Brief:
- Almost all financial services apps have significant security flaws that could be exploited by bad actors, research firm Aite Group found in a study for cybersecurity firm Arxan. Ninety-seven percent of apps tested in the six-week study had no protections against having their source code revealed, per the study shared with Mobile Marketer.
- Ninety percent of the apps tested shared services with other apps on the device, leaving the data from a financial institution (FI) app vulnerable to other apps. Eighty-three percent of FI apps stored data insecurely, either outside of a sandbox and in the device's local file system, in external storage or copied to the clipboard, allowing other apps to access it.
- Eighty percent of apps had weak encryption algorithms or an incorrect implementation of a strong cipher, possibly letting adversaries decrypt sensitive data back to its original form, where it is vulnerable to theft or manipulation. Aite Group studied apps from the Google Play Store that covered retail banking, credit cards, mobile payments, cryptocurrency, health savings accounts, retail brokerage, and health and auto insurance.
Insight:
Mobile marketers, especially in the financial services business, should be aware of the many possible flaws in their apps. The Arxan-commissioned study reveals the large amount of sensitive data that can potentially be exposed to bad actors. Other common security flaws included insecure random-number generation, client-side injection of malicious code, private key exposure, and overly permissive readable and writable file permissions.
One in three organizations experienced a data breach related to a mobile device, Verizon found in a separate survey of executives in charge of mobile procurement or management. Two-thirds (67%) of those organizations said they're less confident in their mobile security than in their other IT assets. Google last month said the percentage of potentially harmful applications (PHAs) in the Google Play store grew to 0.04% in 2018 from 0.02% a year earlier, but the Arxan study looked at apps from major FIs that may generally be considered more secure.
Worries about mobile app security aren't likely to hinder the rapid growth of the mobile payments market, which is forecast to expand by about 33% a year to $457.4 billion in 2026, per IT Intelligence Markets. Apps that offer a range of goods and services with the tap of a smartphone screen will give consumers increasingly convenient shopping and banking experiences. But any app that handles sensitive financial data of customers must provide greater security assurances to draw a more loyal and trusting user base.
As Arxan found, a key vulnerability among FI apps is their susceptibility to decompilation, letting hackers peer inside an app's code to find its security flaws. That could lead to account takeovers, synthetic identity fraud, credit application fraud or identity theft, among other risks. The study points to how FIs are failing to write secure code and to apply adequate app security technology, such as app shielding with code obfuscation, encryption and threat analytics, to their mobile apps.
Several mobile banking apps studied also embedded hard-coded private certificates and API keys, making them vulnerable to bad actors. Hackers could exploit this security flaw by copying the private certificates to their computers and running free password-cracking programs against them. Hackers that successfully crack the private keys can decrypt all communication between the back-end servers and mobile devices. The API keys let hackers target an FI's servers and gain access to data in back-end databases, per the study.
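A pre-release check for the hard-coded secrets the study describes, added here as an illustration and not code from the study, Arxan or any FI: it scans an app's extracted resources (string resources, build constants, bundled PEM files) for embedded private keys and API-key assignments before the build ships. The file names, the `scan_bundle` helper and the sample bundle contents are all constructed for this example.

```python
"""Audit check for hard-coded private keys and API keys in mobile app
resources (hypothetical helper written for this example)."""
import re
from typing import Dict, List

# Two classes of secret called out in the study: embedded private
# keys/certificates and API keys. The API-key pattern is a heuristic for a
# key-like name assigned a long token (handles `KEY = "..."`, `"key": "..."`
# and Android `<string name="api_key">...</string>` resources).
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
API_KEY_ASSIGNMENT = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token)\b["']?\s*[:=>]\s*["']?([A-Za-z0-9_\-]{20,})"""
)


def scan_text(path: str, text: str) -> List[dict]:
    """Return one finding per line that carries a private key or API key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_PRIVATE_KEY.search(line):
            findings.append({"file": path, "line": lineno, "kind": "private_key"})
        match = API_KEY_ASSIGNMENT.search(line)
        if match:
            findings.append({"file": path, "line": lineno,
                             "kind": "api_key", "name": match.group(1)})
    return findings


def scan_bundle(files: Dict[str, str]) -> List[dict]:
    """Scan a mapping of file path -> decoded text for hard-coded secrets."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample bundle; every value below is fake.
SAMPLE_BUNDLE = {
    "res/values/strings.xml": '<string name="api_key">AKfakekey0123456789abcdefGHIJ</string>',
    "assets/client.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEfake...\n-----END RSA PRIVATE KEY-----",
    "BuildConfig.java": 'public static final String API_KEY = "sk_fake_9f8e7d6c5b4a3928170605f4e3d2c1b0";',
    "assets/config.json": '{"endpoint": "https://example.invalid/v1", "timeout": 30}',
}

if __name__ == "__main__":
    for finding in scan_bundle(SAMPLE_BUNDLE):
        print(finding)
```

A non-empty result from `scan_bundle` is a release blocker in CI; the remediation is to move the secret out of the package (server-side, or a per-device credential issued after authentication), not to obfuscate it in place.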