Half of mobile banks 'vulnerable to theft' via app flaws

New research has revealed that half of mobile banking applications are vulnerable to fraud and theft of funds, with the server side accounting for more than half of all detected vulnerabilities.

The team at Positive Technologies tested 14 mobile banking apps - which had been downloaded from Google Play and Apple's App Store more than 500,000 times - finding that client sides were especially vulnerable to unauthorised access to user data, as 43 per cent of applications store important data on the phone in cleartext.

More than three quarters (76 per cent) of mobile banking vulnerabilities can be exploited without physical access to the device, according to the report, while more than a third of vulnerabilities can be exploited without administrator rights.

No flaws in iOS banking apps were worse than 'medium' in severity, but 29 per cent of Android apps contained high-risk vulnerabilities such as insecure deeplink handling. Developers on Android have more freedom of implementation, which explains the larger number of vulnerabilities in Android applications compared with iOS.

The server sides of mobile banking applications contain 54 per cent of all vulnerabilities found and, on average, each mobile bank has 23 server-side vulnerabilities. Almost half (43 per cent) of banking applications contain server-side vulnerabilities in business logic, which attackers can exploit to obtain sensitive user information and commit fraud. Business logic errors may cause significant losses to banks and even lead to legal complications.

Positive Technologies analyst Olga Zinenko commented: "Banks are not protected from reverse engineering of their mobile apps, moreover, they give short shrift to source code protection, store sensitive data on mobile devices in cleartext, and make errors allowing hackers to bypass authentication mechanisms and bruteforce user credentials.

"Through these vulnerabilities, hackers can obtain usernames, account balances, transfer confirmations, card limits, and the phone number associated with a victim's card."

In 87 per cent of cases, user interaction is required for a vulnerability to be exploited. Positive Technologies experts recommend that users avoid jailbreaking or rooting their devices, download applications only from official stores, avoid visiting suspicious websites or following dodgy links from SMS and chat messages, and always install the latest updates for operating systems and mobile applications.
