Popular mobile banking apps are riddled with security flaws, and Android users are more at risk

popular-mobile-banking-apps-are-riddled-with-security-flaws,-and-android-users-are-more-at-risk

A study of banking apps for iOS and Android found poor source code protection, cleartext storage of sensitive data, and other serious flaws that make it easy for attackers to break into accounts.

Getty Images/iStockphoto

A study of banking apps for iOS and Android has led researchers to conclude that “none of the tested mobile banking applications has an acceptable level of security.”

Performed by IT security vendor Positive Technologies, the study tested 14 banking apps available on both iOS and Android that had more than 500,000 downloads each. Despite the small sample size, there are reasons to pay attention to the results. 

Every single app contained vulnerabilities, and three were common to all of them: A lack of obfuscation, no protection against code injection and repackaging, and code that contained names of classes and methods.

In short, use your bank’s mobile app at your own risk.

Luckily for iOS users, none of the flaws discovered in the iOS versions of the apps surveyed was worse than a “medium” risk; by comparison 29% of Android banking apps contained high-risk flaws. 

The vulnerabilities uncovered in the study put individual users, and business clients, directly in harm’s way, and in many cases an attacker doesn’t even need to gain access to the server side of a banking app to do damage. 

Client-side apps are those that are installed on personal devices, and they account for 46% of the issues discovered. Of those issues, 76% can be exploited without an attacker having physical access to the target device, only requiring the attacker to successfully phish a target or otherwise get them to click on a malicious link or run a harmful script. 

Of the vulnerabilities on the client side, three stand out as being particularly widespread: 13 of 14 apps allow unauthorized access to user data, 13 of 14 are vulnerable to man-in-the-middle attacks, and 11 of 14 apps allow unauthorized access to the application itself. 

SEE: Security Awareness and Training policy (TechRepublic Premium)

Things aren’t much better on the server side, where more than half of the apps contain a high-risk vulnerability. 

The top problems on the server side of mobile banking come in the form of insufficient authentication, brute force vulnerability, and application identification failure, all of which can be used to impersonate a user to steal data and illegally transfer funds.

What can be learned from poor mobile banking security

If there’s one bright spot in the study it’s that (at least on the client side) only 37% of vulnerabilities can be taken advantage of without a device being jailbroken or rooted. 

There’s no reliable way to measure how many iOS or Android devices have been jailbroken or rooted, but estimates come in somewhere around less than 1% of iPhones, and around 7.6% of Android devices, at least as of a few years ago (newer statistics are hard to find). 

SEE: VPN: Picking a provider and troubleshooting tips (free PDF) (TechRepublic)

The report concludes that those who use mobile banking apps should avoid rooting and jailbreaking, never to install applications from unofficial sources, not to click links sent by strangers, and to always keep devices and applications up to date. 

“In 87% of cases, user interaction is required for a vulnerability to be exploited,” the report said. 

“We urge that banks do a better job of emphasizing application security throughout both design and development. Source code is rife with issues, making it vital to revisit development approaches by implementing SSDL [Secure software development lifecycle] practices and ensuring security at all stages of the application lifecycle,” said Positive Technologies analyst Olga Zinenko. 

That lesson extends to any business with an app that deals in sensitive data: Develop securely from the beginning, review old code to make sure it’s not vulnerable, and thoroughly test apps before releasing them to the public.

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays



Sign up today

Also see

Most of the world’s most popular passwords can be cracked in under a second

most-of-the-world’s-most-popular-passwords-can-be-cracked-in-under-a-second

Hackers who use brute force attacks can easily compromise accounts with weak passwords, according to Nordpass.

Image: MyImages_Micha, Getty Images/iStockphoto

Passwords have turned into a necessary evil, particularly for people who use dozens or hundreds of apps, websites, and other services. Follow the usual rules and create a strong, complex password for each account, and there’s no way for you to manage them all on your own. Break the rules and use the same weak passwords on all or most of your accounts, and you risk the threat of compromise from hackers.

SEE: Cybersecurity: Let’s get tactical (free PDF) (TechRepublic)

But just how vulnerable are you if you do use weak or popular passwords? New research from password manager Nordpass shows just how quickly a hacker can crack a popular password.

Around 70% of the world’s most popular passwords can be cracked in less than a second, according to Nordpass. The passwords to which the company is referring are 9 of the 10 most popular passwords used in 2019. The following table lists the passwords along with the time it takes to crack them and the number of times they’ve been compromised in data breaches.

Password How long does it take to hack? How many times has it been exposed?
12345 Less than a second  2,380,800
123456 Less than a second  23,547,453
123456789 Less than a second  7,799,814
test1 Less than a second  13,518
Password Less than a second  130,999
12345678 Less than a second 2,938,594
zinch Less than a second 14
g_czechout 12 days Never
asdf Less than a second 315,892
qwerty Less than a second 3,912,816

Hackers can use a range of tricks to try to obtain passwords used for online accounts. But the most common method is the brute-force attack, which relies on automated tools to do the dirty work. Under this scenario, cybercriminals gain access to certain account information through a data breach. Most websites, at least secure ones, don’t store your passwords in plain text; rather your passwords are saved using some type of encryption algorithm. In this case, the hackers learn the names, email addresses, street addresses, phone numbers, and other data for each breached account. The password is the one missing element.

To crack your password, hackers might first use a brute-force attack tool to run through all the popular and common passwords. Next, they may scour your other account information for clues to your password. Some cracking tools can modify these details by adding more data such as numbers or special symbols.

SEE: The end of passwords: Industry experts explore the possibilities and challenges (TechRepublic)

Hackers can also translate words into Leetspeak, which converts letters to numbers or special characters. As an example, the word “password” might become “p422W0Rd.” They can also use rainbow tables, which try to match plain-text passwords with their hashed values. Further, hackers will look for more of your breached online accounts to see whether you’ve reused the same password. In the end, the weaker your password, the more vulnerable you are to account compromise.

“Millions of people still use generic, popular, and widely-used passwords,” Chad Hammond, a security expert at NordPass, said in a press release. “While these might be easier to remember, people are doing hackers a huge favor by using them, as it will only take a second to crack such a weak password.”

To protect your online accounts and passwords, Hammond offered the following tips:

  1. Use a password generator. “Password generators are great tools that can generate complex passwords in seconds,” Hammond said. “Sadly, they are still massively underused. Recent research by Kaspersky suggests that a whopping 83% of respondents make up their passwords instead of using some sort of tool that will do it for them.”
  2. Go over all your accounts and delete the ones you no longer use. If a small, obscure website ends up breached, you might never even hear about it. Use a site like haveibeenpwned.com to see if your email has ever been compromised.
  3. Use two-factor authentication (2FA) if you can. Whether it’s an app, biometric data, or hardware security key, your accounts will be much safer if you add that extra layer of protection.
  4. Regularly check each of your accounts for suspicious activities. If you notice something unusual, change your password immediately.

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays



Sign up today

Also see