Vast majority of finance mobile apps vulnerable to hackers

Michael Somerville

A new report has found that the vast majority of financial mobile apps on the Google Play store are vulnerable to hackers, with 83 per cent of the apps analysed found to store data in an insecure way.

The report, by advisory firm Aite Group on behalf of app security firm Arxan Technologies, analysed the mobile apps of 30 financial institutions, which weren’t directly identified, in the sectors of retail banking, credit card, health and car insurance, cryptocurrency, mobile payment, retail brokers and HSA (health savings account).

It found that 83 per cent of apps had weak storage outside the app, which meant secret API keys could be accessed by hackers and then sent to the hacker's servers. 90 per cent of the apps were unintentionally leaking data to other apps, and almost all (97 per cent) of the apps were found to lack binary code protection, which meant the apps' source code could be analysed and tampered with, allowing hackers to find other vulnerabilities in the code.

Aite Group senior analyst Alissa Knight authored the report and said: “With (financial institutions) holding such sensitive financial and personal data — and operating in such stringent regulatory environments — it is shocking to see just how many of their applications lack basic secure coding practices and app security protections.”

An insecure app risked:

  • Account takeovers
  • ID fraud
  • ID theft
  • Credit application fraud

She added: “It’s clear from the findings that the industry needs to address the vulnerability epidemic throughout its mobile apps and employ a defense-in-depth approach to securing mobile applications — starting with app protection, threat detection and encryption capabilities implemented at the code level.”

Jake Moore, security specialist at internet security firm Eset, said: “CTOs need to be aware of such vulnerabilities and should actively and constantly target and break their own apps to make them stronger. Ethically hacking your own code will help in the fight to protect customer data which will constantly be targeted amongst hackers around the world. Regulation will add substance and a voice of authenticity but sadly tends to just add confusion rather than provide a clear roadmap to enable 100 per cent protected systems.”

Sarah Whipp, CMO of ID firm Callsign, commented: “A more robust approach would be to apply intelligence feeds which can analyse data points such as device, location, and behavioural data. These feeds, when combined, can determine if the activity is veering from the norm. This combined with a strong policy engine and MFA provides a more comprehensive solution.”