With the success of the smartphone, it is now a fact of life that all businesses must adopt a mobile strategy to address their customers’ needs. Consumers are already using mobile devices to perform a variety of financial transactions such as mobile banking, transactions between mobile devices, digital wallet transactions, remote deposits, mobile commerce, and balance transfers and payments.
Technology market research firm Gartner estimates that worldwide mobile payment transactions were $235 billion in 2013 and forecasts that they will grow to $721 billion by 2017. One example of increased adoption of mobile by financial institutions in the United States is Visa’s V.me digital wallet platform, which Visa reports is supported by 90 banks and over 250 merchants in 2013.
Financial institutions are increasingly turning to branded consumer mobile apps as a way of gaining and retaining mobile-savvy customers. These mobile apps allow consumers to perform transactions such as depositing checks via check images taken with the mobile device, moving money between accounts and checking the status of their accounts. If these apps are not properly protected, they could provide a venue for malware to steal customers’ credentials (username, PIN, etc.), account information, check images and other data that could be used to compromise a customer’s account and steal their financial assets.
If a financial mobile app isn’t properly protected, it is also vulnerable to another pernicious attack, “trojanization”. Trojanization is where a cybercriminal takes a legitimate app and modifies it so that, instead of performing the tasks it was originally designed for, the app performs tasks for the cybercriminal, such as stealing information from the mobile device. Trojanization is a particular threat to Android devices because apps distributed through Google Play undergo a less strenuous vetting process and Android devices can also be set to install apps from sources other than Google Play.
Mobile malware attacks are of great concern to financial institutions given their fiduciary responsibilities to their customers, and both consumers and app developers need to be cautious.
Our own research, as well as research performed by security services firm IOActive, has identified multiple security holes in the vast majority of financial mobile apps currently available on the market. These weaknesses are invitations to hackers. In a typical mobile payment app we identified the following nine weaknesses:
- Lack of protection against reverse engineering of the code, which can be used to decrypt and steal account information
- Lack of jailbreak and/or root detection, making apps vulnerable to reverse engineering and malware
- Unprotected code providing access to credentials, which can be used to maliciously access the bank’s infrastructure
- Sensitive information exposed in log files
- Sensitive information exposed in crash reports, which can be exploited to plant malware or spyware on the victim’s mobile phone
- Unencrypted local database(s) used to store sensitive information that an attacker could steal
- Unprotected app resources and metadata, such as images, which can be used to create a phishing app
- Security holes allowing bank check images to be stolen as they are scanned
- Security holes allowing credit card and bank account information to be stolen as it is entered into the app, by reading user interface text fields
It is imperative for financial institutions to take the necessary steps to protect their apps by making them harder to hack, and we feel that solutions such as our Cryptanium™ Mobile Security Solutions are a good place to start.