[BreachExchange] How financial institutions are risking customer data through insecure mobile apps

Destry Winant destry at riskbasedsecurity.com
Thu Apr 4 03:11:54 EDT 2019


https://www.techrepublic.com/article/how-financial-institutions-are-risking-customer-data-through-insecure-mobile-apps/

Banks and other financial companies are putting consumer data at risk
by not properly securing their mobile apps, according to a Tuesday
report from Aite Group and Arxan Technologies.

The report discovered several key security flaws among 30 mobile apps
offered by financial institutions. Almost all of the apps researched
could easily be reverse engineered, providing access to sensitive
source code data, including account credentials, API keys, server file
locations, and incorrectly stored health savings account information.

In the report, 97% of the apps tested lacked the proper code
protection, opening themselves up to reverse engineering or
decompiling. Some 90% of the financial institution (FI) apps shared
services with other programs on the device, while 83% insecurely
stored data by housing it in the device's file system and external
data or by copying content to the clipboard. Such flaws expose the
data to use by other apps on the device.
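The "insecurely stored data" finding above maps to concrete Android API choices. The following Java class is an added illustration, not code from the report, the article, or any of the tested apps: it places the two weak storage patterns the article names (a file on shared external storage, and the system clipboard) beside the app-private alternative. The file name `session_token` and the class name are constructed for the example; the Android classes used (`Environment`, `ClipboardManager`, `Context.openFileOutput`) are standard SDK APIs.

```java
import android.content.ClipData;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Environment;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class TokenStorage {
    // Constructed file name used by both the weak and the hardened variants.
    private static final String TOKEN_FILE = "session_token";

    // Weak pattern: shared external storage is readable by any other app that
    // holds the storage permission, so the token is exposed to other apps on the
    // device (the exposure the report describes).
    public static void saveTokenExternal(String token) throws IOException {
        File f = new File(Environment.getExternalStorageDirectory(), TOKEN_FILE);
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
    }

    // Weak pattern: the clipboard is a device-wide shared buffer; a foreground
    // app can read whatever was copied into it.
    public static void copyTokenToClipboard(Context ctx, String token) {
        ClipboardManager cm =
                (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        cm.setPrimaryClip(ClipData.newPlainText("token", token));
    }

    // Hardened: app-private internal storage. MODE_PRIVATE makes the file
    // readable only by this app's own UID, so other apps cannot open it.
    public static void saveTokenInternal(Context ctx, String token) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(TOKEN_FILE, Context.MODE_PRIVATE)) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
    }
}
```

In a real app the internal-storage variant would be combined with encryption under a key held in the Android Keystore (for example via `androidx.security.crypto.EncryptedSharedPreferences`), so that a rooted device or a backup does not yield the plaintext; the point of the contrast here is only the storage location and the sharing boundary it implies.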

Some 80% of the FI apps used weak encryption algorithms or incorrectly
implemented strong ciphers, potentially exposing the data to
decryption and theft. Further, 70% of the apps used insecure random
number generators to limit access to sensitive information, a flaw
that makes the numerical values easy to guess. The vulnerabilities
uncovered open the door to such threats as account takeovers, identity
theft, credit application fraud, gift-card cracking, and credential
stuffing attacks, according to the report.

"During this research project, it took me 8.5 minutes on average to
crack into an application and begin to freely read the underlying
code, identify APIs, read file names, access sensitive data and more,"
Aite Group senior analyst Alissa Knight said in a press release. "With
FIs holding such sensitive financial and personal data — and operating
in such stringent regulatory environments — it is shocking to see just
how many of their applications lack basic secure coding practices and
app security protections."

Apps from the retail banking, retail brokerage, and auto insurance
sectors had the greatest number of security vulnerabilities, the
report found. Health Savings Account apps had the fewest number of
security flaws.

"It's no secret that the finance industry is a hot target because the
payload is cold, hard cash," Arxan chief scientist and VP of research
Aaron Lint said in the press release. "Virtually none of the apps
tested in this research had app security measures in place that could
even detect an app was being reverse-engineered, let alone actively
defend against any malicious activity originating from code level
tampering."

To better protect customer data, financial companies should adopt a
more comprehensive approach to security, according to the report.
Those approaches might include app shielding, encryption, and threat
detection and response. Developers of such apps should also be trained
in the use of secure programming and should implement security
measures during the software development cycle. Further, app security
must offer protection against specific threats such as reverse
engineering, malware debugging, device cloning, external screen
sharing, and man-in-the-middle attacks.

Conducted over six weeks, Aite's investigation looked at 30 Android
apps downloaded from Google Play and used on an LG G Pad 8.0 Plus
tablet with Android version 7.0. The researcher did not test iOS apps
for the study, citing a tight timeframe in which to conduct the
research, but said she believes the iOS versions of the apps would
have the same issues.

The apps tested spanned eight financial sectors, including retail
banking, credit card, mobile payment, cryptocurrency, health savings
accounts, retail brokerage, health insurance, and auto insurance. The
size of the companies covered ranged from small and middle-market
firms to large institutions with more than $10 billion in market
capitalization.


More information about the BreachExchange mailing list