Arxan Technologies’ latest research reveals widespread security inadequacies and protection failures among consumer financial apps, leading to the exposure of source code, sensitive data stored in apps, access to back-end servers via APIs, and more.
Senior cybersecurity analyst Alissa Knight, of global research and advisory firm Aite Group, authored In plain sight: The vulnerability epidemic in financial services mobile apps. She examined the mobile apps of 30 financial institutions (FIs) downloaded from the Google Play store across eight financial services sectors: retail banking, credit card, mobile payment, cryptocurrency, HSA, retail brokerage, health insurance, and auto insurance.
Using tools readily available on the internet, Knight found nearly all of the applications could easily be reverse engineered allowing access to sensitive information stored inside the source code, such as improperly stored PII, account credentials, server-side file locations, API keys, and live deployment and QA URLs used by the developers for testing the apps.
The research highlights a systemic lack of application appropriate protection such as application shielding, threat detection, encryption, and response technology across financial services apps.
Key findings from the research include:
- Lack of binary protections – 97% of all apps tested lacked binary code protection, making it possible to reverse engineer or decompile the apps exposing source code to analysis and tampering.
- Unintended data leakage – 90% of the apps tested shared services with other applications on the device, leaving data from the FI’s app accessible to any other application on the device.
- Insecure data storage – 83% of the apps tested insecurely stored data outside of the apps control, for example, in a device’s local file system, external storage, and copied data to the clipboard allowing shared access with other apps; and, exposed a new attack surface via APIs.
- Weak encryption – 80% of the apps tested implemented weak encryption algorithms or the incorrect implementation of a strong cipher, allowing adversaries to decrypt sensitive data and manipulate or steal it as needed.
- Insecure Random-Number Generation – 70% of the apps use an insecure random-number generator, a security measure that relies on random values to restrict access to a sensitive resource, making the values easily guessed and hackable.
“During this research project, it took me 8.5 minutes on average to crack into an application and begin to freely read the underlying code, identify APIs, read file names, access sensitive data and more,” said Alissa Knight, senior analyst at Aite Group.
“With FIs holding such sensitive financial and personal data – and operating in such stringent regulatory environments – it is shocking to see just how many of their applications lack basic secure coding practices and app security protections. The large number of vulnerabilities exposed from decompiling these applications poses a direct threat to financial institutions and their customers.
“These resulting threats ranged from account takeovers, credit application fraud, synthetic identity fraud, identity theft and more. It’s clear from the findings that the industry needs to address the vulnerability epidemic throughout its mobile apps and employ a defense-in-depth approach to securing mobile applications – starting with app protection, threat detection and encryption capabilities implemented at the code level.
“Of all the findings, the most shocking was without a doubt, the SQL queries exposing information on the backend databases hard coded in the app along with private keys being stored unencrypted in different sub-directories.”