An investigation of mobile apps from 30 financial institutions reveals weak encryption, data leakage, insecure data storage, and other vulnerabilities.
Banks and other financial companies are putting consumer data at risk by not properly securing their mobile apps, according to a Tuesday report from Aite Group and Arxan Technologies.
The report discovered several key security flaws among 30 mobile apps offered by financial institutions. Almost all of the apps researched could easily be reverse engineered, providing access to sensitive source code data, including account credentials, API keys, server file locations, and incorrectly stored health savings account information.
According to the report, 97% of the apps tested lacked proper code protection, leaving them open to reverse engineering or decompiling. Some 90% of the financial institution (FI) apps shared services with other programs on the device, while 83% stored data insecurely, writing it to the device's file system or external storage or copying content to the clipboard. Such flaws expose the data to use by other apps on the device.
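The two storage habits counted as insecure above, shared external storage and the system clipboard, are shown here next to their hardened equivalents. This is an added Android illustration written for this article, not code from the report or from any of the apps it examined; the class name, method names and the "session.txt" file name are assumptions, and it needs an Android project (not a plain JDK) to build.

```java
import android.content.ClipData;
import android.content.ClipDescription;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Build;
import android.os.Environment;
import android.os.PersistableBundle;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

// Hypothetical helper class; names are assumptions for this example.
public final class SessionStore {

    // --- Weak patterns of the kind the report counts as insecure storage ---

    // Shared external storage belongs to no app: anything holding the storage
    // permission (or with access to the SD card) can read the session token.
    static void saveTokenInsecurely(String token) throws IOException {
        File dir = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_DOWNLOADS);
        try (FileOutputStream out = new FileOutputStream(new File(dir, "session.txt"))) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
    }

    // The clipboard is a system-wide buffer: other apps can read what is placed there.
    static void copyAccountInsecurely(Context ctx, String accountNumber) {
        ClipboardManager cm = (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        cm.setPrimaryClip(ClipData.newPlainText("account", accountNumber));
    }

    // --- Hardened equivalents ---

    // Internal storage with MODE_PRIVATE: the file is owned by this app's UID and
    // is not visible to other apps on a device that has not been rooted.
    static void saveToken(Context ctx, String token) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput("session.txt", Context.MODE_PRIVATE)) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
    }

    // If the user explicitly asks to copy, mark the clip as sensitive so the system
    // hides it from the clipboard preview (Android 13 and later), and clear it once
    // the user is done. Displaying the number is safer than copying it at all.
    static void copyAccount(Context ctx, String accountNumber) {
        ClipboardManager cm = (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        ClipData clip = ClipData.newPlainText("account", accountNumber);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            PersistableBundle extras = new PersistableBundle();
            extras.putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true);
            clip.getDescription().setExtras(extras);
        }
        cm.setPrimaryClip(clip);
    }

    // Remove the sensitive clip, e.g. when the screen is left or after a short delay.
    static void clearClipboard(Context ctx) {
        ClipboardManager cm = (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            cm.clearPrimaryClip();
        } else {
            cm.setPrimaryClip(ClipData.newPlainText("", ""));
        }
    }
}
```

Moving the file into internal storage addresses the "other apps on the device" exposure the report describes; a token that must survive device compromise would additionally be encrypted with a key held in the Android Keystore, which this example does not cover.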
Some 80% of the FI apps used weak encryption algorithms or incorrectly implemented strong ciphers, potentially exposing the data to decryption and theft. Further, 70% of the apps relied on insecure random number generators for the values meant to restrict access to sensitive information, a flaw that makes those values easy to guess. The vulnerabilities uncovered open the door to threats such as account takeovers, identity theft, credit application fraud, gift-card cracking, and credential stuffing attacks, according to the report.
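What "incorrectly implemented strong ciphers" and "insecure random number generators" look like in code is shown below, with the hardened form beside each weak one. This is an added example written for this article, not code from the report or from any app it tested; the class and method names are assumptions, the hard-coded key and the sample message are constructed values, and it runs on a plain JDK (on Android the key would be generated inside the AndroidKeyStore rather than with a bare KeyGenerator).

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical class; names are assumptions for this example.
public class CipherPatterns {

    // --- Weak patterns of the kind the report describes (do not ship) ---

    // Hard-coded key: anyone who decompiles the app recovers it. Constructed value.
    private static final byte[] HARDCODED_KEY =
            "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    // AES itself is strong, but ECB mode encrypts equal blocks to equal ciphertext,
    // so plaintext structure leaks, and the key is sitting in the binary.
    static byte[] weakEncrypt(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "AES"));
        return c.doFinal(plaintext);
    }

    // java.util.Random is a predictable generator: a one-time code drawn from it can
    // be reproduced by anyone who learns its seed or observes a few outputs.
    static int weakOneTimeCode() {
        return new Random().nextInt(1_000_000);
    }

    // --- Hardened equivalents ---

    private static final SecureRandom RNG = new SecureRandom();
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;

    // Key generated at runtime, never embedded in the code.
    static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // AES-GCM with a fresh random IV per message. The IV is prepended to the
    // ciphertext so the receiver can decrypt; the GCM tag detects tampering.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] ivAndCiphertext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_BITS, ivAndCiphertext, 0, GCM_IV_BYTES);
        c.init(Cipher.DECRYPT_MODE, key, spec);
        return c.doFinal(ivAndCiphertext, GCM_IV_BYTES, ivAndCiphertext.length - GCM_IV_BYTES);
    }

    // One-time code from a cryptographically secure generator: unpredictable even
    // to someone who has seen earlier codes.
    static int oneTimeCode() {
        return RNG.nextInt(1_000_000);
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "balance=1234.56".getBytes(StandardCharsets.UTF_8); // constructed sample
        // Two ECB encryptions of the same message are byte-identical: the leak is visible.
        System.out.println("ECB repeats ciphertext: " + Arrays.equals(weakEncrypt(msg), weakEncrypt(msg)));
        SecretKey key = newKey();
        byte[] c1 = encrypt(key, msg);
        System.out.println("GCM repeats ciphertext: " + Arrays.equals(c1, encrypt(key, msg)));
        System.out.println("round trip ok: " + Arrays.equals(decrypt(key, c1), msg));
        System.out.printf("weak code %06d, secure code %06d%n", weakOneTimeCode(), oneTimeCode());
    }
}
```

Running main prints "ECB repeats ciphertext: true" and "GCM repeats ciphertext: false", which is the practical difference between a strong cipher used correctly and one used in a mode that leaks; the two one-time codes look alike on screen, and the difference is only that the second cannot be predicted.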
"During this research project, it took me 8.5 minutes on average to crack into an application and begin to freely read the underlying code, identify APIs, read file names, access sensitive data and more," Aite Group senior analyst Alissa Knight said in a press release. "With FIs holding such sensitive financial and personal data — and operating in such stringent regulatory environments — it is shocking to see just how many of their applications lack basic secure coding practices and app security protections."
Apps from the retail banking, retail brokerage, and auto insurance sectors had the greatest number of security vulnerabilities, the report found. Health savings account apps had the fewest security flaws.
"It's no secret that the finance industry is a hot target because the payload is cold, hard cash," Arxan chief scientist and VP of research Aaron Lint said in the press release. "Virtually none of the apps tested in this research had app security measures in place that could even detect an app was being reverse-engineered, let alone actively defend against any malicious activity originating from code level tampering."
To better protect customer data, financial companies should adopt a more comprehensive approach to security, according to the report. Those approaches might include app shielding, encryption, and threat detection and response. Developers of such apps should also be trained in the use of secure programming and should implement security measures during the software development cycle. Further, app security must offer protection against specific threats such as reverse engineering, malware debugging, device cloning, external screen sharing, and man-in-the-middle attacks.
Conducted over six weeks, Aite's investigation looked at 30 Android apps downloaded from Google Play and used on an LG G Pad 8.0 Plus tablet with Android version 7.0. The researcher did not test iOS apps for the study, citing a tight timeframe in which to conduct the research, but said she believes the iOS versions of the apps would have the same issues.
The apps tested spanned eight financial sectors, including retail banking, credit card, mobile payment, cryptocurrency, health savings accounts, retail brokerage, health insurance, and auto insurance. The size of the companies covered ranged from small and middle-market firms to large institutions with more than $10 billion in market capitalization.