Positive Technologies, a cybersecurity company, recently published a study of 14 well-known mobile banking apps available for both Android and iOS. None of the applications reached an acceptable level of security.
Every application tested contained vulnerabilities. Flaws found in all of them included weak or missing code obfuscation, no protection against repackaging or code injection, and binaries that retained their original class and method names, which makes reverse engineering considerably easier.
The vulnerabilities in the iOS versions were rated no higher than medium risk, whereas the Android versions of many of the same apps contained high-risk flaws.
Perhaps most concerning, in many cases an attacker does not need access to the bank's server side at all. Most of the client-side issues can be exploited without physical access to the victim's device: it is enough to persuade the target to open a malicious link or to trap them with other phishing tactics.
The study also found that 13 of the 14 apps could expose user data without authorization and were susceptible to man-in-the-middle attacks, and that 11 allowed unauthorized access to the app itself.
On the server side, the main problems were weak authentication and identification and susceptibility to brute-force attacks. These flaws could give an attacker an opening to steal sensitive information, or money, from a victim's account.
On a positive note for the client side, around 87% of the flaws could be exploited only with user interaction. The report therefore advises users of mobile banking apps not to jailbreak or root their devices, to install apps only from verified developers, to keep both device and apps updated, and never to open suspicious links.
Olga Zinenko, an analyst at Positive Technologies, urged banks to prioritise app security throughout both design and development. She added that it is essential to follow secure software development lifecycle (SSDL) practices and to ensure security at every stage of the application lifecycle.