Despite some improvements to the security of mobile banking apps over the last two years, research has shown that a significant percentage still leave customer information exposed.
Mobile banking apps still fail to sufficiently protect customer information, with a significant number still containing non-SSL links that send data unencrypted, a researcher from security firm IOActive has found.
Security researcher Ariel Sanchez discovered in 2013 that 90 per cent of apps contained non-SSL links throughout, which attackers could use to intercept traffic as well as to insert scams like fake login prompts that allowed them to steal credentials.
Running the same tests two years after the initial research was conducted showed an improvement, with only 35 per cent of apps demonstrating the same vulnerability in 2015.
A further 30 per cent did not validate incoming data in 2015, and 12.5 per cent of the mobile banking apps were found to be vulnerable to man-in-the-middle (MitM) attacks, exposing users to fraud and account hijacking.
Sanchez said that “while overall security has increased over the two-year period, it is not enough, and many apps remain vulnerable”.
In 2015, the 30 per cent that still failed to validate incoming data remained open to client-side injection attacks; where an app exposed native iOS functionality to the injected content, a remote attacker could send SMS messages or emails from the victim's device.
Sanchez’s 2013 research also found that 70 per cent of mobile banking apps did not require any form of alternative or multifactor authentication solutions.
His latest findings show that this has improved only in part: 42.5 per cent of apps still offered no additional authentication measures.
Although the majority of apps were guilty of this in 2013, 40 per cent of apps still leaked information about user activity and client-server interactions through system or custom logs such as crash reports, which attackers can use to profile users and craft exploits targeting them.
Another flaw discovered by Sanchez in 2013 was that one in five apps sent account activation codes over unencrypted HTTP, giving attackers a foothold to intercept traffic, hijack sessions and steal account information.
While this no longer appears to be the case, 15 per cent of apps still stored sensitive information, such as details of customers' bank accounts and transaction history, unencrypted in plain text within the device's file system.
Furthermore, 17.5 per cent still shipped development or hardcoded information in their binaries, 7.5 per cent still lacked compiler hardening such as PIE (position-independent executable), and only 15 per cent had jailbreak detection in place to recognise jailbroken devices and warn users of the risk of running the app in that environment.
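Two of the findings above, embedded non-SSL links and a missing PIE flag, can be checked statically against the app's executable without running it. The script below is an added example written for this page, not IOActive's tooling or code from the research; it reads the `flags` field of a thin little-endian Mach-O header to test for `MH_PIE`, and scans the binary for `http://` URLs. The two sample "binaries" and the `example-bank.test` hostnames are constructed inline for demonstration.

```python
import re
import struct

MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O magic (little-endian on disk)
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O magic
MH_EXECUTE = 0x2           # filetype: executable
MH_PIE = 0x200000          # flags bit: image may be loaded at a random address (ASLR)
CPU_TYPE_ARM64 = 0x0100000C

# Any http:// URL made of RFC 3986 characters; https:// does not match because
# the "s" sits between "http" and "://".
HTTP_URL = re.compile(rb"http://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def mach_o_flags(binary: bytes) -> int:
    """Return the header 'flags' field of a thin little-endian Mach-O image.

    Fat (universal) binaries start with 0xCAFEBABE and must be sliced per
    architecture first; they are rejected here rather than misread.
    """
    if len(binary) < 28:
        raise ValueError("too short to hold a Mach-O header")
    magic = struct.unpack_from("<I", binary, 0)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError(f"not a thin little-endian Mach-O image (magic {magic:#x})")
    # Header layout shared by both widths:
    # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags [, reserved]
    return struct.unpack_from("<7I", binary, 0)[6]


def has_pie(binary: bytes) -> bool:
    """True when the executable was linked position-independent."""
    return bool(mach_o_flags(binary) & MH_PIE)


def plaintext_links(binary: bytes) -> list[str]:
    """Sorted, de-duplicated http:// URLs embedded in the binary's strings."""
    return sorted({m.decode("ascii") for m in HTTP_URL.findall(binary)})


def audit(binary: bytes) -> dict:
    """Summarise the two static checks for one executable."""
    return {"pie": has_pie(binary), "plaintext_links": plaintext_links(binary)}


def make_header(flags: int, bits: int = 64) -> bytes:
    """Build a minimal Mach-O header (constructed test data, not a real app)."""
    if bits == 64:
        return struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 0, 0, flags, 0)
    return struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM64, 0, MH_EXECUTE, 0, 0, flags)


BASE_FLAGS = 0x85  # MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL, typical of an iOS executable

# Constructed samples: a weak build without PIE that talks to two hosts over
# plain HTTP, and a hardened build with PIE that only references HTTPS.
WEAK_APP = make_header(BASE_FLAGS) + (
    b"\x00http://api.example-bank.test/activate?code=\x00"
    b"http://cdn.example-bank.test/terms.html\x00"
)
HARDENED_APP = make_header(BASE_FLAGS | MH_PIE) + (
    b"\x00https://api.example-bank.test/login\x00"
)

if __name__ == "__main__":
    for name, image in (("weak", WEAK_APP), ("hardened", HARDENED_APP)):
        print(name, audit(image))
```

On a real device build the same header read is what `otool -hv` reports as `PIE`, and the string scan is the first pass a tester would make before confirming at runtime, with a proxy, which of the embedded URLs the app actually requests over cleartext. The string scan finds only literal URLs; a host assembled at runtime from fragments will not appear, so an empty result is not proof that all traffic is encrypted.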
Sanchez concluded that while most apps had improved their efforts to protect users from MitM attacks and overall numbers of apps subject to certain flaws had decreased, the lack of authentication measures and overall security had not improved sufficiently since 2013.
“There has been a significant improvement in the state of security in banking apps, but they still need to keep working on new and better solutions to keep the data safe of each customer,” Sanchez told Motherboard.
“The key is understanding that security is a business issue rather than an IT issue.”
Sanchez’s full 2013 and 2015 findings can be accessed via the IOActive blog.