Researchers uncover 180 vulnerabilities in 30 financial services apps
4 April 2019
A widespread absence of application security controls and secure coding along with weak encryption standards have rendered a large number of financial services apps vulnerable to data leakage, revere engineering attacks, and decryption of sensitive data.
After analysing thirty financial services apps for Android that were available on the Google Play Store, security researchers at Arxan Technologies found as many as 180 serious vulnerabilities in such apps that could enable hackers to carry out identity theft, account fraud, and tamper with source codes of such apps.
These vulnerabilities ranged from lack of binary protections, private key exposure, client-side injection, trusting of all certificates, weak encryption, insecure random-number generation, insecure data storage, and unintended data leakage.
Majority of financial services apps feature basic vulnerabilities
Detailed research into the financial services apps further revealed that while 90% of the apps shared services with other applications on a device thereby leaving app data accessible to other apps, 83% of these apps insecurely stored data outside of the application’s control such as in the local file system or external storage, and 80% of these apps implemented weak encryption algorithms or lacked a strong cipher.
The researchers also found that while 97% of all financial services apps tested by them lacked binary code protection, making it possible for malicious actors to reverse engineer or decompile the apps exposing source code to analysis and tampering, 70% of the apps used an insecure random-number generator, a security measure that relies on random values to restrict access to a sensitive resource, making the values easily guessed and hackable
While 100% of retail banking apps displayed vulnerabilities such as lack of binary protections, insecure data storage, unintended data leakage, weak encryption, exposure of database parameters and SQL queries, and insecure random-number generation, all apps owned by credit card issuers featured weak encryption, insecure data storage, unintended data leakage, and insecure random-number generation.
These vulnerabilities were also observed in a large number of mobile payment apps, apps run by retail brokers, those by health insurers, those by auto insurers, HSA banks, and those that permitted cryptocurrency payments. The most common flaw in all financial services apps was the lack of adequate application security technology that enabled hackers to reverse engineer and gain access to keys and other sensitive data.
Vulnerable apps exposing customers to malicious actors
What’s more worrying is that many financial services lack the ability to detect reverse engineering that prevents them from mitigating attacks before they become widespread. Also, an alarming amount of sensitive data surrounding API servers and encryption keys were found stored within the apps, thereby placing backend systems and data at great risk.
“Android app permissions are umbrella-like. Sometimes an app needs access to a single resource, but its developer is forced to package that permission in a larger set of access rights, inadvertently enabling the app to access a lot more than what is strictly required. With this greater access to customer information comes greater responsibility. If the app can’t store and manage this information securely, then customers are left exposed to data theft and identity fraud,” said Frans Labuschagne, UK & Ireland country manager at Entersekt.
“As goal-driven human beings, most of us will accept all the permissions to access the functionality we want without too much regard for our privacy and the security of our data. However, in a world where privacy and security are becoming greater concerns for everyone, we must find a way to manage what apps can do more effectively, securely, and transparently. In pursuit of an engaging digital customer experience, it is vital that banks don’t allow security to simply fall by the wayside,” he added.