Analysis Suggests Half of Mobile Banking Apps Aren’t Secure
Security flaws found in mobile banking apps.
New research has been carried out by Pradeo Lab that suggests half of mobile banking apps aren’t secure. In their tests, they found that on average there were seven security flaws in each app they tested.
Pradeo Lab noted that these security flaws could potentially put up to half a billion people at risk because their banking apps aren’t secure enough.
Clément Saad, founder of Pradeo, said he was worried not only by the number of apps that had security flaws but also by the number of methods that successfully worked to breach these apps’ security measures.
Saad said, “We did not settle for a demonstration of the vulnerability of each application in front of a simple keylogger, but their weaknesses facing more than twenty threats. Not a single banking app successfully passed our exam, and on average each app was susceptible to seven breaches.”
In the research, they noted that criminals will often attack banking apps with different goals in mind. Sometimes the criminals are looking to steal passwords, sometimes they’re spying on account data, whilst in other cases they may be attempting to take money from the accounts.
Pradeo Lab limited their initial tests to 50 banks, but they made it clear that chances are that “Apps from other banking establishments are also at risk and that consequently, the number of impacted users is potentially very significant. While there have not yet been any major security issues with banking apps, banks need to address these issues.”
The majority of security flaws were actually due to the operating system, as opposed to the app itself – “Most popular phone operating systems are not as secure as server operating systems and they’re usually full of useless bloatware that increases the attack surface.”
With the mobile space being open to threats such as data theft, SMS tracking, and keylogging, there’s a major underlying risk for those that use mobile banking in its current state.
“Applying formal controls and strong SDLC practices would help. Regulators such as the MAS have some interesting things to say about doing it properly. For instance, they mandate that the banks certify specific phones as platforms for their applications. These are all measures that we are learning to apply in the data center.”
In almost all cases, it’s still the bank’s responsibility to provide additional security for their customers whilst using mobile banking apps. With customers relying on their bank providing them with the security they need to keep their account safe, quickly releasing mobile banking apps with potential security flaws to beat competitors to the smartphone race is just not worth it.
Pradeo Lab didn’t make it clear what types of security flaws existed in the mobile banking apps that they tested. They also didn’t emphasize the severity of such flaws, but it’s likely that these flaws only presented a minor security risk. It’s likely that Pradeo Lab passed on their research to the banks that owned the apps they tested.
We may hear more about this in the future, but for now it’s important to be careful whilst using banking apps. If you’re unsure about the potential security flaws in your current banking app, it may be worth sacrificing a little convenience to use more secure online banking from a desktop instead of from your mobile.