The state of financial mobile app security
At last count, nearly two-thirds of U.S. smartphone owners use financial apps, and the current number is likely much higher with the COVID-19 pandemic accelerating the push to digital banking and contactless payments. Some financial institutions already report drastic shifts in customer behavior. For example, PNC Bank reported that digital sales jumped from 25% to 75% in Q1 2020. But is mobile financial app security keeping up with this unprecedented pace of adoption?
To investigate, we commissioned an audit of 100 major apps (50 each on iOS and Android) across a range of categories, including banking, investment, and mobile payment. This in-depth report reveals how critically vulnerable the vast majority of financial apps are. It looks into the most prevalent threats to financial app security and the dangers that they pose.
Threats to financial app security
With corporate reputation, security of funds, regulatory compliance, and consumer trust all at risk, mobile app security should be at the forefront of every finance organization’s digital strategy. Yet the study exposed that 98% of tested apps had at least one vulnerability, and a large majority (71%) contained at least one high-level security flaw.
71% of apps contained at least one high-severity vulnerability
The findings show just how prevalent threats to financial mobile applications are and the considerable risk management weighting that needs to be given to financial mobile app security. Many apps included multiple violations of the OWASP mobile top 10. Among the most critical threats were:
- Insufficient Transport Layer Protection: This is an issue where data is not sufficiently protected during transmission. Weaknesses in the transport layer allow hackers to “listen” to communications and perform “man-in-the-middle” attacks to steal sensitive data and session IDs.
- Storing Information in Shared Preferences: This Android-specific vulnerability occurs when unencrypted sensitive data is stored in Shared Preferences APIs, which can be read and edited by hackers and malicious apps.
- Derived Crypto Keys: This risk is created by the inherent weakness of the default encryption method used by the biggest Java security provider API on Android. Weak cryptography allows hackers to decipher encrypted data, manipulate code, and falsify security certificates.
- Misconfigured App Transport Security (ATS): ATS is an iOS feature that enforces secure network connections by default. We discovered it was surprisingly common for ATS to be misconfigured or partly disabled, making data vulnerable to interception.
- Sensitive Information in SQLite3 Databases: Applications often store persistent or temporary data in SQLite3 databases, which are not encrypted by default. This means that without an extra financial mobile app security measure, like a drop-in white-box cryptographic library, any data located there when a device is compromised can be read or altered with ease.
What our investigation revealed
Apps were tested using an array of static and dynamic analysis techniques, and vulnerabilities were rated according to the Common Vulnerability Scoring System (CVSS). Over 90% of the finance apps we analyzed contained four or more vulnerabilities, revealing a stark situation for the banks and financial organizations behind them.
Some of the most serious risks to financial mobile app security, such as cryptographic weaknesses or poor protection around data storage, were also the most prevalent. Key findings of the report include:
- The vast majority of financial services apps (82%) have mishandled and/or weak encryption that puts them at risk for data theft and code manipulation.
- 62% of Android apps and 32% of iOS apps are vulnerable to encryption key extraction.
- Approximately 34% of tested Android apps and 16% of iOS apps failed to adequately protect the transport layer, resulting in insecure communications between the app and server—which could potentially expose data and session IDs.
- The majority of financial apps contain multiple security issues with data storage. For instance, 90% of tested Android apps stored information in Shared Preferences, leaving unencrypted data readily readable and editable by attackers and malicious apps.
- Nearly 70% of the high-level threats discovered could have been mitigated using in-app protection.
[Figure: Number of apps with a cryptographic issue]
Our report on financial mobile app security in the U.S.
The full Intertrust Security Report on U.S. Financial Mobile Apps 2020 contains a detailed analysis of the threats to financial app security. It also provides greater illumination on broader trends in the field, delves into the regulatory compliance implications of specific vulnerabilities, and offers guidelines to help mitigate app vulnerabilities and improve overall financial app security.
It’s vital for financial institutions to fully understand the risks posed by insecure mobile apps, and this investigation adds significantly to that body of knowledge. To read the full report on financial app security, you can download it here.