Financial mobile apps come with large numbers of vulnerabilities stemming from a dangerous lack of security controls and insecure coding practices, according to a report prepared by advisory firm Aite Group for Arxan.
While the report’s findings are quite illuminating, the researchers provide neither the names of the apps they tested nor the names of the financial institutions (FIs) whose mobile apps were found to be insecure.
The only information regarding the apps is that they are “produced by companies headquartered in the U.S. and Europe” and that they were accessed “via the Google Play store and downloaded using an LG G Pad X2 8.0 Plus Android tablet running Android version 7.0, patch level April 1, 2017, Kernel Version 3.18.31.”
Also, as Senior Analyst at Aite Group Alissa Knight told BleepingComputer, Aite Group “chose not to contact the FIs regarding the vulnerabilities either due to the perception it may have had to inform many who may be clients that we reverse engineered their apps, found vulnerabilities, and did not work with them in the research.”
Almost all analyzed apps lacked binary code protection
As detailed in the report, many of the midsize and large financial institutions that provide their users with mobile applications to ease the use of their services are apparently failing to include encryption and the code-hardening practices designed to protect mobile apps from tampering.
The vulnerabilities found to impact many of the 30 financial institutions’ Android apps tested during the research could lead to “exposure of source code, sensitive data stored in apps, access to back-end servers via APIs, and more.”
“During this research project, it took me 8.5 minutes on average to crack into an application and begin to freely read the underlying code, identify APIs, read file names, access sensitive data and more,” said Knight.
To be more exact, 97% of the total number of apps were easily reverse engineered or decompiled because they lacked binary code protection, while 90% allowed their data to be shared with other applications installed on the same device via shared services.
In addition, in 83% of the tested apps sensitive financial data was stored in external storage and in the OS clipboard, exposing it to unauthorized access via APIs, and 70% used “an insecure random-number generator, a security measure that relies on random values to restrict access to a sensitive resource, making the values easily guessed and hackable.”
80% of apps allow adversaries to decrypt data
To make things even worse, 80% of the Android apps examined as part of the experiment were found to be using either weak encryption algorithms or incorrect implementations of strong ciphers, making it easy for malicious actors to decrypt and steal sensitive information.
“Virtually none of the apps tested in this research had app security measures in place that could even detect an app was being reverse-engineered, let alone actively defend against any malicious activity originating from code level tampering,” states Aaron Lint, Chief Scientist and VP of Research, Arxan.
The report concluded that FIs’ developers hard-code API secrets and private keys in mobile apps that lack binary protections, and also fail to use sandboxing to ensure that sensitive data is stored only in secured, encrypted memory.
Also, mobile apps provided by financial institutions across the “financial services sectors: retail banking, credit card, mobile payment, cryptocurrency, HSA, retail brokerage, health insurance, and auto insurance” require code obfuscation and stronger or correctly implemented encryption.
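The weakness classes the report lists (weak or ECB-mode ciphers, an insecure random-number generator, data written to external storage and the clipboard, and hard-coded keys and API secrets) are exactly what a reviewer greps for in decompiler output once an unprotected APK has been pulled apart. The scanner below is an added example, not Aite Group’s or Arxan’s tooling and not code from any app in the study: the rule set is this example’s own assumption about what such a review should flag, the API names it matches are real Android/Java identifiers, and the two sample source files are constructed to look like jadx output rather than taken from any real banking app.

```python
"""Scan decompiled Android source for the weakness classes the
Aite/Arxan report cites.  Added example; the rules are assumptions
about what a reviewer should flag, not the report's own method."""
import re
from collections import Counter

# One regex per weakness class.  API names are real Android/Java
# identifiers; the choice of rules is this example's assumption.
RULES = [
    # DES, 3DES, RC4, RC2, Blowfish: "weak encryption algorithms".
    ("weak-cipher",
     re.compile(r'Cipher\.getInstance\(\s*"(?:DES|DESede|3DES|RC4|RC2|Blowfish)\b')),
    # Explicit ECB, or bare "AES", which the Java provider resolves to
    # AES/ECB/PKCS5Padding: "incorrect implementations of strong ciphers".
    ("ecb-mode",
     re.compile(r'Cipher\.getInstance\(\s*"(?:[A-Za-z0-9]+/ECB/[^"]*|AES)"')),
    # AES key built from a string literal: "hard code ... private keys".
    ("hardcoded-key",
     re.compile(r'new\s+SecretKeySpec\(\s*"[^"]+"\.getBytes')),
    # Credential-looking string constants: "hard code API secrets".
    ("hardcoded-secret",
     re.compile(r'(?i)\b(?:api[_-]?key|secret|token|password)\w*\s*=\s*"[^"]{8,}"')),
    # java.util.Random / Math.random for security values (SecureRandom is
    # deliberately not matched): "insecure random-number generator".
    ("insecure-random",
     re.compile(r'\bnew\s+(?:java\.util\.)?Random\s*\(|\bMath\.random\s*\(')),
    # World-readable external storage: "sensitive data stored in external storage".
    ("external-storage",
     re.compile(r'getExternalStorage(?:Public)?Directory\s*\(|getExternalFilesDir\s*\(')),
    # Clipboard writes: "sensitive data ... in the OS clipboard".
    ("clipboard",
     re.compile(r'ClipData\.newPlainText\s*\(|\.setPrimaryClip\s*\(')),
]


def scan_source(path, text):
    """Return [(path, line_no, label, stripped_line)] for every rule hit,
    at most one hit per rule per line.  Comment lines are skipped."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//") or stripped.startswith("*"):
            continue
        for label, pattern in RULES:
            if pattern.search(line):
                hits.append((path, line_no, label, stripped))
    return hits


def scan_tree(files):
    """files: {relative_path: source_text}, e.g. read from a jadx output
    directory.  Returns (hits, Counter mapping label -> count)."""
    hits = []
    for path in sorted(files):
        hits.extend(scan_source(path, files[path]))
    return hits, Counter(label for _, _, label, _ in hits)


# Constructed sample in the shape jadx produces.  Not from any real app.
SAMPLE_TREE = {
    "com/example/bank/Crypto.java": (
        'package com.example.bank;\n'
        'public class Crypto {\n'
        '    private static final String API_KEY = "sk_live_0123456789abcdef";\n'
        '    static byte[] encrypt(byte[] data) throws Exception {\n'
        '        SecretKeySpec key = new SecretKeySpec("s3cr3tp@ssw0rd!!".getBytes(), "AES");\n'
        '        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");\n'
        '        c.init(Cipher.ENCRYPT_MODE, key);\n'
        '        return c.doFinal(data);\n'
        '    }\n'
        '    static String otp() {\n'
        '        return Integer.toString(new java.util.Random().nextInt(999999));\n'
        '    }\n'
        '}\n'
    ),
    "com/example/bank/Export.java": (
        'package com.example.bank;\n'
        'public class Export {\n'
        '    void save(Context ctx, String statement) throws IOException {\n'
        '        File dir = Environment.getExternalStorageDirectory();\n'
        '        // File dir = ctx.getFilesDir();  // the app-private alternative\n'
        '        Files.write(new File(dir, "statement.txt").toPath(), statement.getBytes());\n'
        '        ClipboardManager cm = (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);\n'
        '        cm.setPrimaryClip(ClipData.newPlainText("acct", statement));\n'
        '    }\n'
        '}\n'
    ),
}


if __name__ == "__main__":
    found, summary = scan_tree(SAMPLE_TREE)
    for path, line_no, label, line in found:
        print(f"{path}:{line_no}: [{label}] {line}")
    print(dict(summary))
```

Against the constructed tree the scan reports six findings, one per category. In practice the regexes are a triage aid, not proof: a `Cipher.getInstance("AES/GCM/NoPadding")` line passes cleanly, while a hit on bare `"AES"` still needs a human to confirm the provider’s ECB default actually applies, and a `new SecureRandom(...)` seeded with a constant would slip past the insecure-random rule entirely.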