A research project into the security of financial services apps has identified serious issues with the majority of those tested, which could in many cases lead to the exposure of user data to hackers.
The project, undertaken by Alissa Knight of research firm Aite Group and published by Arxan Technologies, looked at 30 major financial services apps available on the Google Play store across eight distinct sectors: banking, credit cards, mobile payments, cryptocurrency, health savings accounts, brokerage, health insurance and vehicle insurance.
It found that the majority of the smartphone apps could be reverse engineered using tools freely available online, allowing hackers to access sensitive information, including account credentials.
Describing the issue as a “vulnerability epidemic”, Knight argues that the research is evidence of systematic weak security in app design within the sector, including weak data encryption, insufficiently secure data storage and improper protection of information when it is being transferred.
Common security problems found in financial services apps
Knight found that almost all of the apps tested – 97% – did not have adequate protection of their binary code, meaning that they could be reverse engineered or decompiled, opening the door to tampering. This could be used by criminals to gain access to users’ sensitive financial data.
“During this research project, it took me 8.5 minutes on average to crack into an application and begin to freely read the underlying code, identify APIs, read file names, access sensitive data and more,” explained Alissa Knight, senior analyst at Aite Group.
“With [financial institutions] holding such sensitive financial and personal data — and operating in such stringent regulatory environments — it is shocking to see just how many of their applications lack basic secure coding practices and app security protections.”
She also found that unintentional data leakage was a prolific problem, impacting 90% of the apps tested. This means that the apps shared services with other applications on the user’s device, allowing their financial data to be accessed by other potentially malicious apps.
There were also problems with data storage, with 83% storing data outside of the app’s control, where it could be more easily accessed maliciously, and with encryption, with 80% using weak encryption methods that could be decrypted by hackers. A further 70% used an insecure random number generator as part of their security mechanism, which can be easily hacked.
The findings are extremely serious for the industry because of the devastating impacts they can have on customers.
“The large number of vulnerabilities exposed from decompiling these applications poses a direct threat to financial institutions and their customers,” explained Knight.
“These resulting threats ranged from account takeovers, credit application fraud, synthetic identity fraud, identity theft and more.”
Urgent action needed by financial services industry
The research highlights the need for urgent and extensive action in order to prevent widespread harm to users.
“It’s clear from the findings that the industry needs to address the vulnerability epidemic throughout its mobile apps and employ a defense-in-depth approach to securing mobile applications — starting with app protection, threat detection and encryption capabilities implemented at the code level,” said Knight.
“Of all the findings, the most shocking was, without a doubt, the SQL queries exposing information on the backend databases hard-coded in the app along with private keys being stored unencrypted in different sub-directories.”
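The defect classes the report describes above (insecure random number generation, weak encryption, hard-coded SQL and private keys left in app sub-directories) are exactly the kind of thing a defender can grep for in decompiled app source before a release ships. The following is an added example, not code from the report or from Arxan, that scans a small constructed set of decompiled-source lines for those four patterns; the file paths, class names and rules are assumptions for illustration.

```python
import re

# Constructed sample of decompiled Android source lines (not from any real app).
SAMPLE_SOURCE = {
    "com/example/bank/Session.java": [
        "java.util.Random rnd = new java.util.Random();",   # insecure RNG
        "String token = Long.toString(rnd.nextLong());",
        "SecureRandom sr = new SecureRandom();",            # acceptable
    ],
    "com/example/bank/Crypto.java": [
        'Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");',  # weak mode
        'Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");',    # acceptable
    ],
    "com/example/bank/Dao.java": [
        'String q = "SELECT balance FROM accounts WHERE id = " + id;',  # hard-coded SQL
    ],
    "assets/keys/server.pem": [
        "-----BEGIN RSA PRIVATE KEY-----",  # key material shipped in the APK
    ],
}

# One heuristic regex per finding class named in the report. These are
# intentionally simple; treat hits as review candidates, not proof.
RULES = {
    "insecure-rng": re.compile(r"\bjava\.util\.Random\b|\bnew Random\("),
    "weak-cipher": re.compile(r'getInstance\("(?:DES|RC4|[A-Za-z0-9]+/ECB)[^"]*"\)'),
    "hardcoded-sql": re.compile(r'"\s*(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*"', re.I),
    "private-key-material": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


def scan_sources(sources):
    """Return (rule, path, line_number) for every line matching a rule."""
    findings = []
    for path, lines in sources.items():
        for lineno, line in enumerate(lines, start=1):
            for rule, pattern in RULES.items():
                if pattern.search(line):
                    findings.append((rule, path, lineno))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'weak-cipher': 1, ...}."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, path, lineno in scan_sources(SAMPLE_SOURCE):
        print(f"{rule:22} {path}:{lineno}")
```

Point the same scanner at the output of a decompiler over a release build to get a first-pass list of the storage, encryption and RNG issues described in the findings.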
This is particularly surprising given how attractive financial data is as a target for criminals.
“It’s no secret that the finance industry is a hot target because the payload is cold, hard cash,” said Aaron Lint, Chief Scientist and VP of Research at Arxan.
“Virtually none of the apps tested in this research had app security measures in place that could even detect an app was being reverse-engineered, let alone actively defend against any malicious activity originating from code level tampering.
“We expect financial institutions to be leaders in security, but unfortunately, the lack of app protection is systemic across these and most organisations using mobile apps to drive business — which in today’s environment is everyone.
“Organisations need to take their head out of the sand and realise how significant the attack surface really is due to the nature of how apps are rapidly developed, left unprotected and deployed capriciously.”