A growing number of consumers now check bank balances, buy stocks and trade cryptocurrency through mobile applications. In the second quarter of 2021 one major bank reported almost 57 million “digitally active customers,” an increase of 10% year-over-year, with nearly 43 million customers using its mobile app.
Naturally, consumers expect the mobile applications that handle their money or manage their wealth to be the most secure and private of all. Unfortunately they are not. In fact, in a recent review of the top finance-related mobile applications, researchers at NowSecure found an overwhelming majority of applications still contain security flaws that leak sensitive data and expose users to malicious activity.
An August 2021 analysis of the top 400 mobile finance-related apps showed that 70% of the apps we use to manage money or wealth fail basic privacy and security standards. Critical flaws in some of the world’s most popular mobile finance apps put millions of users at risk, exposing their bank accounts, credit ratings and personal information to hackers and underground data sellers.
Unfortunately the issues reside deep in the code itself, whether created intentionally by malicious actors sharing compromised libraries that developers reuse or accidentally through developer coding errors, creating a challenge for users and the app stores. Outdated or infected software libraries, misconfigured network connections, and improper file permissions within the mobile app code make it easier for hackers to collect massive amounts of data or seize control of an app and even the device itself.
A lack of sufficient security testing and governance enables these security and privacy issues to escape into the wild. Many of the mobile applications we reviewed failed to meet even the minimum industry standards for security and privacy established by the Open Web Application Security Project (OWASP) Mobile Project.
Methodology
Our review includes mobile apps available on the Apple® App Store® and Google Play™ store as of August 30, 2021. Because developers often release new code, sometimes daily or weekly, these values may change quickly; however, one week after the initial review, the assessments had not changed. Our review includes mobile apps for banking, stock trading, portfolio management, insurance, credit agencies and cryptocurrency.
We scored mobile apps on a scale of 0-100 and assigned a pass or fail letter grade of A (100-90), B (89-80), C (79-70), D (69-60) or F (59 or less). Mobile apps that scored 80-100 (A-B) represent high-quality, low-risk apps and are considered the most secure. Mobile apps that scored a C (79-70) carry medium risk and should be used with caution, monitored for strange activity and re-checked for scores changing with updates. Mobile apps in the C range may leak sensitive information or request unnecessary permissions, such as a budgeting app that gains access to the contact address book, GPS data or the camera.
Any application that scored a D or F (59 or less) represents a high risk and should not be used until security bugs are fixed by their developers. Failing apps have known software vulnerabilities that developers of these mobile apps should be aware of and address immediately, such as leaking unencrypted user ID or password or account info over the network or being open to man-in-the-middle attacks or data scraping.
Mobile finance apps are the keys to the kingdom
A variety of mobile apps now manage our financial lives. Beyond the explosive adoption of mobile banking apps, consumers increasingly use mobile apps for stock trading, credit monitoring or new finance technologies such as micro-loans and cryptocurrency. These mobile apps now hold the keys to our personal kingdoms–our paychecks, our retirement savings or investments–and all the personal and professional information those networks require.
Unfortunately a majority of the mobile finance applications we use every day to make purchases, manage savings or trade cryptocurrencies have fundamental vulnerabilities in their software code.
On the bright side, of the finance-related apps we assessed, 137 (30%) passed with a C or better, with 23 (6%) scoring an A or B and 114 (29%) passing with a C. Apps in the C-or-better range may still contain medium-risk vulnerabilities that can be addressed over time but that pose security risks in the meantime.
Unfortunately, most finance-related apps we assessed failed to fully protect user security and privacy. A remarkable 263 (70%) scored a D or an F in security and privacy, meaning they contained at least two high-risk vulnerabilities that leak sensitive data or leave users vulnerable to network attacks. Of the 236 apps that outright failed, 15% contained a critical bug in an outdated third-party library, as well as at least one other critical flaw that allows attackers to collect or modify data through insecure Internet connections.
A number of these high-risk apps on Android inadvertently create a dangerous man-in-the-middle backdoor, giving hackers an easier way to steal data from millions of mobile users or be used as a phishing vector.
Mobile banking apps
In its recent Mobile Finance Report, mobile analytics company App Annie revealed that mobile users installed 4.6 billion finance apps globally in 2020. Users spent 16.3 billion hours in those applications, a 15% increase year over year. And last year 86.5% of Americans used a mobile device to check their bank balance. Of U.S. consumers who used a smartphone to deposit checks in 2020, 42% of them did it for the first time driven primarily by the pandemic.
In a review of one subset of the data, we found a majority of mobile banking apps put consumers’ security and privacy at risk. Of those we assessed, 33 of the most popular mobile banking apps achieved low passing grades with an average risk score of C (66). Unfortunately 11 applications failed outright (60 or below) and contained at least two high-risk vulnerabilities that could be devastating to users of a financially-regulated business and the business itself.
Consumers expect PCI DSS regulations to protect their data as it is exchanged between parties, but that doesn’t protect them from these kinds of vulnerabilities. In some cases, flaws within mobile app code provide hackers access to the data of millions of users independent of PCI DSS regulated functions. Consumers must demand that these apps, perhaps above all others, be as secure as possible. In fact, finance-related mobile app development should be on the cutting edge of security and privacy.
Rise of mobile cryptocurrency apps
Downloads of cryptocurrency-related mobile apps grew dramatically in 2020, with one cryptocurrency wallet developer reaching over 70 million users and popular exchange Coinbase offering its mobile app to over 62 million token holders. There are many more cryptocurrency-related apps than there are mobile banking or stock trading apps due to their very nature. Driving a new wave in Fintech, these mobile apps are the fastest growing subset in the finance category.
In a review of 250 popular cryptocurrency-related applications including wallets, exchanges, portfolio trackers and news apps, 71% (191) FAILED with a score of 59 or below. Only 16 apps (6%) scored as low risk, high quality A or B. Vulnerabilities included a known dangerous third-party library, insecure network configurations and leaked data through excessive permissions.
What’s clear is that most of the mobile applications that crypto holders and traders trust appear to have serious security and privacy flaws. These issues allow hackers to intercept transactions or collect data on users, eroding the trust cryptocurrencies aim to achieve. The lowest F was a 6 out of 100.
“Cryptocurrency mobile apps are an example of a mobile app segment that grew explosively fast,” said David Weinstein, NowSecure CTO. “There has been a race to release new features to gain as many users as possible and innovation blew past security team capabilities and testing cycles. That puts both users and app developers at risk.”
Meeting the challenge
While these test results may seem alarming, they are not new. Mobile application security testing has shown for several years that our race for speed and convenience has neglected security and privacy. Despite massive breaches and evidence of data collection through mobile apps, organizations often fail to assign their best resources to mobile development or assume their developers have mobile security training. Low scores can thus be attributed to insufficient mobile app developer security training, a lack of deep mobile-specific security analyst skills, and a lack of sufficient mobile security testing.
Due to the high-risk nature of financial transactions and the complex connections that make mobile banking or trading possible, leadership in mobile app businesses, and their development teams, must become champions of security and privacy.
Organizations must first understand the security and privacy differences between both web and mobile development and web and mobile security testing. They must assign the same or greater resources to their mobile app effort than they have traditionally assigned to web development.
In addition, mobile finance apps that are released quarterly must undergo full-scope penetration testing for each major release. This also aligns with a PCI DSS requirement of independent review by a third party in order to maintain regulatory compliance, but extends it to assessing a wider set of security and privacy risks. Larger or more mature DevSecOps teams that release code weekly or daily must integrate automated security testing into their software development lifecycle.
Any organization whose business model depends on a mobile app should review their individual risk scores and security posture, with a free report available here. Mobile application developers and security teams should study the OWASP Mobile Top 10 to address the most common security threats. Consumers should demand clear privacy statements from app makers and businesses should ensure their apps properly safeguard sensitive data.
NowSecure offers resources to help organizations assess their mobile app security and privacy risks. Visit the NowSecure Mobile Risk Tracker for a deeper view of risks in finance and banking apps and see how they compare to other industries including healthcare, travel and retail. If your team is responsible for development or security, visit NowSecure Academy for free mobile app sec training to help speed the delivery of secure mobile apps.