Over half of bank mobile apps could leave companies and their clients exposed to fraud, according to a new report.
Having looked at 14 smartphone banking apps that were available both on iOS and Android, Positive Technologies found that many of them had some big vulnerabilities.
The researchers said that none of the apps, which had each been downloaded more than 500,000 times, had an acceptable level of security. Positive Technologies said that the apps left both client and server sides at risk.
Client sides were deemed especially vulnerable to unauthorised access to user data, as 43% of applications store important data on the phone in cleartext. Moreover, 76% of mobile banking vulnerabilities could be exploited without physical access to the device, and more than a third could be exploited without administrator rights.
iPhone apps also fared better than Android apps: no vulnerability found in an iOS banking app was rated worse than medium severity, whereas 29% of Android apps contained high-risk vulnerabilities.
The server sides of mobile banking applications contain 54% of all vulnerabilities found and, on average, each mobile bank has 23 server-side vulnerabilities.
“Banks are not protected from reverse engineering of their mobile apps,” said Olga Zinenko, analyst at Positive Technologies. “Moreover, they give short shrift to source code protection, store sensitive data on mobile devices in cleartext, and make errors allowing hackers to bypass authentication and authorization mechanisms and brute-force user credentials. Through these vulnerabilities, hackers can obtain usernames, account balances, transfer confirmations, card limits, and the phone number associated with a victim’s card.
“We urge that banks do a better job of emphasizing application security throughout both design and development. Source code is rife with issues, making it vital to revisit development approaches by implementing SSDL practices and ensuring security at all stages of the application lifecycle.”
Copyright © 2018 RegTech Analyst