Vulnerabilities leave financial mobile apps open to attack
A new report reveals widespread security inadequacies and protection failures among consumer financial applications.
The research for Arxan Technologies, carried out by Aite Group, says these vulnerabilities can lead to the exposure of source code, sensitive data stored in apps, access to back-end servers via APIs, and more.
Among the key findings: 97 percent of all apps tested lacked binary code protection, making it possible to reverse engineer or decompile the apps and exposing their source code to analysis and tampering. 90 percent of the apps tested shared services with other applications on the device, leaving data from the financial institution's app accessible to any other application on the device. 83 percent of the apps tested stored data insecurely outside the app's control, for example in the device's local file system or external storage, or copied data to the clipboard, allowing other apps to access it, and so exposed a new attack surface via APIs.
In addition, 80 percent of the apps tested implemented weak encryption algorithms or implemented a strong cipher incorrectly, allowing adversaries to decrypt sensitive data and manipulate or steal it as needed. 70 percent of the apps use an insecure random number generator to produce the random values that restrict access to a sensitive resource, making those values easy to guess and open to attack.
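As an added illustration of the weak random number generator finding above (example code written for this page, not taken from the report or from Arxan), the weak pattern is shown beside its hardened form in Python rather than a mobile platform language: a one-time code drawn from a general-purpose PRNG seeded with the wall-clock second can be reproduced by anyone who knows roughly when it was issued, while a code drawn from the operating system's CSPRNG cannot. The function names, the six-digit code format and the issue timestamp are assumptions.

```python
import random
import secrets


def weak_one_time_code(issued_at: int) -> str:
    """Weak pattern (constructed): a 6-digit code from a general-purpose PRNG
    seeded with the issue time in seconds. Same second, same code."""
    rng = random.Random(issued_at)
    return f"{rng.randrange(10**6):06d}"


def strong_one_time_code() -> str:
    """Hardened form: the secrets module draws from the OS CSPRNG, so the
    code is not a function of anything an observer can estimate."""
    return f"{secrets.randbelow(10**6):06d}"


def seeds_reproducing(code: str, window_start: int, window_end: int) -> list[int]:
    """Defender's audit: list every issue second in [window_start, window_end)
    whose PRNG output equals the observed code. A short non-empty list means
    the code is a function of the clock, not of real randomness."""
    return [t for t in range(window_start, window_end)
            if weak_one_time_code(t) == code]


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed issue time (seconds since epoch)
    code = weak_one_time_code(issued)
    # Knowing only that the code was issued within ten minutes of `issued`
    # is enough to recover the seed that produced it.
    hits = seeds_reproducing(code, issued - 300, issued + 300)
    print(f"weak code {code} reproduced by {len(hits)} seed(s): {hits}")
    print(f"strong code {strong_one_time_code()} has no recoverable seed")
```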
"Many sectors share the same or similar vulnerabilities, though the attractiveness of the targets varies, so we see attacks heavily on the financial sector today," says Rusty Carter, vice president of product management at Arxan. "While not in the research from Aite Group, we also see attacks growing into other lucrative targets like travel/hospitality and retail/ecommerce and can see from publicly disclosed compromises that they share similar vulnerabilities to those shown by this research."
Among the industries examined in the research, retail banking, retail brokerage and auto insurance applications were found to be at risk from all of the critical vulnerabilities discovered. It took researchers an average of just eight and a half minutes to crack an application.
The fewest vulnerabilities were found in the Health Savings Account applications, suggesting a higher regard for securing patient information and interactions than in the finance sector. Perhaps surprisingly, the smaller company apps analyzed had the most secure development hygiene, while the larger companies produced the most vulnerable apps.
When it comes to protection, Carter says, "A comprehensive approach is the best one. Starting with installing sensors to detect attacks and report them back to the business, along with defenses against static analysis, is fundamental, along with good coding practices."
He also believes consumers can help protect themselves. "Personal responsibility and electronic hygiene are critical for many reasons. There are opportunities for attackers, once an app has been reversed/repackaged, to get it onto people's devices. Trusting third-party app stores and untrusted publishers will compound this problem. That said, attackers gaining access to your information as a result of app vulnerabilities might come from a network attack (MiTM), or a breach of the datacenter systems due to the reconnaissance and attack that began and progressed via the mobile app."
You can get the full report from the Arxan website.