Android banking and finance apps’ security found wanting

Many mobile finance apps are littered with bugs that could allow attackers to access users’ sensitive data, a report revealed this week.

The smallest providers of mobile financial apps had the best security practices, while the larger players produced the most vulnerable apps, according to a six-week analysis commissioned by application protection company Arxan.

The report, In Plain Sight: The Vulnerability Epidemic in Financial Mobile Apps, evaluated 30 mobile financial apps spanning eight types: retail banking, credit card, mobile payment, cryptocurrency, health savings accounts (HSA), retail brokerage, health insurance, and auto insurance. It found a range of vulnerabilities in the apps (whose names it redacted), including a lack of binary protections, which allow an attacker to decompile the app.

As the report explains, decompiling an application involves reversing it to reveal its original source code. This provides a treasure trove of sensitive information, potentially including application programming interface (API) keys, private certificates, and URLs hardcoded into the software. The report found that 27% of the apps either hard-coded API keys and private certificates in their source code or stored them insecurely in the device’s file system.

Decompilation can also allow adversaries to better understand the application logic and find flaws in it, or simply to tamper with the software and introduce malicious code before recompiling and distributing it. This translates to some real-world dangers, it said:

All of these threats stemming from the ability to decompile the app may lead to a range of exploits against FIs or their customers, including account takeovers, synthetic identity fraud, credit application fraud, identity theft, gift-card cracking, and credential stuffing attacks.

Other security flaws in these apps included insecure data storage, in which apps stored data in the device’s local file system, in external storage, or copied to the clipboard. The report found that 83% of apps were guilty of this, which could allow attackers to access sensitive data.

Furthermore, 80% of the apps used weak encryption, which could enable attackers to decrypt sensitive financial data, while 70% used insecure random number generation, which can make any secrets produced by the app guessable by a third party.

Some apps shared services with other apps on the mobile devices, creating potential data leakage issues. And 43% of the apps were vulnerable to client-side injection, where a web page displayed directly in the app could force it to execute malicious code.

What’s more, 10% of apps trusted any digital certificates shown to them, enabling someone to impersonate a bank using a man-in-the-middle attack.

Of the 180 critical vulnerabilities discovered across the 30 apps, retail banking apps had the greatest number. Retail brokerages and auto insurance companies ranked next. Cryptocurrency apps fared pretty well, though, implementing the most security controls, the report said.

Financial software isn’t the only category of software that regularly blots its security copybook. The report concluded:

While the findings in this report are specific to these companies, many of them are systemic across all of the mobile apps tested, and other types of companies should use them as a guide for securing their mobile apps