The Need: Deliver a mobile-first digital experience
Hong Leong (HL) Insurance, established in Hong Kong, offers personal, corporate, and commercial insurance products. Like many enterprises, HL Insurance wanted to expand its footprint in the market and banked on a mobile-first strategy in order to reach the tech-savvy millennials. With consumers who primarily use mobile devices to access information, developing apps was HL Insurance’s obvious next step.
As part of the Financial Stability Institute, security and privacy were at the forefront of HL Insurance’s priorities. An insecure app not only erodes customer trust — it also entails hefty penalties and unnecessary remediation costs. Oursky worked to ensure that HL Insurance’s application delivers a digital experience that is natively responsive on mobile devices.
Oursky’s Strategy: Build a secure yet intuitive mobile app
Oursky worked with HL Insurance to streamline the workflow by creating a minimum viable product (MVP). This narrowed down the core features (e.g., checkout flow, e-commerce and payment options) of the application while consolidating feedback from customers. This approach allowed HL Insurance to improve and augment the app’s functionalities with features such as currency exchange rate calculator and local weather reports, which can be easily tied in to their products, such as travel insurance.
Oursky worked to ensure that financial and personally identifiable information (PII) is securely stored and processed. Here are some of what we enforced during the development lifecycle:
- Adopt DevSecOps and automate assessments of potential security issues
- Implement test cases for all application program interfaces (APIs)
- Require logical robotic tests for workflows
- Perform stress and grey box penetration tests before User Acceptance Testing (verifying the software against the production environment) and after applying significant updates and changes
- Review regularly against the Open Web Application Security Project’s (OWASP) Application Security Verification Standard (ASVS) and Mobile Application Security Verification Standard (MASVS)
- Ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS)
Here are some of what we implemented to secure sensitive data:
- Enforce the principle of least privilege when accessing data
- Avoid keeping PII in cache or session state (except for access tokens) and apply encryption at rest
- Identify and document backend code, APIs, data paths and storages, and app screens where data traverses
- Disable functionalities through which data can be captured (e.g., screen capture)
- Follow secure Android and iOS app development practices
- Keep sensitive data out of the debug console log and disable console logs in production builds
The Result: Improved customer experience through a mobile-first strategy
With the app’s streamlined workflow and mobile-first design, customers no longer have to fumble with overwhelmingly long forms and processes when signing up for a product. The app also added another avenue for users to reach HL Insurance’s representatives, which improved the company’s overall customer experience. It also helped that the app was designed to be a source of helpful information that users can draw on to manage their finances and plan their travels or expenses. And with security and privacy as part of the app’s selling points, customers are assured that their PII does not fall into the wrong hands.