Security flaws in banking apps expose data and source code

A researcher examined 30 financial apps for Android and found issues, including exposed source code and leaks of sensitive data.

The benefits of having three layers of security Dr. Ronald Ross, computer scientist and fellow at the National Institute of Standards and Technology, tells Tonya Hall about the importance of testing security and layering cyber defense.

Security vulnerabilities in the mobile applications of 30 financial services providers are putting the institutions and their customers at risk.

Exposed source code, sensitive data, access to backend services via APIs and more have been uncovered after a researcher downloaded various financial apps from the Google Play store and found that it took, on average, just eight and a half minutes before they were reading the code.

Vulnerabilities including lack of binary protections, insecure data storage, unintended data leakage, weak encryption and more were found in banking, credit card and mobile payments apps and are detailed a report by cybersecurity company Arxan: In Plain Sight: The Vulnerability Epidemic in Financial Mobile Apps.

"There's clearly a systemic issue here – it's not just one company, it's 30 companies and it's across multiple financial services verticals," Alissa Knight, cybersecurity analyst at global research and advisory firm Aite Group and the researcher behind the study, told ZDNet.

The vast majority – 97 percent of the apps tested – were found to lack binary code protections, making it possible to reverse engineer or decompile the apps exposing source code to analysis and tampering. And 90 percent of the apps tested experienced unintended data leakage, exposing data from the financial app to other applications on the device, while 80 percent of the apps tested were found to have implemented weak encryption, potentially allowing attackers to decrypt sensitive data.

But one weakness found in 83 percent of the apps tested, could potentially provide a gift to cyber attackers: these apps were found to store data insecurely, sometimes in the device's local file system and Knight found it was possible to extract what should be hidden API keys.

"API keys are basically that private password you don't want to get out. What was a systemic finding across multiple financial services mobile apps was that these private API keys were being found in the code," she said.

"It's almost as if the developers who wrote the code didn't realise that it's possible to actually browse the directory structure of this mobile app and pull these files out, pull the keys out of subdirectories".

If an attacker can get hold of these "crown jewels", it'd be possible for them to re-purpose the APIs for malicious intent.

"If I have access to the source code of the app, I can then modify the URLs and change how that app behaves and where it sends data to," Knight said.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

The company hasn't identified any of the apps so as not to add additional risk but said these attacks are not theoretical.

"We saw a lot of this happening in Eastern Europe last year, with this repackaging and distribution of apps. They were going to a legitimate bank, but also exfiltrating all the data at the same time," Rusty Carter, VP of product management at Arxan, told ZDNet.

"Clearly there's a problem here. You need to know that adversaries are beginning to target this area. This is the new frontier, this is a new area of focus for adversaries and this report is meant to get financial services companies to see how big of a problem they've got here and how they can address it," she said.

READ MORE ON CYBER CRIME