Many Mobile Banking Apps Have Exploitable ‘Coding Errors’

Popular Apps Too Susceptible to Hacking, Positive Technologies Warns.

Given the number of banks that utilize white-labeled banking apps to provide online banking services to their clients, a recent report is extremely concerning. Researchers at Positive Technologies recently investigated 14 mobile banking apps that run on Android or iOS and found that 13 failed to prevent unauthorized access to user data. Although the specific apps were not identified, each one had been downloaded from app stores more than 500,000 times.

The analysis shows that none of the 14 apps studied were truly secure. Several of the applications contained security flaws and could be exploited without physical access to the smartphone or mobile device used. These vulnerabilities can lead to brute-force attacks, man-in-the-middle schemes, and the distribution of malware, such as banking Trojans. Android apps proved to be more vulnerable than iOS apps, but in both cases, there are vulnerabilities that are the result of coding errors.

Such attacks could provide access to sensitive information, such as personal banking data and payment card details. Attackers could also gain unauthorized access to the application to commit fraud and steal funds, the report asserts.

Banking Apps Targeted

Threats to online banking have increased recently as the switch to mobile banking has accelerated.

In June, the FBI issued a warning about criminals targeting mobile banking apps with malware to steal credentials and conduct account takeover attacks. Mobile phishing attacks have also recently surged.

Client-Side Vulnerabilities

The researchers found that 3% of the Android apps contained vulnerabilities posing a “high” client-side attack risk, 40% posed “medium” risks, and 57% posed “low” risks. For iOS, 37% of the apps posed “medium” risks and 63% posed only a “low” risk of client-side attacks.

Server-Side Vulnerabilities

The study points out that more than half of the banking apps contained high-risk server-side vulnerabilities related to insufficient authentication, unauthorized access to applications, and business logic errors. In most of these apps, the prevalent issue was a brute-force vulnerability in the one-time password mechanism. Unauthorized access to applications usually results from authentication and authorization flaws.
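As an added illustration (not code from the report or from any of the apps studied), here is how a server-side one-time password check can be made resistant to the brute-force weakness described above: each issued code carries an attempt counter and an expiry, is compared in constant time, and is usable exactly once. The attempt limit, code length, lifetime and session-id naming are assumed values chosen for the example.

```python
import hmac
import secrets
import time

# Constructed policy values for the example (not taken from the report):
OTP_DIGITS = 6          # a 6-digit code has only 1,000,000 possible values
MAX_ATTEMPTS = 5        # wrong guesses allowed before the code is discarded
OTP_TTL_SECONDS = 300   # code expires after five minutes


class OtpVerifier:
    """Server-side OTP check that bounds guessing.

    After MAX_ATTEMPTS wrong guesses, or once the TTL has passed, the
    pending code is discarded, so a client cannot cycle through every
    possible value against a single issued code.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, useful for testing expiry
        self._pending = {}       # session_id -> {"code", "attempts", "expires"}

    def issue(self, session_id):
        # Cryptographically random code, zero-padded to OTP_DIGITS
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[session_id] = {
            "code": code, "attempts": 0,
            "expires": self._now() + OTP_TTL_SECONDS,
        }
        return code   # in practice delivered out of band (SMS, push, authenticator)

    def verify(self, session_id, submitted):
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._pending[session_id]        # expired: force a fresh issue
            return False
        entry["attempts"] += 1
        # Constant-time comparison so response timing leaks nothing about the code
        if hmac.compare_digest(entry["code"], str(submitted)):
            del self._pending[session_id]        # a code is usable exactly once
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[session_id]        # too many failures: discard
        return False

    def is_pending(self, session_id):
        return session_id in self._pending
```

Pairing the per-code limit with per-account and per-IP rate limiting at the API gateway covers the case where the attacker simply requests a new code and starts over.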

While this is not great news for anyone relying on a mobile banking app or site, it’s to be expected as both technology and criminals evolve. It’s important to acknowledge the risks posed and to ensure that your bank is protected. Who is responsible if there is a problem with your bank’s mobile app or site?

If you have questions about IT security, call ITPAC today.