Financial Apps Are Vulnerable

Despite the growing cybersecurity threat targeting mobile financial services applications, many financial institutions are failing when it comes to protecting their apps. 
 
Research conducted by advisory firm Aite Group uncovered widespread security deficiencies among mobile consumer finance apps leading to the exposure of source code, personally identifiable information, account credentials and access to backend systems. 
 
Aite Group examined the protective capabilities of 30 different financial services applications found on the Google Play store. Using commonly available software tools, the researchers were able to reverse engineer nearly all of the apps with little effort, revealing a systemic lack of application-appropriate protection and coding best practices.
 
Among the key vulnerabilities the research uncovered:
 
Lack of Binary Protections — 97% of the apps tested lacked binary code protection, making it possible to reverse engineer or decompile them and exposing their source code to analysis and tampering.
 
Unintended Data Leakage — 90% of the apps tested shared services with other applications on the device, leaving the financial institution's application data accessible to any other application on the device.
 
Insecure Data Storage — 83% of the apps tested stored data insecurely, outside the application's control: in the device's local file system, on external storage, or copied to the clipboard, where other apps can read it. This also exposed a new attack surface via APIs.
 
Weak Encryption — 80% of the apps tested used weak encryption algorithms or implemented a strong cipher incorrectly, allowing an adversary to decrypt sensitive data and then manipulate or steal it.
 
Insecure Random-Number Generation — 70% of the apps used an insecure random-number generator for security measures that rely on random values to restrict access to a sensitive resource, making those values easy to guess and the resource easy to compromise.
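The "shared services" and "insecure data storage" findings above map to settings a tester can read straight out of an app's manifest. As an added example (not from the Aite Group research or any of the 30 apps it tested), the following Python script audits a decoded AndroidManifest.xml, such as the one apktool writes, for components exported to every other app without a permission, a content provider that hands out URI grants, backup and debug flags that expose the app sandbox, and the shared external-storage permission. The manifest embedded below is constructed for the example and the package name com.example.bank is fictitious; the export rules follow Android's documented behaviour (an explicit android:exported wins, otherwise a component with an intent-filter is exported by default on pre-Android 12 targets).

```python
"""Static audit of a decoded AndroidManifest.xml for cross-app exposure."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (fictitious package); not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <provider android:name=".AccountProvider"
        android:authorities="com.example.bank.accounts"
        android:exported="true" android:grantUriPermissions="true"/>
    <receiver android:name=".PushReceiver" android:exported="true"
        android:permission="com.google.android.c2dm.permission.SEND"/>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """Is this component reachable from other apps on the device?

    An explicit android:exported decides; otherwise a component carrying an
    <intent-filter> is exported by default (pre-Android 12 rule; Android 12+
    refuses to install such a component without the attribute)."""
    exported = _attr(component, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return component.find("intent-filter") is not None


def _is_protected(tag, component):
    """A component is protected when callers must hold a permission to reach it."""
    names = ["permission"]
    if tag == "provider":
        names += ["readPermission", "writePermission"]
    return any(_attr(component, n) is not None for n in names)


def audit_manifest(xml_text):
    """Return a list of human-readable findings for the manifest text."""
    findings = []
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return findings

    # Application-level flags that expose the private sandbox.
    if _attr(app, "allowBackup") != "false":   # default is true when absent
        findings.append("application: allowBackup not disabled; private app data "
                        "can be pulled with 'adb backup'")
    if _attr(app, "debuggable") == "true":
        findings.append("application: debuggable build; a debugger or 'run-as' "
                        "can read the app's private files")

    # Writing to shared external storage puts data where every app can read it.
    for perm in root.findall("uses-permission"):
        if _attr(perm, "name") == "android.permission.WRITE_EXTERNAL_STORAGE":
            findings.append("uses-permission: WRITE_EXTERNAL_STORAGE; data written "
                            "to external storage is readable by other apps")

    # Components reachable from any other app without a permission check.
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            name = _attr(comp, "name")
            if not is_exported(comp):
                continue
            if not _is_protected(tag, comp):
                findings.append("%s %s: exported without a permission" % (tag, name))
            if tag == "provider" and _attr(comp, "grantUriPermissions") == "true":
                findings.append("provider %s: grantUriPermissions lets callers pass "
                                "URIs to its data on to other apps" % name)
    return findings


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST):
        print("-", line)
```

The launcher activity is reported too, since it is exported by definition; a reviewer triages that one and concentrates on the exported service and the unprotected provider, which any installed app can bind to or query. The protected receiver (it requires the push sender's permission) produces no finding.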
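To show concretely why the insecure random-number finding matters, here is an added example (not from the Aite Group research or from any app it tested) that models Android's general-purpose generator, java.util.Random, in Python. That generator is a 48-bit linear congruential generator whose nextInt() output is simply the top 32 bits of its state, so an attacker who observes two consecutive values (say, two password-reset codes or session tokens) brute-forces the 16 hidden bits and can then predict every later value. The constants are the ones the Java specification defines; the seed 42 and the idea of using the outputs as access tokens are illustrative assumptions.

```python
"""Model of java.util.Random (48-bit LCG) and state recovery from two outputs."""
MULT = 0x5DEECE66D          # multiplier from the java.util.Random specification
ADD = 0xB                   # additive constant
MASK = (1 << 48) - 1        # state is 48 bits wide


def _to_signed32(value):
    """Java ints are signed; nextInt() returns the top 32 state bits as a signed int."""
    return value - (1 << 32) if value >= (1 << 31) else value


class JavaRandom:
    """Same arithmetic as java.util.Random: seed scrambling, LCG step, nextInt()."""

    def __init__(self, seed):
        self.state = (seed ^ MULT) & MASK

    def _next(self, bits):
        self.state = (self.state * MULT + ADD) & MASK
        return self.state >> (48 - bits)

    def next_int(self):
        return _to_signed32(self._next(32))


def recover_states(out1, out2):
    """Return every 48-bit state consistent with two consecutive nextInt() outputs.

    out1 exposes the top 32 bits of the state that produced it, so only the low
    16 bits are unknown: try all 65536 and keep those that step to out2."""
    hi = (out1 & 0xFFFFFFFF) << 16
    target = out2 & 0xFFFFFFFF
    candidates = []
    for lo in range(1 << 16):
        s1 = hi | lo
        s2 = (s1 * MULT + ADD) & MASK
        if s2 >> 16 == target:
            candidates.append(s2)     # state after the second output
    return candidates


def predict_next_outputs(out1, out2, count):
    """Predict the next `count` nextInt() values after the two observed ones."""
    states = recover_states(out1, out2)
    if len(states) != 1:
        # A collision on the 32-bit check is possible but rare (~1 in 65536);
        # a third observed output would disambiguate.
        raise ValueError("ambiguous or no matching state; observe another output")
    clone = JavaRandom(0)
    clone.state = states[0]           # overwrite the seed with the recovered state
    return [clone.next_int() for _ in range(count)]


if __name__ == "__main__":
    # Victim app hands out "tokens" from java.util.Random seeded with 42.
    victim = JavaRandom(42)
    seen = [victim.next_int(), victim.next_int()]
    print("observed tokens:", seen)
    print("attacker predicts:", predict_next_outputs(*seen, count=3))
    print("victim actually issues:", [victim.next_int() for _ in range(3)])
```

The fix on Android is to draw security values from java.security.SecureRandom (and to never seed it with a time value or constant); the brute force above costs 65536 multiplications, which is nothing. The same reasoning applies to any generator whose output reveals most of its state, which is why the report's 70% figure is not a cosmetic finding.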
 
Arxan
 
