Financial Services Mobile Apps Are Riddled with Security Flaws
In study of "vulnerability epidemic," Aite Group analyst is able to crack codes in minutes
Friday, April 26, 2019
By Katherine Heires
Cybersecurity risks are hardly uncommon, but there is an abundance in the world of mobile apps - and especially those provided by retail banks, brokerages and auto insurers and readily downloadable from the Google Play store.
That's a finding from “In Plain Sight: The Vulnerability Epidemic in Financial Mobile Apps,” a report by research firm Aite Group for Arxan Technologies, a San Francisco-based app security company.
Activity is analyzed in eight financial services areas - retail banking, credit card, mobile payment, cryptocurrency, health savings accounts, retail brokerage, health insurance, and auto insurance - encompassing U.S.- and Europe-based firms. Those in the U.S. accounted for 85% of the mobile app vulnerabilities revealed in the study, European institutions the remaining 15%.
Of the eight industry categories, retail banking apps had the greatest number of critical vulnerabilities. Institutions in retail banking, retail brokerage and auto insurance were the top holders of apps revealed to have critical vulnerabilities that could endanger their customer base as well as their own technology networks.
Firms with the fewest critical vulnerabilities were credit card issuers, health savings account banks and health insurers utilizing mobile payment apps.
The study is authored by Aite Group senior cybersecurity analyst Alissa Knight, a white hat hacker who has conducted more than 100 penetration tests to date, most recently working for German auto manufacturers seeking to assess the security levels of their driving systems.
Knight characterizes the results of her analysis of 30 financial institutions' mobile apps as “devastating. I did not know that so many of these banks and financial service companies were storing their API [application programming interface] keys and secrets in their app codes,” allowing hackers to exploit this information and take control of a device.
“Using tools readily available on the Internet, Knight found nearly all of the applications could easily be reverse engineered, allowing access to sensitive information stored inside the source code,” said Arxan's April 2 press release.
Knight discovered that two of her own financial service providers were lax in their app security efforts, and she uninstalled those apps.
Knight's examination took place over a six-week period in January and February. The financial institutions ranged from small to middle-market to more than $10 billion in market capitalization, all with offerings in the Google Play store.
Access to Keys
The analyst tested for the ability to decompile the mobile applications.
“When an app is capable of being decompiled,” she explained in the report, “it allows adversaries to access sensitive information inside the source code - such as [API] keys, API secrets, private certificates, and URLs that the app communicates with and which would allow an adversary to then target the APIs of the back-end servers.”
Security experts have warned that apps for Android devices - like those in the Aite analysis - are more exposed, due to the open-source nature of the Android system. By contrast, Apple iOS technology is built on a closed system, with the source code not publicly released.
Gaining access to API keys is akin to entering the gate outside a house, says Knight, making it easier for hackers to insert malware or gain control of the system. Cyber attacks in 2018 on Marriott, T-Mobile and Panera Bread were API breaches.
Equally concerning is Knight's revelation that it took her “8.5 minutes on average to crack into an application and begin to freely read the underlying code, identify APIs, read file names, access sensitive data and more.”
Another finding: The largest-capitalization companies had the most vulnerable code; smaller companies' apps had fewer vulnerabilities.
When asked if outsourcing of app development might have been a cause of lax security, Knight said, “I would have thought that the large financial companies would have outsourced their app development, but my finding was that the larger companies are definitely doing development internally.” Smaller start-ups and sub-100-employee companies that tended to outsource ironically had the better security, she said.
Knight's research highlighted 11 types of vulnerabilities: lack of binary protections; insecure data storage; unintended data leakage; client-side injection; weak encryption; implicit trust of all certificates; execution of activities using root; world readable/writable files and directories; private key exposure; exposure of database parameters and SQL queries; and insecure random number generation.
Ninety-seven percent of the tested apps suffered from a lack of binary protection, making it possible to decompile the app and review the source code.
“Binary protection makes sure that the app is properly protected against tampering,” and the best way to provide it, says Knight, is to employ mobile app shielding, a security measure that obfuscates the code so that it is not readable. That is a solution offered by firms such as Arxan, the report's sponsor.
Eighty percent of the apps implemented weak encryption algorithms or executed an incorrect implementation of a strong cipher, the report says. This enables adversaries to decrypt, and then manipulate or steal, sensitive data.
Knight also notes that in many instances, when encryption was implemented, developers “left the private keys lying around. This is kind of like locking the door but leaving the keys laying there to be extracted,” a dangerous oversight by financial firms.
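As an added example (not code from the report, Aite Group or Arxan), the following Python script shows the kind of static triage a defender can run over sources recovered from a decompiled Android app, looking for the vulnerability classes the report lists above: hardcoded API keys and secrets, private keys left in the code, weak or ECB-mode ciphers, `java.util.Random` where `SecureRandom` belongs, trust-all certificate handlers, world-readable files, execution via `su`, and SQL built by string concatenation. The two Java files, their paths and the regex heuristics are constructed for illustration; the Java and Android identifiers they reference (`Cipher.getInstance`, `Context.MODE_WORLD_READABLE`, `X509TrustManager`) are real.

```python
"""Heuristic scan of decompiled Android sources for the report's vulnerability classes.

Added example: feed it text pulled from a decompiler (e.g. jadx or apktool output).
A hit means "review this line", not a confirmed finding.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    path: str
    line: int
    category: str
    snippet: str


# One heuristic per vulnerability class named in the report (constructed regexes).
CHECKS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("hardcoded API key/secret",
     re.compile(r'(?i)\b(api[_-]?key|api[_-]?secret|client[_-]?secret|password|auth[_-]?token)\b'
                r'\s*=\s*"[^"]{8,}"')),
    ("private key in source", re.compile(r'-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----')),
    ("weak or misused cipher",
     re.compile(r'Cipher\.getInstance\("(?:DES|DESede|RC4|Blowfish|AES/ECB)[^"]*"\)')),
    ("insecure random number generation", re.compile(r'\bnew\s+(?:java\.util\.)?Random\s*\(')),
    ("implicit trust of all certificates",
     re.compile(r'ALLOW_ALL_HOSTNAME_VERIFIER|checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}')),
    ("world readable/writable file", re.compile(r'MODE_WORLD_(?:READABLE|WRITEABLE)')),
    ("execution using root", re.compile(r'exec\(\s*"su"')),
    ("SQL query built by concatenation",
     re.compile(r'(?i)"\s*(?:select|insert|update|delete)\s[^"]*"\s*\+')),
]

# Constructed sample sources, written to resemble decompiler output; nothing here
# is taken from any real app, and the key/secret values are placeholders.
SAMPLE_SOURCES: Dict[str, str] = {
    "com/example/bank/ApiClient.java": r'''
package com.example.bank;
import java.util.Random;
import javax.crypto.Cipher;

public class ApiClient {
    private static final String BASE_URL = "https://api.example-bank.invalid/v2/";
    private static final String API_KEY = "AKIAEXAMPLEKEY000000";
    private static final String CLIENT_SECRET = "example-client-secret-not-real";
    private static final String SIGNING_KEY_PEM =
        "-----BEGIN RSA PRIVATE KEY-----\n" +
        "MIIEexampleNotARealKeyBody\n" +
        "-----END RSA PRIVATE KEY-----";

    static int nonce() { return new Random().nextInt(); }

    static Cipher cipher() throws Exception {
        return Cipher.getInstance("AES/ECB/PKCS5Padding");
    }
}
''',
    "com/example/bank/NetworkConfig.java": r'''
package com.example.bank;
import android.content.Context;
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;

public class NetworkConfig {
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] c, String a) { }
        public void checkServerTrusted(X509Certificate[] c, String a) { }
        public X509Certificate[] getAcceptedIssuers() { return null; }
    };

    static String accountQuery(String userId) {
        return "SELECT * FROM accounts WHERE id = " + userId;
    }

    static void cache(Context ctx, byte[] data) throws Exception {
        ctx.openFileOutput("session", Context.MODE_WORLD_READABLE).write(data);
        Runtime.getRuntime().exec("su");
    }
}
''',
}


def scan_source(path: str, text: str) -> List[Finding]:
    """Run every check over one file; line numbers are derived from the match offset."""
    findings = []
    for category, pattern in CHECKS:
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(path, line_no, category, m.group(0).splitlines()[0].strip()))
    return sorted(findings, key=lambda f: (f.path, f.line))


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of relative path -> file contents (as read from the decompiled tree)."""
    return [f for path, text in sorted(files.items()) for f in scan_source(path, text)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per vulnerability class, for the report-style tally."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_tree(SAMPLE_SOURCES)
    for f in results:
        print(f"{f.path}:{f.line}: {f.category}: {f.snippet}")
    print(summarize(results))
```

On a real decompiled tree, replace `SAMPLE_SOURCES` with a walk over the output directory; a clean line such as the `BASE_URL` constant above produces no hit, which is the point of keeping the secret pattern anchored to key-like names rather than to every string literal.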
In summary, Knight found that the large number of vulnerabilities in financial mobile apps can result in threats including account takeovers, credit application fraud, synthetic identity fraud, identity theft, unauthorized access to sensitive financial data, and the disabling of services.
What's the solution? Knight says the answer is a “defense-in-depth approach,” or “security that is layered like an onion and can do multiple things” - mobile application shielding, code hardening, threat detection and encryption capabilities.
Her advice to risk managers working with security teams is to ensure that coders receive proper security training for safe mobile app development; ensure that no mobile app is sent to the app store before it has been secured with application shielding; and consider conducting penetration testing of any security products deployed, including the app shield, threat detection and encryption.
Says Knight: “It is important that we not just watch the bad guys, but also watch the watchers,” and that includes the security technology providers.
Katherine Heires is a freelance business journalist and founder of MediaKat LLC.