Popular mobile payment apps leave consumers and businesses exposed
It's likely that this year's holiday season will mark the first time that online purchases made on mobile devices will overtake those on desktop systems.
This makes mobile payment systems a prime source of risk. A new study by mobile app security company Bluebox Security highlights poor security across consumer mobile payment apps, including some of the most popular solutions for both Android and iOS.
Bluebox examined 10 mobile payment apps expecting that apps directly handling financial transactions would have robust security. Instead, it found security in every app reviewed to be remarkably basic. Bluebox also polled developers and consumers: 98 percent of developers said most mobile apps are moderately to highly vulnerable, yet consumers continue to place their trust and their cash in these apps, with 69 percent of those polled saying they are confident the apps they use are safe from attack.
Bluebox took a close look at the top two peer-to-peer payment apps used to send money to family and friends, along with the top three one-click merchant apps from leading retailers. The analysis showed that these five apps lack the enterprise-grade protections needed to safeguard financial transactions and that they harbor vulnerabilities requiring immediate attention.
Every app examined was vulnerable to tampering that could reroute funds from a consumer's account to an attacker's account without the consumer's knowledge. On average, 75 percent of each app's code came from third-party libraries, which enterprises use to speed up mobile app development. When such libraries are not properly vetted and secured, they can harbor the next widespread vulnerability like Heartbleed or Stagefright (both of which were flaws in widely shared library code), exposing payment apps to breaches.
None of the five apps encrypted data written to disk, so authentication information, transaction history and other personal data are readable by an attacker who gains access to the device's storage or to the app's data.
All of the apps were also exposed on three further fronts: a compromised (for example rooted or jailbroken) device; replacement of the legitimate app with a modified version without the user's knowledge (a repackaging attack); and interception of the app's traffic to its cloud services by an attacker positioned on the Wi-Fi or cellular network (a man-in-the-middle attack).
"Our starting hypothesis was that mobile apps handling financial information would have more rigorous security compared to other mobile apps, but our research uncovered the opposite. As enterprises rush to get apps to market, we are discovering the same security errors from industry to industry," says Andrew Blaich, lead security analyst at Bluebox Security. "Enterprises need to ensure their apps can defend themselves and make security a seamless step in the development process."
More information on the study's results can be found on the Bluebox blog.
Photo Credit: Slavoljub Pantelic/Shutterstock