Tuesday, January 14, 2014

Your Banking App May Be Putting Your Money At Risk

With several recent high-profile data breaches making big headlines, more and more consumers are questioning the security not only of the retailers they use but also of the websites they shop on and the apps they use on their mobile devices. We often fall victim to a false sense of security, believing that official apps are more secure than they really are. Security is undoubtedly very important in every app, of course, but if there is one group of mobile apps that we tend to believe should be more secure than any others we use, it would probably be mobile banking apps.

Earlier this month, security researcher Ariel Sanchez of IOActive published a rather shocking report indicating that 90% of mobile banking apps from top banks around the world may have serious security vulnerabilities that could potentially compromise sensitive user data. Sanchez took a close, hard look at mobile banking apps for the iPhone and iPad from 40 of the 60 top banks in the world and discovered serious security flaws in almost all of them. Here is a small sampling of his discoveries:
  • “A few apps (less than 20%) did not have Position Independent Executable (PIE) and Stack Smashing Protection enabled. This could help to mitigate the risk of memory corruption attacks.”
  • “40% of the audited apps did not validate the authenticity of SSL certificates presented. This makes them susceptible to Man in The Middle (MiTM) attacks.”
  • “50% of the apps are vulnerable to JavaScript injections via insecure UIWebView implementations. In some cases, the native iOS functionality was exposed, allowing actions such as sending SMS or emails from the victim’s device.”
  • “90% [of the apps] contained several non-SSL links throughout the application. This allows an attacker to intercept the traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or similar scam.”
This incredibly troubling study should open consumers’ eyes, as it lifts the veil on the false sense of security that we all have. The research brings to light a few very serious problems for the banking industry, and for consumers who use these apps, that will only become more severe over time as mobile banking app usage grows. Sanchez notes in his report that the various security vulnerabilities he identified could allow malicious hackers to intercept sensitive data, install malware or even seize control of a victim’s device, handing over full account access and control.

“Home banking apps that have been adapted for mobile devices, such as smart phones and tablets, have created a significant security challenge for worldwide financial firms,” Sanchez stated in his conclusion. “As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions.”
