I am developing an integration with REST Api with yodlee, and I am worry about security considerations, and would like to hear about the best practices concerning security with the server that talks with yodlee via REST API.
There is a method that returns the users password in plain text, getLoginFormCredentialsForItem()
This worries me a lot and I see that I have to isolate this server with the application server.
Do you have any recommendation to confront this scenario?
Thanks for your feedback on this. I've reviewed this with our Yodlee Security team and they've provided the following response:
The Yodlee Platform stores consumer credentials in a reversible format so that we can use those credentials on behalf of, and as authorized by, the consumer in order to retrieve their data for use by the application. Yodlee has enacted multiple layered security controls as defined by US banking regulations, industry standards (e.g. ISO2700K, PCI) and good industry practices to protect these credentials and the data retrieved by them. When Yodlee deploys with a client, access to the APIs are restricted via network and API level access control lists to complement our and our client’s security controls. However, in this Developer Portal, all APIs are white-listed so that developers can explore the full feature set of the Platform.
We're a longstanding platform with over 10+ years of security and bank-level data audits under our belt and we do not take these or any security concerns lightly. As part of our audit process, we will review the need and use of this particular API and make the appropriate determination whether to modify or remove this API completely from use. We thank you for bringing this concern to our attention.