A study of banking apps for iOS and Android has led researchers to conclude that “none of the tested mobile banking applications has an acceptable level of security.”
Performed by IT security vendor Positive Technologies, the study tested 14 banking apps available on both iOS and Android that had more than 500,000 downloads each. Despite the small sample size, there are reasons to pay attention to the results.
Every single app contained vulnerabilities, and three were common to all of them: A lack of obfuscation, no protection against code injection and repackaging, and code that contained names of classes and methods.
In short, use your bank’s mobile app at your own risk.
Luckily for iOS users, none of the flaws discovered in the iOS versions of the apps surveyed was worse than a “medium” risk; by comparison 29% of Android banking apps contained high-risk flaws.
The vulnerabilities uncovered in the study put individual users, and business clients, directly in harm’s way, and in many cases an attacker doesn’t even need to gain access to the server side of a banking app to do damage.
Client-side apps are those that are installed on personal devices, and they account for 46% of the issues discovered. Of those issues, 76% can be exploited without an attacker having physical access to the target device, only requiring the attacker to successfully phish a target or otherwise get them to click on a malicious link or run a harmful script.
Of the vulnerabilities on the client side, three stand out as being particularly widespread: 13 of 14 apps allow unauthorized access to user data, 13 of 14 are vulnerable to man-in-the-middle attacks, and 11 of 14 apps allow unauthorized access to the application itself.
SEE: Security Awareness and Training policy (TechRepublic Premium)
Things aren’t much better on the server side, where more than half of the apps contain a high-risk vulnerability.
The top problems on the server side of mobile banking come in the form of insufficient authentication, brute force vulnerability, and application identification failure, all of which can be used to impersonate a user to steal data and illegally transfer funds.
What can be learned from poor mobile banking security
If there’s one bright spot in the study it’s that (at least on the client side) only 37% of vulnerabilities can be taken advantage of without a device being jailbroken or rooted.
There’s no reliable way to measure how many iOS or Android devices have been jailbroken or rooted, but estimates come in somewhere around less than 1% of iPhones, and around 7.6% of Android devices, at least as of a few years ago (newer statistics are hard to find).
SEE: VPN: Picking a provider and troubleshooting tips (free PDF) (TechRepublic)
The report concludes that those who use mobile banking apps should avoid rooting and jailbreaking, never to install applications from unofficial sources, not to click links sent by strangers, and to always keep devices and applications up to date.
“In 87% of cases, user interaction is required for a vulnerability to be exploited,” the report said.
“We urge that banks do a better job of emphasizing application security throughout both design and development. Source code is rife with issues, making it vital to revisit development approaches by implementing SSDL [Secure software development lifecycle] practices and ensuring security at all stages of the application lifecycle,” said Positive Technologies analyst Olga Zinenko.
That lesson extends to any business with an app that deals in sensitive data: Develop securely from the beginning, review old code to make sure it’s not vulnerable, and thoroughly test apps before releasing them to the public.