With smartphone adoption and usage soaring, it’s no wonder that financial institutions are developing mobile apps to better serve their customers.
However, security is still a big concern in this area.
“The quantity and severity of the vulnerabilities discovered across [mobile apps in the financial services industry] clearly identify a systemic problem,” according to a new report. That problem is “a widespread absence of application security controls and secure coding.”
Alissa Knight, a senior cybersecurity analyst for the research and advisory firm Aite Group, looked at 30 financial institutions’ mobile apps across eight sectors:
- Retail banking
- Credit card
- Mobile payment
- Retail brokerage
- Health insurance
- Auto insurance
She then used readily available tools to reverse engineer the apps, uncovering “sensitive information stored inside the source code, such as improperly stored [personally identifiable information], account credentials, server-side file locations, API keys, and live deployment and QA URLs used by the developers for testing the apps.”
The most unsettling part? Each app took her only 8.5 minutes to crack, on average.
Here’s a look at the five most startling vulnerabilities.
1. Lack of Binary Protections
Almost all—97%—of the apps tested had no binary code protection, which is what allowed Knight to break into the apps so easily.
What’s more is that every app “tested failed to implement application security that would have obfuscated the source code of the apps, making it possible to decompile them.”
Adversaries looking to tamper with the binary code could inject malware, repackage it, and distribute it through a third-party app market or SMS phishing.
2. Unintended Data Leakage
Some apps share services with other apps, creating the potential for data to leak from one app to another, allowing adversaries to take control.
This could result in breaching user privacy and unauthorized data usage.
Developers must monitor a number of places for data leakage:
- Application background
- HTML5 data storage
- Browser cookie objects
Keep an eye on which services can connect with your data.
3. Insecure Data Storage
Related to data leakage is insecure data storage—83% of the apps stored data outside their app’s control, such as a device’s local file system or external storage.
“A systemic issue across all of the apps was the common practice among the [financial institutions (FIs)] of depending on the mobile device’s local or external storage for housing application data, including sensitive data inputted by the user,” reports Knight. “In the event of an acquisition of the mobile device by an adversary, this data is easily accessed, manipulated, and used to further penetrate the back-end servers of the FI through its APIs.”
4. Weak Encryption
Adversaries can easily manipulate or steal data as needed if data isn’t encrypted properly.
This could be through:
- Poor key management.
- Storing keys in easily accessible locations.
- Hard-coding private keys within the app.
- A weak cipher, which nullifies encryption.
Indeed, 80% of apps had weak encryption.
5. Insecure Random-Number Generation
Finally, insecure random-number generators rely on random values to generate session IDs or cryptographic keys, for example. This should restrict unauthorized access.
However, Knight found values to be easily guessed and hackable, putting the financial apps at risk or someone breaking in.
In addition to the five vulnerabilities listed here, Aite Group found six more in financial mobile apps. To read more about the report, click here.