Report finds financial app security ‘epidemic’
Written by Peter Walker
New research has revealed that 83 per cent of mobile financial applications store data insecurely, and that 97 per cent lack binary protection, the hardening that stops attackers from reverse-engineering the software.
Application security provider Arxan commissioned advisory firm Aite Group to analyse the market, finding that 90 per cent of apps unintentionally leaked data to other apps, while 80 per cent used weak encryption and 70 per cent used weak random-number generation.
The report pointed out that the insecure storage of data has already been widely exploited to access apps’ supposedly secret Application Programming Interface (API) keys, which are then used to repurpose the app so that it sends customers’ data to the hackers’ servers.
Such hacked and repackaged banking apps have already been actively distributed by gangs, for instance in Russia, where hackers used them to steal 50 million roubles (£584,000) from domestic banking customers in 2017.
Aite Group senior analyst and report author Alissa Knight said it took her on average 8.5 minutes to crack into an application to read its source code and other sensitive underlying data.
“With financial institutions holding such sensitive financial and personal data – and operating in such stringent regulatory environments – it is shocking to see just how many of their applications lack basic secure coding practices and app security protections,” she said.
“It’s clear from the findings that the industry needs to address the vulnerability epidemic throughout its mobile apps and employ a defence-in-depth approach to securing mobile applications – starting with app protection, threat detection and encryption capabilities implemented at the code level.”
The report analysed the mobile apps of 30 financial organisations from the Google Play store across retail banking, credit card, mobile payment, cryptocurrency, retail brokerage, health savings accounts, health insurance and auto insurance.
It found that apps from the smallest firms showed some of the most secure coding practices, while those from the largest companies were the most vulnerable.
The retail banking, retail brokerage and auto insurance apps were found to be exposed to every category of issue discovered, while the fewest vulnerabilities were found in health savings account apps.
“Unfortunately, the lack of app protection is systemic across these and most organisations using mobile apps to drive business — which in today’s environment is everyone,” said Arxan’s chief scientist Aaron Lint.