I don’t think it’s any less secure if it is encrypted and locked in a way that a casual thief won’t bother trying to unlock.
I clicked on a few and they all mentioned “unauthorized activity” without specifying that they only cover fraud from desktop computers. Besides, I still see no difference – whether browser or app, one still has to log in. How is an app any less secure?
I don’t use the app, but I was speaking in general about any apps from large financial institutions. What’s the point of getting a network trace? Anything interesting would be over TLS.
If I only used one FI, maybe I would. But I use many, each FI has its own app and the phone’s input/output devices are less efficient than my desktop PC, and I don’t want to spend all day doing what I need to do. Every now and then I use a phone app for check deposits mostly because it’s faster than scanning and photoshopping, but also because those FIs do not support check deposits with a browser.
My understanding is that onenote’s problem isn’t this particular app, it’s the fact that the FI is not giving him a choice to block their app. I was generally speaking of apps from large financial institutions, as I already explained.
From a software security standpoint – I cannot, as that would require a security audit. Just have to trust that a large FI would do it right. I did say “assuming it’s well-written” in my post.
From a logon security standpoint, I explained above the line you quoted – the logon process for the app is the same as for the browser; desktop computers with browsers are more likely to be hacked than a mobile phone; ergo app is more secure.
Speaking of security at Alliant credit union, I received an email today about tips to avoid wiring transfer fraud. It is pretty good. If you are a member, look for it in your email.
It looks like bill pay checks are going out of Sioux Falls, SD now instead of Pasadena, CA - I can’t make out the new processor name on the check image.
Alliant works just fine for me and I use the app, particularly the deposit feature where one can deposit checks by photo, which is convenient. It saves time and money. No visit to the bank. The savings rate is now 1.6% and the Visa card pays 2.5% rewards, which rewards I deposit into checking. I pay most non credit card paid bills and transfers direct from Alliant Savings (there was a 6 withdrawal per month limit, waived during the pandemic and not yet reinstated). I usually make at most 6-8 withdrawals per month.
Do you build your browsers from the source code, which you personally examine with every update? (And do you do the same for the compiler and all the libraries?) Do you check SSL certificate every time you connect?
My point is, neither way is 100% secure, but both are secure enough if you don’t do stupid things like pick up spyware. I think marginally, for a technical person conscious about security, a browser is slightly better because you can better see what’s going on and have a bit more control. But for an average person an app on a phone is slightly better because the system is somewhat more locked down (people tend to pick up viruses and spyware more on Windows computers than on phones), and some of the checks can be better automated in the app (e.g. certificate pinning).
I myself prefer a browser on my computer for financial stuff (separate one from the browser I use for generic web surfing, social media, etc.), but don’t hesitate to use apps from a couple of banks occasionally.
For browsers used for financial connections, yes.
Rarely, but I delay updates for quite some time.
Yes
I disagree (and sorry to the people who have read this before). I avoided the Chase fiasco by using NoScript, and not allowing JavaScript from a .ru domain.
I have no way to do that with the Chase app, and without source, no way to know where Chase is selling/“sharing” my data. They can allow JavaScript to run from Google (least risk of fraud/theft, but most risk of data loss), to umpteen other sites.
Why?
I am different from most, presumably, or at least that’s what I sell to my wife. We use a Linux-based machine for finances. It is usually powered down, but never goes to a website other than our accounts at a major bank, Treasury Direct, or major brokerage. I boot a separate, CD-based OS for most CUs and online purchases.