Android banking and finance apps’ security found wanting
The smallest providers of mobile financial apps had the best security practices, while the larger players produced the most vulnerable apps, according to a six-week analysis commissioned by application protection company Arxan.
The report, In Plain Sight: The Vulnerability Epidemic in Financial Mobile Apps, evaluated 30 mobile financial apps spanning eight types: retail banking, credit card, mobile payment, cryptocurrency, health savings accounts (HSA), retail brokerage, health insurance, and auto insurance. It found a range of vulnerabilities in the apps (whose names it redacted), including a lack of binary protections, which allow an attacker to decompile the app.
As the report explains, decompiling an application involves reversing it to reveal its original source code. This provides a treasure trove of sensitive information, potentially including application programming interface (API) keys, private certificates, and URLs hardcoded into the software. The report found that 27% of the apps either hard-coded API keys and private certificates in their source code or stored them insecurely in the device’s file system.
Decompilation can also allow adversaries to better understand the application logic and find flaws in it, or simply to tamper with the software and introduce malicious code before recompiling and distributing it. This translates to some real-world dangers, it said:
All of these threats stemming from the ability to decompile the app may lead to a range of exploits against FIs or their customers, including account takeovers, synthetic identity fraud, credit application fraud, identity theft, gift-card cracking, and credential stuffing attacks.