Security
Yodlee is committed to establishing and maintaining a comprehensive and dynamic security program for ourselves, our customers and our partners. With the introduction of Yodlee FinApps we have implemented the Yodlee FinApp Security Program, a comprehensive program to provide security controls at every step of the FinApp development life cycle and deployment to consumers.
The security controls are broken down into four key areas:
- FinApp Developer’s Platform Security
- FinApp Data Security
- FinApp Security Certification
- FinApp Center Security
FinApp Developer’s Platform Security
Yodlee’s unique and patented FinApp Developer’s Platform powers all FinApp innovation by creating a secure infrastructure for development. The Platform can be easily integrated and customized to create a personalized experience for every customer or customer segment.
The Yodlee FinApp Developer’s Platform (also referred to as the Yodlee FinApp Platform) allows FinApp developers to develop and publish FinApps to the Yodlee FinApp Center.
To reduce security risk to the lowest level, the Yodlee Security Office participates in all additions and changes to the Yodlee FinApp Platform beginning with the initial stage of the FinApp development life cycle. Security requirements are enforced within all platform changes, and the Yodlee Security Office works closely with the architecture and product teams to review the technical design and technical architecture in order to enforce security controls. Several rounds of security testing are performed on all changes to the Yodlee FinApp Platform.
FinApp Data Security
Yodlee uses hardware encryption technology to store the most sensitive user data in the database. Access Control Lists (ACLs) govern access to the FinApp APIs; they are granted only on a “need-to-know” basis and can only be approved by the Yodlee Security Office. Several layers of session, data and ACL validation are performed before access to the user’s data is permitted, and access to the user data APIs is allowed only after approval from the Yodlee Security Office. ACLs are enforced at multiple layers, including the FinApp layer and the Platform layer, and a combination of blacklisting and whitelisting of the APIs is enforced. Calling an API outside the approved list is refused, and every such attempt is logged and monitored as a violation.
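The following is an added illustration of the layered ACL model described above, not Yodlee's platform code. It shows a FinApp-layer check and an independent Platform-layer check, a deny-list that overrides the allow-list, deny-by-default for anything unlisted, session validation before the ACL check, and an audit record for every refused call. The class names, API names, session tokens and the in-memory audit sink are assumptions made for the example.

```python
"""Multi-layer API access control for FinApps: allow-list, deny-list, audit.

Added example, not Yodlee's platform code. Class names, API names, session
tokens and the in-memory audit sink are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FinAppAcl:
    """APIs a security reviewer approved for one FinApp."""
    finapp_id: str
    allowed: frozenset                 # whitelist: approved APIs
    denied: frozenset = frozenset()    # blacklist: never callable, even if also in allowed

    def permits(self, api: str) -> bool:
        # Deny wins over allow; anything not explicitly allowed is refused.
        return api not in self.denied and api in self.allowed


class AclViolation(PermissionError):
    """Raised when a call is refused at any layer."""


class PlatformGateway:
    """Platform-layer enforcement point: the last check before data is returned."""

    def __init__(self, acls, sessions):
        self._acls = {acl.finapp_id: acl for acl in acls}   # finapp id -> ACL on file
        self._sessions = dict(sessions)                     # session token -> user id
        self.audit = []                                     # refused calls, for monitoring

    def _refuse(self, finapp_id, api, reason):
        self.audit.append({"layer": "platform", "finapp": finapp_id, "api": api, "reason": reason})
        raise AclViolation(f"platform: {finapp_id} -> {api}: {reason}")

    def call(self, finapp_id, session_token, api):
        user = self._sessions.get(session_token)
        if user is None:                      # session validation comes first
            self._refuse(finapp_id, api, "invalid session")
        acl = self._acls.get(finapp_id)
        if acl is None:                       # no approval on file means no access
            self._refuse(finapp_id, api, "no ACL on file")
        if not acl.permits(api):
            self._refuse(finapp_id, api, "api not approved")
        return {"finapp": finapp_id, "user": user, "api": api, "data": f"<{api} for {user}>"}


class FinAppClient:
    """FinApp-layer check. It refuses locally, but the gateway re-checks regardless,
    so a tampered or widened local ACL gains nothing."""

    def __init__(self, acl, gateway):
        self.acl = acl
        self.gateway = gateway

    def call(self, session_token, api):
        if not self.acl.permits(api):
            raise AclViolation(f"finapp: {self.acl.finapp_id} -> {api}: api not approved")
        return self.gateway.call(self.acl.finapp_id, session_token, api)


def outcome(fn, *args):
    """Run a call and report ('ok', result) or ('denied', reason) for inspection."""
    try:
        return "ok", fn(*args)
    except AclViolation as exc:
        return "denied", str(exc)


if __name__ == "__main__":
    acl = FinAppAcl("budget-app", frozenset({"accounts.list", "transactions.list"}),
                    denied=frozenset({"transactions.list"}))
    gateway = PlatformGateway([acl], {"tok-1": "user-42"})
    client = FinAppClient(acl, gateway)
    print(outcome(client.call, "tok-1", "accounts.list"))         # ok
    print(outcome(client.call, "tok-1", "transactions.list"))     # denied at the FinApp layer
    # A client shipping a forged, wider ACL is still stopped by the platform layer.
    forged = FinAppClient(FinAppAcl("budget-app", frozenset({"accounts.delete"})), gateway)
    print(outcome(forged.call, "tok-1", "accounts.delete"))
    print(gateway.audit)
```

The point of the second enforcement point is that the FinApp-layer check is convenience, not security: code running in the FinApp can be modified, so the Platform layer must decide independently and must be the layer that records violations.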
Yodlee uses OAuth (Open Authorization) to authorize FinApps securely, and provides a Flex library to simplify the use of its Representational State Transfer (REST) APIs. As an additional layer of security, Yodlee has created a proprietary OAuth request signing solution that is also implemented at the FinApp Data Security level.
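The page does not describe Yodlee's proprietary signing scheme, so the following is an added, generic illustration of what request signing over a REST API buys: integrity of method, path, query and body, a bound consumer key, a timestamp window, nonce-based replay detection and a constant-time comparison on the server. It is not Yodlee's code and not the OAuth 1.0a wire format; the header names, the canonical-string layout and the choice of HMAC-SHA256 are assumptions for the example.

```python
"""Signed REST request: the client signs, the platform verifies.

Added example, not Yodlee's proprietary signing scheme and not the OAuth 1.0a
wire format. Header names, the canonical-string layout and HMAC-SHA256 are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlencode


def canonical_string(consumer_key, method, path, params, timestamp, nonce, body=b""):
    """Deterministic text both sides sign: sorted params, body hash, time and nonce."""
    query = urlencode(sorted(params.items()), quote_via=quote)   # order-independent
    body_hash = hashlib.sha256(body).hexdigest()                  # binds the payload
    return "\n".join([consumer_key, method.upper(), path, query, str(timestamp), nonce, body_hash])


def sign_request(consumer_key, secret, method, path, params, body=b"", timestamp=None, nonce=None):
    """Client side: returns the headers to attach to the outgoing request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    base = canonical_string(consumer_key, method, path, params, timestamp, nonce, body)
    signature = hmac.new(secret, base.encode(), hashlib.sha256).hexdigest()
    return {"X-Consumer-Key": consumer_key, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": signature}


class SignatureVerifier:
    """Platform side: shared secret per consumer key plus replay detection."""

    def __init__(self, secrets_by_key, max_skew=300):
        self._secrets = dict(secrets_by_key)
        self._seen_nonces = {}       # nonce -> timestamp it was accepted with
        self.max_skew = max_skew     # seconds of clock drift tolerated

    def verify(self, method, path, params, headers, body=b"", now=None):
        """Return (accepted, reason). Checks are ordered cheapest first."""
        now = int(time.time()) if now is None else now
        try:
            key = headers["X-Consumer-Key"]
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            presented = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signing headers"
        secret = self._secrets.get(key)
        if secret is None:
            return False, "unknown consumer key"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside allowed window"
        if nonce in self._seen_nonces:
            return False, "nonce already used (replay)"
        base = canonical_string(key, method, path, params, ts, nonce, body)
        expected = hmac.new(secret, base.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, presented):      # constant-time comparison
            return False, "signature mismatch"
        # Record the nonce only after a successful check, and drop nonces whose
        # timestamp has aged out of the window: they can never be replayed anyway.
        self._seen_nonces[nonce] = ts
        cutoff = now - self.max_skew
        self._seen_nonces = {n: t for n, t in self._seen_nonces.items() if t >= cutoff}
        return True, "ok"


if __name__ == "__main__":
    secret = b"shared-secret"                       # constructed for the example
    verifier = SignatureVerifier({"app-1": secret})
    headers = sign_request("app-1", secret, "GET", "/v1/accounts", {"page": "1", "count": "10"})
    print(verifier.verify("GET", "/v1/accounts", {"count": "10", "page": "1"}, headers))
    print(verifier.verify("GET", "/v1/accounts", {"count": "10", "page": "1"}, headers))  # replay
```

Two details matter in practice: the nonce is recorded only after the signature verifies, so an attacker cannot burn nonces with forged requests, and the timestamp window bounds how long the nonce table has to be kept. The query-parameter sort means client and server need not agree on parameter order, but they do need to agree on the exact encoding of the canonical string, which is why real schemes specify it precisely.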
Yodlee REST APIs that are accessed by the developed FinApps are security tested and certified by the Yodlee Security Office. The Yodlee Security Office completes a comprehensive code review using both manual and automated code review methodologies to detect security issues and ensure data security. Yodlee uses a commercial source code scanner for automated scans, manually reviews all critical code changes, and performs a rigorous penetration test to detect security issues. Before any changes are pushed to production, all security issues must be resolved.
FinApp Security Certification
Once the FinApp is successfully submitted for certification, the Yodlee Security Office will conduct a comprehensive and rigorous security certification process. During this process, the FinApp is checked for violations of the Yodlee Security standards as per the FinApp security guide, data security issues and other security vulnerabilities.
Yodlee also requires that all FinApp developers (including Yodlee’s own internally built FinApps) run a proprietary FinApp Security Tool (FAST) against the developed FinApp before submitting it for certification, to ensure the FinApp is secure. FAST completes an automated scan that includes static code scanning of the entire code base and generates a report that lists, for each finding, the code line number, the security issue and the recommended fix. The report also shows the overall security risk level for each FinApp.
The Yodlee Security certification process involves a complete end-to-end testing cycle as well as detailed code reviews, and its outcome is a pass/fail status only. The FinApp remains in failed status until all security issues are fixed by the developer and the FinApp has been put back through the same certification process. Once the FinApp passes certification and is approved by the Yodlee Security Office, it can be published to the Yodlee FinApp Center.
![security_clip_image002[1]](http://www.yodleefinapps.com/wp-content/uploads/security_clip_image0021.jpg)
FinApp Center Security
Once the FinApp has been successfully certified and approved for publishing, there are additional security controls in place including:
- Enabling of FinApp Access Control Lists - Each FinApp must be explicitly enabled for the data and APIs it needs in order to run. The Yodlee Security Office validates the API, ACL and data access once more to ensure that the data being accessed is verified and approved.
- Enabling Secure Proxy - Any outbound HTTP connection to a third-party site made from the FinApp must go through the FinApp Secure Proxy, and all external URLs used by the FinApp are verified and whitelisted in the Yodlee Secure Proxy.
- FinApp Center Publishing - After the enablement process has been completed, the FinApp is published to the FinApp Center where all FinApp access and usage is logged and monitored per the FinApp Security Monitoring program.
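As an added illustration of the Secure Proxy whitelist step above (this is not Yodlee's proxy code; the allow-list entries, class name and policy choices are assumptions for the example), the check below shows what an egress allow-list has to look at before it is safe: the scheme, a userinfo component that can disguise the real host, IP literals, non-standard ports, a trailing dot on the host name, and exact-versus-subdomain matching. Each rejected case is one that a plain substring match on the URL string would have let through.

```python
"""Outbound URL allow-list for a FinApp egress proxy.

Added example, not Yodlee's Secure Proxy. The allow-list entries, the class
name and the policy choices (https only, port 443 only, no IP literals) are
assumptions for illustration.
"""
import ipaddress
from urllib.parse import urlsplit


class EgressPolicy:
    """Decides whether a FinApp may open an outbound connection to a URL."""

    def __init__(self, allowed_hosts):
        # Entries beginning with "." permit any subdomain; others must match exactly.
        self._exact = {h.lower().rstrip(".") for h in allowed_hosts if not h.startswith(".")}
        self._suffix = tuple(h.lower() for h in allowed_hosts if h.startswith("."))

    def check(self, url):
        """Return (allowed, reason). Only the host decides; the path is irrelevant."""
        try:
            parts = urlsplit(url)
        except ValueError:
            return False, "unparseable URL"
        if parts.scheme != "https":
            return False, "scheme must be https"
        if parts.username is not None or parts.password is not None:
            # "https://api.partner.example@evil.example/" really targets evil.example
            return False, "userinfo not permitted"
        host = parts.hostname            # already lowercased, brackets stripped for IPv6
        if not host:
            return False, "missing host"
        try:
            ipaddress.ip_address(host)
            return False, "IP literals not permitted"   # only named, reviewed hosts
        except ValueError:
            pass
        try:
            port = parts.port
        except ValueError:
            return False, "invalid port"
        if port not in (None, 443):
            return False, "non-standard port"
        host = host.rstrip(".")          # "api.partner.example." is the same host
        if host in self._exact or host.endswith(self._suffix):
            return True, "allowed"
        return False, f"host {host} not on allow-list"


if __name__ == "__main__":
    policy = EgressPolicy(["api.partner.example", ".cdn.partner.example"])  # constructed list
    for candidate in [
        "https://api.partner.example/v1/rates",
        "https://img.cdn.partner.example/logo.png",
        "http://api.partner.example/v1/rates",
        "https://api.partner.example@evil.example/",
        "https://203.0.113.7/",
        "https://api.partner.example:8443/",
        "https://api.partner.example.evil.example/",
        "https://evil.example/api.partner.example",
    ]:
        print(candidate, "->", policy.check(candidate))
```

A proxy that follows HTTP redirects must run the same check on every redirect target, not just the first URL, and the DNS answer for an allowed host should be resolved by the proxy itself rather than supplied by the FinApp; otherwise the allow-list only constrains the first hop.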
The Yodlee Security Office continuously monitors the Yodlee FinApp Center to ensure only certified FinApps are present. If at any time an uncertified FinApp is found during the monitoring review, the FinApp will be removed from the store.
The Yodlee FinApp Security process includes strict monitoring and review cycles, and the Yodlee Security Office is responsible for disabling a FinApp in the FinApp Center if any malicious activity is detected.
Yodlee maintains a robust security program to ensure the highest levels of security for financial institutions, your customers and Yodlee.
