Well, to answer the question in the middle of this, “How do you know whether your app is using https or not?”
The bad news is you don’t.
And there’s no way to tell which technique a mobile app on an iPad or an iPhone, or on an Android device may use to confirm that it’s using secure connections.
A while back, I was concerned with this very issue with my Google mail app which I use extensively on my portable devices.
I actually set up a scenario where I had a packet sniffer on a different computer so that I could actually watch the low-level packets go by – and I was able to confirm that the Google mail app on my Android phone (at the time) was using a secure connection to transmit data to and from my device.
I did not confirm for every possible application. It’s just not feasible to do that, but I at least wanted to make sure that that one was doing it right.
By now, most banks should know to use https or an equivalent secured encrypted connection, be it in a web browser or an application.
The key words being “most” and “should.”
Does yours? I don’t know.
If they tell you that they do, can you confirm it? Not really.
So, in my case, I elect to trust my bank and assume that they are indeed using a secure connection on the application. For the bank, the negative repercussions of being found out if they weren’t using a secure connection would be significantly bad PR.
So I have to assume that they are at least scared enough of the public relations issue that they’re at least attempting to do the right thing. But is there a way for you and me to tell? Nope.
7 comments on “Is it safe to use a mobile banking app over an open Wi-Fi connection?”
I suggest using an encrypted VPN if you are worried about security. They encrypt all the traffic, regardless of the application.
Even if a tablet/smartphone app is using SSL that does not mean it is being used correctly. Lots can go wrong and a couple studies have shown that it does go wrong. App developers make some brutal mistakes.
A VPN is a good idea but not perfect. While it should protect you from snoops in your immediate vicinity, the VPNs available to consumers do not offer end to end encryption. I have tried using a VPN on both Android 2.3 and 4 and it’s a big pain. I ran into assorted coding errors by Google that my VPN provider had to work around. And on Android 2.3 it required entering two passwords to make a connection.
In contrast VPNs on iOS worked great for me.
I agree with Leo – just use the bank’s app and don’t worry. If something does go wrong and you lose money, the bank has to repay you anyway, so it’s their risk, not yours.
True, Daniel, but how much time does it take the bank to sort out whether it’s their problem or your problem and then reimburse you? Can you afford to be out of money for that period of time?
An ounce of prevention is better than a pound of cure.
Greetings, I have a question. If you have Google Chrome on your mobile phone and, for example, the 9gag app, do the 9gag links you browsed appear in Google Chrome history? Are Google Chrome and the 9gag app connected?
I don’t know. They could be. Why not experiment and find out?
Yes, you can tell whether a Secure Socket Layer (SSL) has been enabled and how good that encryption is. This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet: https://www.ssllabs.com/ssltest/index.html