The majority of finance apps used on smartphones across the world have critical vulnerabilities that hackers could exploit, according to a new report from the digital rights management organization Intertrust.
As more and more people have used mobile platforms to do their banking or manage their finances, cybercriminals too are focusing increased efforts on these apps. However, Intertrust’s 2021 State of Mobile Finance App Security Report shows that banks and financial companies aren’t always protecting their mobile customers.
Eighty-one percent of financial apps are actively leaking data, the report notes. In addition, an estimated 77 percent of these apps have at least one critical vulnerability that hackers could exploit.
“As mobile finance apps increasingly enter people’s everyday lives, it’s vital to understand the security risks associated with these apps and the ways to help mitigate them,” said David Maher, Chief Technology Officer and Executive Vice President at Intertrust.
The popularity of mobile banking rose during COVID-19 lockdowns, and so did phishing attacks against finance apps. A separate report noted that those phishing attempts jumped by 125 percent in 2020.
Malware was named the most common threat to these financial institutions by the Intertrust report. Last year, more than 156,000 new mobile banking trojans were discovered, double the number detected in 2019.
These malware attacks have used the pandemic to their advantage, sometimes even masquerading as COVID-19 contact tracing apps. Once downloaded to a phone, they have access to a smartphone user’s personal banking information, such as PINs and account numbers.
Other hacking methods target cryptocurrency accounts by setting up fake apps on the popular app stores. In one incident, hackers set up a supposed cryptocurrency converter on Google Play, the default Android app store. When downloaded, that app installed the Cerberus trojan malware, which is able to steal banking information, covertly monitor phones and intercept communications. Experts say hundreds of these phony cryptocurrency apps have recently popped up to steal financial information.
Intertrust’s report did a detailed comparison of Android vs. Apple security when it comes to mobile apps. It found that 70 percent of finance apps on Apple’s iOS have at least one critical vulnerability, compared with at least 84 percent of such apps on Android devices that were critically vulnerable in at least one area.
Insecure data storage, insufficient cryptography and insecure communication were among the most common security flaws across both operating systems.
Mobile app security also varies widely depending on the region in which an app is used. Intertrust reports that the United Kingdom performed the best of any region when it comes to the cybersecurity of its banking apps. Just 7 percent of UK financial apps had more than 10 vulnerabilities, compared to 38 percent of such apps in India and Southeast Asia, and 19 percent of U.S. finance apps.
“Poor financial app security puts both financial organizations and their customers at risk, especially given the rise in cyberattacks over the course of the pandemic,” Maher said. “This report shines a light on the ongoing threats and helps finance app vendors understand the importance of building in security mechanisms from day one.”
Nearly half of all payment apps tested are vulnerable to encryption key extraction, meaning that cybercriminals can compromise these apps, potentially exposing private data and confidential payment information.
The report also details the types of finance apps that are most vulnerable to cyberattacks. Banking apps generally have the most flaws in their security frameworks, according to Intertrust, which found more vulnerabilities in banks’ platforms than on apps for payments, investments or lending. Thirty-five percent of banking apps had more than 10 vulnerabilities and 81 percent had at least one critical security flaw. The most secure of these platforms were lending apps, largely because they are more limited in scope than traditional banking apps.
Intertrust’s report set out specific recommendations for developers of financial services mobile software. These recommendations include not storing sensitive data in insecure locations, where it remains vulnerable to cybercrime. Instead, information should be protected with strong encryption or strong data obfuscation technologies.
You can see the full Intertrust 2021 State of Mobile Finance App Security Report here.
Disclosure: This article mentions a client of an Espacio portfolio company.