Banks failing customers when it comes to mobile app security

Mobile app flaws make half of all mobile banks vulnerable to theft of funds, and account for more than half of all detected vulnerabilities.

This is according to Positive Technologies' analysis of mobile banking applications. According to the data, none of the tested mobile banking applications had an acceptable level of security, with both client and server sides at risk.

Client sides are especially vulnerable to unauthorised access to user data, as 43% of applications store important data on the phone in cleartext, the data shows.

The vast majority (76%) of mobile banking vulnerabilities can be exploited without physical access to the device. In addition, more than a third of vulnerabilities can be exploited without administrator rights.

No flaws in iOS banking apps were worse than ‘medium’ in severity. By comparison, 29% of Android apps contain high-risk vulnerabilities, Positive Technologies finds.

The most dangerous vulnerabilities were found in Android applications and involve insecure deeplink handling. Developers on Android have more freedom of implementation, which explains the larger number of vulnerabilities in Android applications compared to iOS, Positive Technologies explains.

The server sides of mobile banking applications contain 54% of all vulnerabilities found and, on average, each mobile bank has 23 server-side vulnerabilities.

Almost half (43%) of banking applications contain server-side vulnerabilities in business logic, which attackers can exploit to obtain sensitive user information and commit fraud. Business logic errors may cause significant losses to banks and even lead to legal complications.

User credentials proved to be the most vulnerable data. In 87% of cases, user interaction is required for a vulnerability to be exploited.

Positive Technologies experts recommend that users avoid jailbreaking or rooting their devices, download applications only from official stores, avoid visiting suspicious websites or following unknown links from SMS and chat messages, and always install the latest updates for OS and mobile applications.

Positive Technologies analyst Olga Zinenko says, “Banks are not protected from reverse engineering of their mobile apps. Moreover, they give short shrift to source code protection, store sensitive data on mobile devices in cleartext, and make errors allowing hackers to bypass authentication and authorisation mechanisms and bruteforce user credentials.

“Through these vulnerabilities, hackers can obtain usernames, account balances, transfer confirmations, card limits, and the phone number associated with a victim's card.”

Zinenko says, “We urge that banks do a better job of emphasising application security throughout both design and development. Source code is rife with issues, making it vital to revisit development approaches by implementing SSDL practices and ensuring security at all stages of the application lifecycle.”
