Whether it is paying bills, transferring money, reviewing account balances or even trading stocks, consumers increasingly rely on mobile banking apps on their devices, whether a mobile phone, a tablet or the smart watch on their wrist. Fintech, or financial technology, is growing and spreading rapidly in popularity.
A recent market research study found that consumer mobile banking usage increased by almost 50 percent within the past year. According to Statista, the transactional value of the fintech market in the United States in 2018 is more than $1 million.
Mobile banking is undeniably convenient, but are the apps that handle our money 100% secure?
The unfortunate reality is that almost all apps are susceptible to hacking attacks, and when damage occurs in the financial services industry, the results can severely affect not only the targeted institution but unlucky consumers as well.
To understand the current security state of fintech apps, researchers at SEWORKS downloaded and analyzed the top 20 free Android finance apps on Google Play in popular categories such as mobile banking, payments, investments, budgeting, trading, credit and expense tracking and other financial categories.
What we discovered, unfortunately, was not unexpected.
Analyzing top Android mobile banking apps
SEWORKS researchers employed both static and dynamic testing methods, so that app vulnerabilities could be analyzed in detail, including while the apps were running.
All of the finance apps had properly secured native libraries and data encryption, which is a positive sign that companies care about adding security measures and protecting the data and users.
However, our analysis uncovered five critical and medium vulnerabilities in the free Android finance apps on Google Play:
- 100%: File input/output (I/O). Level – critical. Data transfer to or from the application file system can serve as an entry point for attack, for example when financial statements or tax forms are downloaded or budgets are updated. Malicious code injected into the app can give attackers access to resources such as users’ account numbers, passwords or routing numbers. Attacks via file I/O can be executed locally and/or remotely, by using the app’s network behaviors to activate a backdoor over a connected network.
- 100%: Network behaviors. Level – medium. Hackers can potentially exploit vulnerabilities in the server-client communication, such as when users check account balances, transfer funds or perform other activities. For example, a man-in-the-middle (MITM) attack, in which the attacker secretly relays and possibly alters the communication, can occur if an app’s authentication protocols or certificate pinning are incorrect.
- 100%: Code tampering. Level – medium. Listed in the Open Web Application Security Project (OWASP) Mobile Security Project’s Top 10 Risks, it is considered one of the most common app vulnerabilities and one of the easiest to exploit. By changing or replacing code, an application can be abused for various types of attacks, such as inserting malware or phishing.
- 30%: Secure Sockets Layer (SSL). Level – critical. Vulnerabilities related to a broken link between server and client, or one that is not properly established and encrypted, could leave sensitive financial data exposed.
- 5%: DEX file exposure. Level – critical. A relatively small number of the apps had vulnerabilities related to the Dalvik Executable (.DEX) file containing the app’s Java bytecode. Code decompiled to expose the original source could lead to malicious attacks such as piracy and malware injection.
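As an added illustration of the certificate-pinning point raised in the network behaviors and SSL items above (example code written for this page, not SEWORKS' code or code from any app in the study), here is the weak default-trust OkHttp client beside a pinned one; the host name and pin values are placeholders, and a real app substitutes the SHA-256 SPKI hashes of its own server certificates.

```java
import java.io.IOException;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class PinnedBankClient {
    // HYPOTHETICAL host and pins (placeholders): a real app uses the SHA-256 SPKI
    // hashes of its own server certificates, supplied by the operations team.
    static final String API_HOST = "api.example-bank.invalid";
    static final String CURRENT_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    // Weak setting: default trust only. Any certificate the device trusts, including a
    // user-installed proxy CA, is accepted for the banking host, which enables MITM.
    static OkHttpClient unpinnedClient() {
        return new OkHttpClient();
    }

    // Corrected setting: the platform still validates the chain and host name, and
    // OkHttp additionally requires one of the pinned public keys to appear in the chain.
    static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, CURRENT_PIN)
                .add(API_HOST, BACKUP_PIN) // backup pin allows key rotation without bricking the app
                .build();
        return new OkHttpClient.Builder().certificatePinner(pinner).build();
    }

    // Fail closed: on a pin mismatch, surface a distinct error instead of retrying over an
    // unverified connection. OkHttp's exception message lists the peer's certificates,
    // which is what the incident response team needs for triage.
    static String fetchBalance(OkHttpClient client) throws IOException {
        Request request = new Request.Builder()
                .url("https://" + API_HOST + "/v1/accounts/balance")
                .build();
        try (Response response = client.newCall(request).execute()) {
            if (!response.isSuccessful()) {
                throw new IOException("Unexpected HTTP status " + response.code());
            }
            return response.body().string();
        } catch (SSLPeerUnverifiedException e) {
            // Pin mismatch: an unexpected certificate was presented for API_HOST.
            throw new IOException("Certificate pin mismatch for " + API_HOST, e);
        }
    }
}
```

A quick check during testing is to route the app through an interception proxy whose CA is installed on the device: `unpinnedClient()` will complete the request, while `pinnedClient()` must fail with the pin-mismatch error.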
The result of our analysis of mobile banking apps is similar to what we’ve uncovered in the m-commerce and fitness markets – all apps are subject to hacking attacks.
All of the finance apps we studied had at least one critical vulnerability, as well as medium- and low-level security risks. We recommend building in security from the app development phase onward and testing often to ensure the app’s security status stays up to date. It is also important to encourage the infosec team to maintain security protocols. Certainly, apps that handle our finances must have a comprehensive level of security.
About the author: Min-Pyo Hong has advised corporations, NGOs, and governments on digital security issues for over 20 years, and led a team of five-time finalists at Defcon. Hong is currently founder and CEO of Seworks, a San Francisco-based developer of advanced security solutions for the mobile era.