How Financial Apps Could Render You Vulnerable to Attacks
There is a major shift in how customers interact with their respective banks. Transactions that used to happen inside a browser are now done through mobile apps. What is good when it comes to banking online using a web browser is the assurance that the user is interacting with an official encrypted banking website. This “safety net” of seeing the address bar URL starting in “https://” is slowly fading, as users are migrating their online banking to smartphone apps.
Banking apps are very new technology compared to the tried and tested online banking through a browser. This has been proven by Arxan Technologies, as the firm released its report titled: “The Vulnerability Epidemic in Financial Services Mobile Apps”. Represented by Alissa Knight, a security researcher of its partner firm, Aite Group has probed the top 30 financial apps hosted in the Google Play Store.
Knight’s team discovered that many of the apps were developed in such a way that can be reverse-engineered by any hacker today. Upon their further checking, a simple reverse-engineering of the code reveals the user’s banking information, stuff that should be encrypted in the first place.
The use of unprotected data storage algorithm, irresponsible handling of user credentials stored inside the app itself and general weak or absence of encryption. With an easy and lenient policy of Google Play Store publishing, these weak apps are downloaded by users thousands of times.
“During this research project, it took me 8.5 minutes on average to crack into an application and begin to freely read the underlying code, identify APIs, read file names, access sensitive data and more. With [financial institutions] holding such sensitive financial and personal data and operating in such stringent regulatory environments, it is shocking to see just how many of their applications lack basic secure coding practices and app security protections,” explained Alissa Knight.
Majority of the apps examined were also sharing data with other apps inside the device, hence these 3rd party apps gets access to banking data, a huge risks users does not know until now. Devastating revelation is any app installed with enough permission can read the data used by the checked financial apps.
“The large number of vulnerabilities exposed from decompiling these applications poses a direct threat to financial institutions and their customers. These resulting threats ranged from account takeovers, credit application fraud, synthetic identity fraud, identity theft and more. 70% of the apps use an insecure random-number generator, a security measure that relies on random values to restrict access to a sensitive resource, making the values easily guessed and hackable,” added Knight.
Apps should be developed with reasonable QA standards, unfortunately, the development teams releasing these apps comprising only a few people. There are not enough personnel for them to do internal security auditing. It is better to delay the release of new version of the app in order to release security updates instead. All developers need to have a change of mindset of prioritizing security updates vs feature updates. Feature updates have tendency to add more security bugs into the apps if not done correctly.