- First released in 2020, our annual report focuses on the current state of financial app security.
- We analyzed more than 150 apps across four major financial sectors and five global markets.
- Every app we tested had at least one security flaw; 84% of Android and 70% of iOS apps contained at least one critical or high severity vulnerability.
- Nearly 75% of the high-level threats found could have been avoided with adequate application protection.
Mobile fintech security threats
Financial mobile applications help businesses across all sectors take advantage of growing markets. They create additional value through improved customer experience and reduce costs through process automation. Whether used for traditional banking or payment processing, apps are changing how businesses operate. This steep but steady trend in mobile fintech adoption skyrocketed with the COVID-19 pandemic.
Time spent on financial apps increased 45% in 2020 and some verticals, such as investment apps, even outpaced the uptick in game downloads during the pandemic. This popularity led to a 77% reduction in customer acquisition costs and contributed significantly to the retail investment boom of late 2020.
The value of financial apps for businesses and their customers is clear. Unfortunately, the value of these apps made them a favorite target of cybercriminals to the point that the FBI issued a PSA warning about cyberattacks on banking apps. Hackers used several different methods to attack financial apps in 2020. Here are just a few of the more notable security breaches:
- Ghimob banking trojan. This trojan identifies and monitors the installed finance apps on a device and performs fraudulent transactions in the background while the user looks at an overlay screen.
- EventBot malware. This malware abused Android accessibility features to steal data, read text messages, and bypass two-factor authentication (2FA). It targeted more than 200 popular financial applications, including those in the U.S., Germany, and the U.K.
- Cerberus malware. This malware posed as a cryptocurrency converter app to trick users and reached thousands of downloads before it was detected.
- The Dave.com security breach. The details of 7.5 million users of the “Dave” financial app were compromised after the app was hacked through a third-party analytics provider.
Given increasing attacks, are financial organizations shoring up their fintech security? We conducted an in-depth investigation to find out. Read on for a summary or download the full report now.
The state of financial app security 2021
First released in 2020, our annual report focuses on the current state of financial app security. We believe it is critical for businesses, the government, and customers to accurately gauge the security of the financial apps they produce and use. Considering how prevalent financial apps are in our day-to-day lives, we broadened our 2021 investigation to include more apps and greater geographic distribution.
We chose 160 apps representing businesses in four major financial sectors: banking, mobile payment, investment/trading, and lending. These apps serve global markets in the U.S., E.U., U.K., South-East Asia (SEA), and India, and all apps were downloaded from the Google Play Store or the iOS App Store. We submitted the selected apps for both static and dynamic analysis, which evaluated vulnerabilities in terms of the Common Vulnerability Scoring System (CVSS).
What our investigation revealed
The overall results of our investigation revealed that the vast majority of apps are at risk. Nearly 85% of Android and 70% of iOS apps contained at least one critical or high severity vulnerability.
The most widespread significant financial app security flaws found in Android apps were weak derived crypto keys (61%) and storing unencrypted information in Shared Preferences (73%). For iOS apps, the most prevalent and serious security flaws were misconfigured App Transport Security (65%) and storing sensitive information in NSUserDefaults (61%).
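Two of these flaw classes show up in files a team can inspect before release. The following Python script is an added example, not part of the report or of Intertrust's tooling: it checks an Info.plist for App Transport Security exceptions and an Android Shared Preferences XML file for readable, sensitive-looking entries. The key-name pattern and both sample files are constructed assumptions.

```python
import plistlib
import re
import xml.etree.ElementTree as ET

# Assumed heuristic for key names that suggest sensitive values; tune per app.
SENSITIVE = re.compile(r"password|passcode|token|secret|card_?number|cvv|iban", re.I)

def ats_findings(info_plist: bytes) -> list[str]:
    """List ATS settings in an Info.plist that weaken transport security."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("NSAllowsArbitraryLoads=true (ATS lifted app-wide)")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: cleartext HTTP allowed")
    return findings

def shared_prefs_findings(prefs_xml: bytes) -> list[str]:
    """List <string> entries stored under a readable, sensitive-looking name."""
    # Readable key names with non-empty values indicate plaintext storage.
    root = ET.fromstring(prefs_xml)
    return [e.get("name") for e in root.iter("string")
            if SENSITIVE.search(e.get("name", "")) and (e.text or "").strip()]

# Constructed sample inputs (not taken from any real app).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>api.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

SAMPLE_PREFS = b"""<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<map>
  <string name="auth_token">constructed-sample-value</string>
  <string name="theme">dark</string>
  <int name="launch_count" value="7" />
</map>"""

if __name__ == "__main__":
    for finding in ats_findings(SAMPLE_INFO_PLIST) + shared_prefs_findings(SAMPLE_PREFS):
        print("FINDING:", finding)
```

NSUserDefaults data is also stored as a property list, so the same `plistlib.loads` call can load it for a similar key-name review.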
In terms of sector, the worst offenders were banking apps, of which 81% contained at least one high severity or critical vulnerability and 35% contained more than ten vulnerabilities. Other sectors didn’t fare much better, with at least 75% of apps in other fields having critical or high severity vulnerabilities. Apps from SEA, India, and the E.U. presented the most vulnerabilities, with 38%, 38%, and 29% respectively containing more than ten financial app security flaws.
The risks of inadequate fintech security
The risks to the vendors of financial apps are manifold and continue to negatively impact a business long after the initial attack. Here are some of the most damaging outcomes of a successful fintech security breach.
Sensitive personally identifiable information (PII) and other valuable data, including names, passwords, and payment card details, can be easily accessed through compromised financial apps. Mobile banking trojans such as Anubis and Ghimob, and other mobile malware, use various techniques to exfiltrate data, including keyloggers, overlay screens, and exploiting accessibility services.
Intellectual property theft
Applications often include proprietary algorithms and patented technology, which can be discovered by reverse engineering the code. A breach that reveals IP could place valuable knowledge assets in the hands of competitors, or the IP could be used to make counterfeit financial apps that contain banking trojans or other malware.
Regulatory fines and damage payments
A wealth of global legislation on data security outlines the penalties for breaches of financial app security. For instance, under the E.U.’s GDPR a firm may be fined up to 4% of their global revenue. In addition to fines, breached companies may be required to pay significant compensation to affected users. A notable example is the $300 million (potentially rising to $425 million) compensation fund that Equifax was ordered to set up after they were found negligent in securing their customer data.
Loss in customer confidence
Customers lose trust in companies that suffer cybersecurity breaches. Research shows that 83% of U.S. consumers would stop doing business with an affected firm for at least a few months while over 40% of U.K. customers said they would never do business with them again.
Moreover, it costs more to gain new customers. These costs arise from the extra marketing spend needed to repair brand reputation and business model changes, such as increased product discounts or charging lower service rates.
Increased spending on IT security
Failing to build financial mobile app security into development processes creates a security debt that will need to be addressed later. In the case of an attack, extra security resources will have to be deployed to retroactively secure or decommission existing apps at a significantly greater cost than proactive DevSecOps.
What can be done to improve financial app security?
Given the serious business impacts of a security breach, what can fintech companies do to protect themselves?
A significant discovery in our report is that nearly 75% of the high-severity threats found could have been mitigated with in-app protection technologies. To ensure that their apps are as secure as possible, financial organizations should deploy a number of best practices and application shielding strategies, including:
- Cryptographic key protection
- Code obfuscation
- Anti-debugger protection
- Jailbreak/rooting detection
- Run-time application self-protection (RASP)
- Build diversification
With the wide range of attack vectors and limited built-in protections, financial applications will continue to be a prime target for hackers. The business consequences of successful attacks far outweigh the cost of prevention through application shielding and a robust DevSecOps strategy.
Intertrust is an industry leader in application protection and has helped numerous financial services firms improve their revenue security and comply with regulatory frameworks.
For a detailed analysis of current financial app security risks, download the full 2021 state of finance app security report.
About Prateek Panda
Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s application shielding and device identity solutions. His expertise in product marketing and product management stems from his experience as the founder of a cybersecurity company with products in the mobile application security space.