different with an app. In order to create a nearly careless experience for the user, the architecture of an app and the information that flows through it need to be planned meticulously.
When it comes to security, it is vital that sensitive information can only reach destinations, where it is needed. For example when you connect with your bank or with a Numbrs support specialist. While the user can connect with both – his bank and the support specialist – the support specialist can only connect with the user, not with the user’s bank. This also applies to a user’s personal information, which is stored securely on servers in Germany, configured and maintained in accordance with industry-standard practices (ISO 27001- and PCI-DSS-certified).
In order to achieve these information barriers, the back end of the Numbrs app requires the communication to be segregated and split into several separate systems, allowing information to remain in several closed off circuits. It is worth noting that this egregation of communication also applies to our testing environment, which is strictly separated from our production environment.
The data that we store is encrypted. The encryption varies from one to three levels. If such data has to be made available to our data scientists, it undergoes a process of anonymisation, stripping out names, bank account numbers, e-mail addresses, etc. to ensure that it remains protected and private to our users.
Of course we protect data in transit, too. We do this via TLS encryption (versions starting from 1.2 with secure cipher suites). We also use certificate pinning for all network connectivity between the Numbrs client application and the back-end. Hereby we pin the server certificate, not the Root CA. This prevents man-in-the-middle (MITM) attacks, despite making it more expensive for us to keep the apps updated with the latest certificates.
When it comes to making payments with the Numbrs app, we leverage banking security such as the TAN method to authorise transactions. Banks require strong customer authentication when payments are made, and this cannot be bypassed, even by Numbrs. This authentication may be initiated through an SMS message or push notification directly to the user’s phone. Some banks also send their customers a small device called a TAN generator.
While this step may seem tedious at first glance it is a reassurance to the user – Numbrs cannot perform payments on the user’s behalf. Even if a user’s credentials should be compromised, a payment in higher amounts can not be performed. A TAN is always required.
Certified and Fully GDPR Compliant
The trust of our users is our most valuable asset. So it goes without saying that you shouldn’t take our word for all of the above. In fact, for this reason we continuously seek out independent specialist organisations and bodies to assess our app and its technologies on data privacy and security. In addition to our several certifications and trusted seals by independent auditors and leading security specialists we are also fully compliant with the demanding EU General Data Privacy Regulation (GDPR).
The result comes at no surprise: in the last six years, no test has uncovered any critical data vulnerability or non-conformities in our organisational structure. This means that users and their data have never been at risk. Well done, Numbrs.
Find more information in our blog posts section on our latest security certificates and our full compliance with GDPR.
If you are interested in working for Numbrs please visit our career page for open positions.
If you are looking for a smart, simple and secure multibanking app download Numbrs from the Apple App Store or the Google Play Store. It is available for iOS as well as Android and comes for free on both systems