Mobile banking apps are holding data insecurely

“Systemic problems” could allow an attacker to manipulate data, take over accounts and commit fraud

mobile banking

Research into a host of mobile banking apps has revealed alarming security fallibilities that could pave the way for cyber criminals to access highly sensitive financial data.

Systemic problems in the financial sector's approach to designing security into mobile banking applications have left glaring holes, spanning from weak encryption standards to data leakage.

Researchers on behalf of Arxan Technologies highlighted 11 types of vulnerability found across 30 Android apps from all flavours of financial institutions across Europe and the US, with a total of 180 critical vulnerabilities discovered.

These, if exploited by an attacker, could lead to identity theft, and account fraud, among other dire consequences.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"When a company fails to implement proper application security technology for its app, it opens up the app to be easily reverse-engineered, potentially leading to account takeovers, data spills, and fraud," said researcher Alissa Valentina Knight.

"As a result, the company could experience significant financial losses and damage to brand, customer loyalty, and shareholder confidence as well as government penalties.

"While the findings in this report are specific to these companies, many of them are systemic across all of the mobile apps tested, and other types of companies should use them as a guide for securing their mobile apps."

The names of the banking apps in which vulnerabilities were detected have were redacted, presumably for fear that these companies will subsequently be targeted by malicious actors.

Retail banking apps were found to harbour the greatest number of critical vulnerabilities, while US-based health savings account (HSA) companies were the least exploitable. Also, to the researcher's surprise, smaller companies had the most secure development hygiene, while larger companies produced the most vulnerable apps.

The most common vulnerability type was a lack of binary protections, with 97% of apps tested being possible to decompile and review the source code. Moreover, all apps tested failed to implement application security to obfuscate the source code.

Advertisement - Article continues below

Meanwhile, 90% of applications tested engaged in unintended data leakage, with data from the mobile banking app inadvertently made available to other apps on a user's device. This, for instance, could lead an attack to harvest financial data through other apps they have control over on a device.

Additionally, 80% of apps implemented weak encryption algorithms or the incorrect implementation of a strong cipher. Adversaries could, by exploiting this, decrypt sensitive data into its original form and either manipulate or sell this on.

The most worrying finding, however, was that 83% of apps tested stored users' sensitive data insecurely in the first place. Financial data was stored outside of a sandbox and in the device's local file system, external storage, or even copied to the clipboard, according to Knight.

To remedy these issues, she recommended that financial companies adopt a comprehensive approach to security, and employ a number of technologies such as app shielding, encryption and threat analytics.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/hardware/354584/windows-10-and-the-tools-for-agile-working
Sponsored

Windows 10 and the tools for agile working

20 Jan 2020
Visit/business-strategy/public-sector/354608/uk-gov-launches-ps300000-sen-edtech-initiative
public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020