Third-Party Tested Several Android Banking Apps, Proving Just How Vulnerable They Are
A report prepared by the advisory firm, Aite Group for Arxan, confirms financial mobile apps are full of vulnerabilities. According to their findings these gaps stem from a lack of security controls and insecure coding within the apps themselves.
Although the results are rather enlightening, the advisory firm opted not to provide the names of the apps or financial institutions within their report. The only information disclosed was that each company was headquartered in either the U.S. or Europe, and the apps were accessible within the Google Play Store. This doesn’t exactly help narrow down the options, considering any major banking institution’s mobile app can be found in the Google Play Store.
Unfortunately, it appears the security issues found by the Aite Group will likely go unresolved for some time, as the advisory firm has opted not to contact the financial institutions regarding the vulnerabilities.
The findings, as detailed in the report, confirm the banking institutions tested are choosing not to include encryption capabilities and are failing to implement code hardening coding practices. Both of these controls are designed to protect mobile apps from being tampered with. By choosing not to deploy these controls, the security of the mobile apps significantly decreases.
One may think, in order to crack the code and begin freely accessing private data, it would take a significant amount of time and skill. However, that is not necessarily the case. The testing group was able to effectively “break into” the application in less than ten minutes. Upon cracking the code, they could identify APIs, read file names, and access sensitive data.
What may be considered even more alarming is, 97% of the tested apps were easily reverse engineered or decompiled, as they lacked binary code protection. Additionally, virtually none of the apps tested had security measures in place to detect if the app was being reverse-engineered or maliciously tampered with.
6,353 total views, 1 views today