Tools including retail banking apps fail to take appropriate precautions to stop their software and systems from being hacked, researchers discover
A new study has found insecure coding practices in wide use in mobile financial applications, including retail banking apps, indicating what researchers said was a “systemic” issue.
The report, carried out by advisory firm Aite Group on behalf of application security firm Arxan Technologies, was intended to raise a warning flag over mobile financial apps as they become a new focus for hackers, Arxan said.
The firm pointed out that one widespread issue, the insecure storage of data, has already been widely exploited to access apps’ secret API keys, which are then used to repurpose the app so that it sends customers’ data to the hackers’ servers.
Such hacked and repackaged banking apps have already been actively distributed by gangs, for instance in Russia, where hackers used them to steal 50 million roubles (£584,000) from domestic banking customers in 2017.
Some 83 percent of the apps analysed were found to store data insecurely, for instance in the device’s file system, Arxan said.
The most widespread issue was a lack of binary protection, with 97 percent of the apps analysed failing to include measures to stop hackers from reverse-engineering the software.
Reverse-engineering exposes the source code, making it easier to track down other flaws.
Some 90 percent of apps unintentionally leaked data to other apps, while 80 percent used weak encryption and 70 percent used weak random-number generation.
The study didn’t identify the apps analysed.
Aite Group senior analyst Alissa Knight, who authored the report, said it took her on average 8.5 minutes to crack into an application and read its source code and other sensitive underlying data.
“With (financial institutions) holding such sensitive financial and personal data — and operating in such stringent regulatory environments — it is shocking to see just how many of their applications lack basic secure coding practices and app security protections,” she said.
The risks exposed by insecure apps include account takeovers, credit application fraud, identity fraud and identity theft, Knight said.
“It’s clear from the findings that the industry needs to address the vulnerability epidemic throughout its mobile apps and employ a defense-in-depth approach to securing mobile applications — starting with app protection, threat detection and encryption capabilities implemented at the code level,” she said.
She said she was “shocked” to find SQL queries exposing information on backend databases hard-coded into apps, and private keys being stored unencrypted in sub-directories.
The report analysed the mobile apps of 30 financial organisations from the Google Play store across eight sectors: retail banking, credit card, mobile payment, cryptocurrency, HSA, retail brokerage, health insurance and auto insurance.
Surprisingly, the apps from the smallest firms showed the most secure coding practices, while those from the largest companies were the most vulnerable.
The retail banking, retail brokerage and auto insurance apps were found to be at risk for all the issues discovered, while the fewest vulnerabilities were found in Health Savings Account apps.
“Unfortunately, the lack or app protection is systemic across these and most organisations using mobile apps to drive business — which in today’s environment is everyone,” said Arxan chief scientist Aaron Lint.
Financial firms targeted
Hackers haven’t limited their focus to mobile financial apps, however, with banks facing increasingly sophisticated threats that often physically target their internal networks.
In 2016 attacks on European banks by the ‘Cobalt’ cyber-crime gang caused teller machines to spew cash, while in 2017 an organised heist involving “money mules” and hackers gaining access to banks’ internal systems made off with an estimated $100 million (£77m).
Last year hackers physically infiltrated at least eight Eastern European banks, posing as job-seekers, couriers or inspectors, attached malicious devices, including netbooks and Rasberry Pis, to the banks’ networks and left them there to be remotely operated via cellular data networks.
The “DarkVishnya” attacks, detailed in December of last year by security firm Kaspersky, caused damage estimated in the tens of millions of dollars.