Financial mobile apps come with large numbers of vulnerabilities stemming from a dangerous lack of security controls and insecure coding practices, according to a report prepared by advisory firm Aite Group for Arxan.
While the report's findings are quite illuminating, the researchers do not provide the names of the apps they tested or the names of the financial institutions (FIs) with insecure mobile apps.
The only information regarding the apps is that they are "produced by companies headquartered in the U.S. and Europe" and that they were accessed "via the Google Play store and downloaded using an LG G Pad X2 8.0 Plus Android tablet running Android version 7.0, patch level April 1, 2017, Kernel Version 3.18.31."
Also, as Aite Group Senior Analyst Alissa Knight told BleepingComputer, Aite Group "chose not to contact the FIs regarding the vulnerabilities either due to the perception it may have had to inform many who may be clients that we reverse engineered their apps, found vulnerabilities, and did not work with them in the research."
Almost all analyzed apps lacked binary code protection
As detailed in the report, many of the midsize and large financial institutions that provide their users with mobile applications to ease the use of their services apparently neglect to include encryption capabilities and to implement the code-hardening practices designed to protect mobile apps from tampering.
The vulnerabilities found to impact many of the 30 financial institutions' Android apps tested during the research could lead to "exposure of source code, sensitive data stored in apps, access to back-end servers via APIs, and more."
"During this research project, it took me 8.5 minutes on average to crack into an application and begin to freely read the underlying code, identify APIs, read file names, access sensitive data and more," said Knight.
To be more exact, 97% of the total number of apps were easily reverse engineered or decompiled because they lacked binary code protection, while 90% allowed their data to be shared with other applications installed on the same device via shared services.
In addition, in the case of 83% of the tested apps, sensitive financial data was stored in external storage and in the OS clipboard, exposing it to unauthorized access via APIs, while another 70% of them used "an insecure random-number generator, a security measure that relies on random values to restrict access to a sensitive resource, making the values easily guessed and hackable."
80% of apps allow adversaries to decrypt data
To make things even worse, 80% of the Android apps examined as part of the experiment were found to be using either weak encryption algorithms or incorrect implementations of strong ciphers, making it easy for malicious actors to decrypt and steal sensitive information.
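The weakness classes the report counts (predictable random-number generators, weak or default-ECB ciphers, hard-coded API secrets, data written to external storage or the clipboard) are the kind of thing a reviewer looks for in decompiled source. The following Python static check is an added example, not code from the report, Aite Group or Arxan; the sample Java lines are constructed, and the regexes are this example's own assumptions rather than the researchers' methodology.

```python
import re

# Constructed sample lines in the shape of decompiled Java from an Android
# app; they are made up for this example and come from no real app.
SAMPLE_SOURCE = """\
private static final String API_KEY = "sk_live_0123456789abcdef0123456789abcdef";
Random rnd = new Random();
int otp = rnd.nextInt(1000000);
Cipher c = Cipher.getInstance("AES");
Cipher d = Cipher.getInstance("DES/CBC/PKCS5Padding");
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
SecureRandom sr = new SecureRandom();
File f = new File(Environment.getExternalStorageDirectory(), "statement.csv");
clipboard.setPrimaryClip(ClipData.newPlainText("acct", accountNumber));
"""

# (tag, pattern, remediation note); the patterns are assumptions for this example.
CHECKS = [
    ("weak-rng", re.compile(r"\bnew\s+Random\s*\("),
     "java.util.Random is predictable; use SecureRandom for security values"),
    ("weak-cipher", re.compile(r'getInstance\(\s*"(DES|RC4|RC2|Blowfish)\b'),
     "legacy cipher; use AES/GCM/NoPadding"),
    ("ecb-default", re.compile(r'getInstance\(\s*"AES"\s*\)'),
     'bare "AES" defaults to ECB mode; name the mode, e.g. AES/GCM/NoPadding'),
    ("hardcoded-secret",
     re.compile(r'(?i)\b(api[_-]?key|secret|private[_-]?key)\w*\s*=\s*"[^"]{16,}"'),
     "secret embedded in the binary; fetch it from a server or the Keystore"),
    ("external-storage", re.compile(r"getExternalStorage"),
     "external storage is readable by other apps; keep data in internal storage"),
    ("clipboard", re.compile(r"setPrimaryClip\("),
     "clipboard contents are readable by other apps"),
]

def scan(source):
    """Return (line_number, tag, note) for every line that matches a check."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for tag, pattern, note in CHECKS:
            if pattern.search(line):
                findings.append((lineno, tag, note))
    return findings

def count_by_tag(findings):
    """Aggregate findings into {tag: count}, the form the report summarizes."""
    counts = {}
    for _, tag, _ in findings:
        counts[tag] = counts.get(tag, 0) + 1
    return counts
```

Running `scan(SAMPLE_SOURCE)` flags six of the nine constructed lines and leaves the `SecureRandom` and `AES/GCM/NoPadding` lines alone.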
"Virtually none of the apps tested in this research had app security measures in place that could even detect an app was being reverse-engineered, let alone actively defend against any malicious activity originating from code level tampering," states Aaron Lint, Chief Scientist and VP of Research, Arxan.
The report concluded that FI developers hard-code API secrets and private keys in mobile apps that lack binary protections, and also fail to use sandboxing to make sure that sensitive data is stored in a secured/encrypted memory space.
Also, mobile apps provided by financial institutions across the "financial services sectors: retail banking, credit card, mobile payment, cryptocurrency, HSA, retail brokerage, health insurance, and auto insurance" require code obfuscation and stronger or correctly implemented encryption.