
Otkrytie Mobile Bank: development in reverse

“First a convenient registration mechanism was invented, and only then the means of protecting it”
A case study on developing a mobile bank for iOS smartphones





Bank 3.0: a banking revolution is underway
Important structural changes are currently taking place in the banking sector under the influence of IT. This process is called digital transformation. Previously, IT was used to automate business processes that had formed in the distant pre-IT era, and the work boiled down to squeezing a few percent of efficiency out of them; now IT capabilities give rise to new business models that did not exist before. And the key role here is played by mobility.
“A bank today is not where you go, but what you do,” writes Brett King, author of the bestseller Bank 3.0. Whoever believes that the branch is the only thing that will make the client happy has already lost the battle for today's consumer. Just ten years ago, 50-60% of transactions were carried out at a cash desk in a bank branch. Now 95% of operations go through the Internet, mobile phones, ATMs and call centers. Customers would like to visit a bank branch no more than 1-2 times a year, but overall they intend to interact with the bank far more often than before: 20-30 times a month from a smartphone and 7-10 times from a tablet.

Mobile bank: a profit center, not a cost center
In Russia, 6.6 million people make at least one online payment from a mobile device every month. Yet many banks still regard the mobile application as an annoying necessity (and a cost) incurred to please the tastes of an overly advanced young audience. There is already an online bank, so go and use it! But no, they certainly need a native application! OK, let them have it. It was with this attitude that most first-wave mobile banks were released to the market. As was to be expected, they did not give any impetus to business growth and ended up on the expense side. Hence the skepticism about mobility that customers now show.

But the role of the mobile channel in the overall structure of banking services has changed dramatically. Mobile banking is turning from an auxiliary channel into the main one (by various estimates, a client who uses mobile technology brings the bank about five times more income). In addition, when choosing a bank, consumers have started to take the quality of its mobile banking application into account.

Almost half of clients (48%) consider the quality of a mobile application to be an important factor in the decision to change the bank.


When the customer knows what they want
The ideal customer for an application is a technology-driven company that understands the importance of IT for its business. Banks do not merely understand this value, they build their whole business on IT. The bank's working group involved in the project (IT, security, marketing, customer service, etc.) needs no explanation of the technology or the business benefits.

(A customer's lack of a clear strategy for developing multi-channel interaction with clients, of which mobile banking is a part, should be treated as a serious project risk.)

Otkrytie is a young team of mobility enthusiasts who wanted to give their customers a great service; they formulated the business needs, and Redmadrobot turned them into a product.

For Otkrytie, the mobile bank is part of a single integrated service system available on various platforms and devices, not just on the iPhone. Work is already underway on the Android version for smartphones (it will appear in Google Play this year), as well as on tablet versions. The bank is updating all of its interfaces: the redesign of ATMs and the electronic queue has begun, and payment terminals are next. The mobile application is part of this renewal concept.

When developing the application, we proceeded from two important tasks: to satisfy the basic needs of the bank's private clients and to satisfy the business needs of the financial institution itself (to gain an additional channel for selling banking products and to increase customer loyalty by conveying the idea of simplicity and convenience of banking services). For us, a mobile bank is another channel for selling services.
Ideally, we strive for all our customers to have the mobile application installed. After all, the smartphone market has now reached a level where devices are no longer prohibitively expensive. The main indicator to watch is the number of successful registrations. That is, it was important for us to make the registration process itself so clear that nobody has questions like “how do I register?” or “what do I press here?”
Alexey Kruglov, Senior Vice President, Director of Marketing and Client Service, Otkrytie Bank


Design and security are the key advantages
Mobile application developers cannot influence the composition of banking products in any way; the set of services is defined by the financial institution's specialists (and these services are roughly the same for all banks: account information, payments, transfers, statements, currency conversion, etc.). Therefore, it is worth concentrating not on WHAT to do, but on HOW.

HOW means UX and code quality. In the Otkrytie project, design was treated as a competitive advantage of the mobile product. Particular attention was paid to security, in the sense that it must not get in the way of work. Yes, exactly. On the one hand, security must be flawless (one loud incident is enough to compromise the entire system, and no design will help once users have given up on it); on the other hand, flawlessness should not be achieved by simplifying the product and its capabilities.



The path to good design runs through many iterations
Good design cannot simply be done right the first time. Even when everything is clear in principle (business requirements, brand book...), ten variants of one screen are not the limit on the road to perfection. And even options already accepted and approved by the customer had to be changed.

(It is very important to establish version control in project management.)

The Otkrytie brand book had to be adapted slightly for iOS: in accordance with Apple's guidelines and traditions, interfaces are made brighter on mobile devices.



A native prototype is in some cases not a luxury, but a necessity
In most cases, a simple HTML prototyping service is enough to evaluate the interface design and the logic of transitions at the design stage. However, this method does not let you fully appreciate the dynamics and feel the interactivity of the future application. Once it was decided to make design an important competitive advantage, such nuances could not be neglected, so it was decided to use a native prototype: practically a real application, only without real data and without the server side, in order to give the full experience of working with the product at the UX testing stage.

Of course, it is more expensive and more difficult, but in this case the end justifies the means. And, of course, this approach will not pay off in every project.



Usability testing by a third party
With usability, there is a risk that the customer and the developer will not reach a common opinion about the convenience and clarity of the interface, and this becomes grounds for conflict. Subjectivity in assessments cannot be avoided entirely, and the parties' opinions on what counts as a good interface solution and what counts as a bad one can differ greatly. And most importantly: both of them may be wrong, because users often have their own, completely different preferences.



Therefore the developer should only welcome it if the customer brings in outside usability experts: this strengthens the relationship rather than destroying it. In such a “triangle” the areas of responsibility can be divided more rationally: the customer handles business requirements, the developer makes the design, and the usability specialists give feedback.

Otkrytie Bank chose Usethics as its usability partner.
The testing scenarios covered about 70% of the functionality of the first version of the product: registration, re-entry into the application, viewing account information, payment history, paying for services, and searching for branches and ATMs. Respondents were selected from among iPhone and Internet bank users.

The designers watched the testing process and worried about the users: will they find the necessary button or not? Sometimes they did not, and then the interfaces were fixed and tested again.



According to the test results, the level of subjective satisfaction with using the application was 92.8%, and overall 98% of respondents gave Otkrytie Mobile Bank a positive assessment.

But one should not fall into euphoria: since usability is tested on model data and does not cover all types of users, some interface problems will inevitably surface in real use and will have to be corrected.

The application “lacks custom” UI
The idea of making the “Pay” action a slider, like the one that unlocks a smartphone, appealed to all project participants. It fully complied with Apple's guidelines, and there seemed to be nothing to complain about.



However, the App Store rejected this version with the wording “the application lacks custom”: you cannot use system components for purposes of your own. That is, the application should look original and differ from the system screens. Alas, the payment slider had to go.

Uniformity and standardization are not always good
It is customary to strive for uniformity in an interface, so that similar functions have similar screens. But there are situations where this rule does not work.

To enter the application, the user must enter an access code. But first this code has to be created, right? The developers thought it perfectly logical to give these screens an identical design. Of course, the captions on the screens differed: “Enter the code” and “Create the code”. During usability tests it turned out that users were confused and did not understand what the system wanted from them when asked to create a code: the visual resemblance to the login screen misled them. It was therefore decided to make these screens visually distinct and at the same time to add text explanations.



(Do not count on users' attentiveness. If something can be confused, they will confuse it. Almost a new Murphy's law.)

Copywriting in applications: “Don't save the file: YES / NO?”
This old joke about the file save dialog is still relevant. Users are often confused by the names of functions, the wording of questions, hints and other text messages found in an application, even though the designers themselves think everything is clear.

Users simply did not notice the laconic caption “create an access code”. Therefore, in addition to changing the appearance, we had to add a fairly detailed explanatory text about what is required of the user on this screen.



Better a little redundancy and verbosity: more often it works in your favor than against you. Users read instructions only as a last resort, when nothing else has worked, and once extra text has become familiar they get used to ignoring it.

Security must exist, and be invisible
It is hardly news to anyone that a bank's mobile application must be secure. All developers know this, and yet vulnerabilities are by no means isolated cases.



Banks often limit the size of transactions made through mobile applications in order to minimize their risks, thereby limiting the applications' scope and their own potential income.

Is it possible to create a truly secure mobile bank? Absolutely invulnerable to every attack vector: absolutely not. Protection methods, as a rule, appear in response to incidents that have already occurred and been discovered. And yet a reliable application with protection against most currently known threats can be created, with a high degree of security thanks to correct code and competent interaction with the bank's internal systems.



Working with banks (Otkrytie is not our first banking project), we had to reconsider our approaches to creating secure applications. This concerned not so much the practical work and the actual writing of code (that was fine before) as the documentation and the preliminary elaboration of the architecture. The bank's security service works on the basis of a threat model and requires a reasoned and clear answer as to how we counter this or that threat. For example, what do you do about the threat of identity spoofing during a man-in-the-middle attack? We say: “For this we have this and that.” The result was two documents:
1) formal requirements for application security: requirements for code, architecture and data storage;
2) requirements for interaction with the server.
In fact, every decision made in the project was checked against the security requirements. At the start of the project, security work took up to 25% of the total time. Later, once the architectural decisions had been made, we spent almost no time on information security issues.
Arthur Sakharov, mc_murphy , technical director of Redmadrobot


Quality assurance from the first stages of the project
Redmadrobot's QA team joined the project at the analysis stage. This helped avoid large-scale rework at the development and testing stages. The test cases and test plans included not only functional and UI/UX testing, but also security testing.

The application used the same server side as the customer's online personal account, and during testing of the mobile bank defects were identified whose correction improved the performance of all services of FG Otkrytie.

HP Fortify: a top-notch security check
The Hewlett-Packard Fortify Static Code Analyzer is one of the most serious Software Security Assurance (SSA) verification tools on the global market. Independent experts from HP Fortify checked 37,225 lines of the source code of the Otkrytie mobile bank; the analyzer did not reveal any critical security vulnerabilities.

The analyzer scans the source code of the application and the server, determines the possible attack vectors and the scenarios for protecting against them, then prioritizes the results and provides detailed reports (down to the level of individual lines of code). Most attention is paid to the handling of data: whether it is stored on disk, whether it is transmitted in unprotected form, whether screenshots are masked in iOS.

Unique: registration in the application by credit card
Starting to use a mobile bank is often not so easy: you need to obtain a username and password at a branch or by other means, wait for the application to be registered, and so on. In the Otkrytie project the task was to get rid of all these delays and let the customer become a mobile bank user as simply as possible.

An original solution was found: the client registers with his bank card number, and no more logins and passwords are needed. Since the card number itself cannot be stored on the device for security reasons, a custom mechanism of registration identifiers had to be devised. The application generates a new identifier and sends it to the server. The server sends an SMS with a confirmation code, and that's it: you can use the mobile bank. Naturally, the interaction with the server is encrypted, using standard iOS libraries and the HTTPS protocol.

To make life even easier for the user, a recognition function was built into the application: just point the iPhone camera at the bank card and registration happens automatically (if the card is embossed). Then you need to create a PIN code and subsequently enter the application with it. This is secure enough, because the application can be blocked if the phone is lost: the identifier is marked as compromised, it is no longer possible to log in with it, and you need to re-register.
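The registration and blocking flow described in the two paragraphs above, as an added illustration that is not Redmadrobot's or the bank's code: the device keeps only a random identifier, the server issues a confirmation code and binds the identifier to the card only after the code is confirmed, and a lost device is handled by marking the identifier as compromised so that it can never be revived. The code lifetime, the attempt limit, the Luhn pre-check on the card number and the keyed hash of the card on the server are my assumptions, not details from the article.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed illustration of the registration scheme the article describes.
# The card number is never stored on the device: the app generates a random
# identifier, the server ties it to the card once an SMS code is confirmed, and
# a lost device is handled by marking the identifier as compromised.
# Code lifetime, attempt limit, Luhn check and keyed card hash are assumptions.

SMS_CODE_TTL_SECONDS = 300   # assumed lifetime of a confirmation code
MAX_SMS_ATTEMPTS = 3         # assumed guesses allowed per issued code


def luhn_valid(card_number: str) -> bool:
    """Reject obviously bogus card numbers before an SMS is ever sent."""
    digits = [int(c) for c in card_number if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Registration:
    card_hash: str                 # keyed hash of the card, not the number itself
    sms_code: Optional[str]        # None once the code is used, expired or burned
    issued_at: float
    attempts: int = 0
    confirmed: bool = False
    compromised: bool = False


class RegistrationServer:
    """Server side of the flow: issues SMS codes and tracks identifier state."""

    def __init__(self, hmac_key: bytes) -> None:
        self._key = hmac_key
        self._by_identifier: Dict[str, Registration] = {}
        # Stand-in for the SMS gateway: records (identifier, code) it "sent".
        self.sent_sms: List[Tuple[str, str]] = []

    def _hash_card(self, card_number: str) -> str:
        return hmac.new(self._key, card_number.encode(), hashlib.sha256).hexdigest()

    def begin_registration(self, identifier: str, card_number: str, now: float) -> bool:
        existing = self._by_identifier.get(identifier)
        if existing is not None and existing.compromised:
            return False              # a lost device's identifier is never revived
        if not luhn_valid(card_number):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._by_identifier[identifier] = Registration(self._hash_card(card_number), code, now)
        self.sent_sms.append((identifier, code))
        return True

    def confirm(self, identifier: str, code: str, now: float) -> bool:
        reg = self._by_identifier.get(identifier)
        if reg is None or reg.compromised or reg.sms_code is None:
            return False
        if now - reg.issued_at > SMS_CODE_TTL_SECONDS or reg.attempts >= MAX_SMS_ATTEMPTS:
            reg.sms_code = None       # burn the code; the client must start over
            return False
        reg.attempts += 1
        if not hmac.compare_digest(reg.sms_code, code):
            return False
        reg.confirmed = True
        reg.sms_code = None           # single use
        return True

    def is_active(self, identifier: str) -> bool:
        reg = self._by_identifier.get(identifier)
        return reg is not None and reg.confirmed and not reg.compromised

    def report_lost(self, identifier: str) -> bool:
        """Block the application: the identifier is marked compromised for good."""
        reg = self._by_identifier.get(identifier)
        if reg is None:
            return False
        reg.compromised = True
        reg.confirmed = False
        return True


class Device:
    """Client side: holds only a random identifier, never the card number."""

    def __init__(self) -> None:
        self.identifier = secrets.token_hex(16)


if __name__ == "__main__":
    server = RegistrationServer(hmac_key=secrets.token_bytes(32))
    phone = Device()
    server.begin_registration(phone.identifier, "4111 1111 1111 1111", now=0.0)
    _, code = server.sent_sms[-1]     # in reality this arrives by SMS
    print("registered:", server.confirm(phone.identifier, code, now=5.0))
    server.report_lost(phone.identifier)
    print("still active:", server.is_active(phone.identifier))
```

The point of the sketch is the state machine around the identifier rather than the crypto: a confirmation code is single-use, expires, and is burned after a few wrong guesses, and once an identifier has been reported lost the server refuses both login and re-registration under it, which is what forces the re-registration the article mentions.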

And yes, Touch ID login in iOS 8 is also supported. Incidentally, Otkrytie Mobile Bank is the first on the Russian market with fingerprint identification.

Communicating with the server: an API with room for the future
On the server side there is a single entry point for the mobile client: middleware developed by the bank, which in turn integrates with all internal systems (CRM, payments, plastic card accounting, etc.).

The application interacts with the server through our RESTful API, which was made universal so that the bank's other services and web applications could use it. It was created in several iterations, starting with the data model, and reuse and expansion options were envisaged from the start. The result is a fairly simple, very convenient and scalable interface.
The API now covers one and a half to two times the functionality of the first version of the application. In general, the architecture should be created with a reserve for the future, so that as the application evolves you do not have to change fundamental things.
Arthur Sakharov, mc_murphy , technical director of Redmadrobot


What has been done and what's next
The first version of the mobile bank supports the standard set of functions:
- Creating an individual access code for easy re-authorization;
- Detailed information about cards, loans and deposits;
- Viewing statements;
- Quick card top-up;
- A combined history of payments made through the mobile and online bank, with the option to repeat operations;
- Payment for mobile communications, pay TV, utilities and much more;
- Transfers within Otkrytie Bank;
- Currency conversion;
- Quick search for nearby ATMs and offices;
- Quick contact with the bank's support service via hotline or email.
By the end of the year the application will gain transfers to other banks and online consultations, the statement will be finalized (filters, categories of operations), and much more. The release policy involves monthly updates aimed at improving the stability of the application and adding new functionality, tracking how well the client company's business needs are met, and adjusting the product development plan accordingly.
Following the iOS version for smartphones, a mobile bank for Android and tablet versions will appear.

Source: https://habr.com/ru/post/242417/