Banks failing customers when it comes to mobile app security

Mobile app flaws leave half of all mobile banks vulnerable to theft of funds, and account for more than half of all detected vulnerabilities.

This is according to Positive Technologies' analysis of mobile banking applications. According to the data, none of the tested mobile banking applications had an acceptable level of security, with both client and server sides at risk.

The client side is especially vulnerable to unauthorised access to user data, as 43% of applications store important data on the phone in cleartext, the data shows.

The vast majority (76%) of mobile banking vulnerabilities can be exploited without physical access to the device. In addition, more than a third of vulnerabilities can be exploited without administrator rights.

No flaws in iOS banking apps were worse than ‘medium’ in severity. By comparison, 29% of Android apps contain high-risk vulnerabilities, Positive Technologies finds.

The most dangerous vulnerabilities were found in Android applications and involve insecure deeplink handling. Developers on Android have more freedom of implementation, which explains the larger number of vulnerabilities in Android applications compared to iOS, Positive Technologies explains.
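As an added illustration of the deep link problem named above (not code from Positive Technologies or from any of the assessed banks), the following Java sketch shows a defensive Android entry point for a custom-scheme deep link: the scheme, host, path and query parameters are checked against an allowlist before anything is routed, and an unauthenticated session is sent through login rather than straight to the target screen. The scheme `examplebank`, host `app`, the allowed paths and the `SessionManager` and `LoginActivity` classes are hypothetical names for this example.

```java
package com.example.bank; // hypothetical package name

import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import androidx.appcompat.app.AppCompatActivity;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Receives examplebank://app/<path>?account=<digits> links declared in the manifest. */
public class DeepLinkActivity extends AppCompatActivity {

    private static final String EXPECTED_SCHEME = "examplebank"; // hypothetical scheme
    private static final String EXPECTED_HOST = "app";           // hypothetical host
    private static final Set<String> ALLOWED_PATHS =
            new HashSet<>(Arrays.asList("/accounts", "/cards", "/settings"));
    private static final String PARAM_ACCOUNT = "account";
    static final String EXTRA_RESUME = "resume_link";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        Uri link = (intent == null) ? null : intent.getData();

        if (!isTrustedLink(link)) {
            // Reject silently: do not render or log attacker-controlled link contents.
            finish();
            return;
        }
        if (!SessionManager.isAuthenticated(this)) { // hypothetical session helper
            // A link must never bypass login; remember the target and resume after auth.
            Intent login = new Intent(this, LoginActivity.class) // hypothetical activity
                    .putExtra(EXTRA_RESUME, link.toString());
            startActivity(login);
            finish();
            return;
        }
        route(link);
    }

    /** Pure validation, kept static so it can be unit-tested without an Activity. */
    static boolean isTrustedLink(Uri uri) {
        if (uri == null) return false;
        if (!EXPECTED_SCHEME.equals(uri.getScheme())) return false;
        if (!EXPECTED_HOST.equals(uri.getHost())) return false;
        String path = uri.getPath();
        if (path == null || !ALLOWED_PATHS.contains(path)) return false;
        // Only the one expected parameter is permitted; unknown parameters (URLs, tokens,
        // redirect targets) are a common source of deep link abuse and are rejected outright.
        for (String name : uri.getQueryParameterNames()) {
            if (!PARAM_ACCOUNT.equals(name)) return false;
        }
        String account = uri.getQueryParameter(PARAM_ACCOUNT);
        return account == null || account.matches("[0-9]{1,20}");
    }

    /** Dispatches to a screen by exact path; the account id is re-checked server-side. */
    private void route(Uri link) {
        String path = link.getPath();
        String account = link.getQueryParameter(PARAM_ACCOUNT);
        Intent next;
        switch (path) {
            case "/accounts": next = new Intent(this, AccountsActivity.class); break; // hypothetical
            case "/cards":    next = new Intent(this, CardsActivity.class);    break; // hypothetical
            default:          next = new Intent(this, SettingsActivity.class);        // hypothetical
        }
        if (account != null) next.putExtra(PARAM_ACCOUNT, account);
        startActivity(next);
        finish();
    }
}
```

Two caveats belong with this pattern. First, the manifest intent-filter should declare exactly the scheme and host checked here, so the system never delivers other links to this Activity; second, the account parameter only selects a screen, and the server must still verify that the authenticated user owns that account, otherwise the client-side check becomes a business logic flaw of the kind described later in this article.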

The server sides of mobile banking applications contain 54% of all vulnerabilities found and, on average, each mobile bank has 23 server-side vulnerabilities.

Almost half (43%) of banking applications contain server-side vulnerabilities in business logic, which attackers can exploit to obtain sensitive user information and commit fraud. Business logic errors may cause significant losses to banks and even lead to legal complications.

User credentials proved to be the most vulnerable data. In 87% of cases, user interaction is required for a vulnerability to be exploited.

Positive Technologies experts recommend that users avoid jailbreaking or rooting their devices, download applications only from official stores, avoid visiting suspicious websites or following unknown links from SMS and chat messages, and always install the latest updates for OS and mobile applications.

Positive Technologies analyst Olga Zinenko says, “Banks are not protected from reverse engineering of their mobile apps. Moreover, they give short shrift to source code protection, store sensitive data on mobile devices in cleartext, and make errors allowing hackers to bypass authentication and authorisation mechanisms and bruteforce user credentials.

“Through these vulnerabilities, hackers can obtain usernames, account balances, transfer confirmations, card limits, and the phone number associated with a victim's card.”

Zinenko says, “We urge that banks do a better job of emphasising application security throughout both design and development. Source code is rife with issues, making it vital to revisit development approaches by implementing SSDL practices and ensuring security at all stages of the application lifecycle.”
