Financial Apps Are Vulnerable

Uploaded on 2019-04-08 in FREE TO VIEW, BUSINESS-Services-IT & Telecoms, BUSINESS-Services-Financial

Despite the growing cybersecurity threat targeting mobile financial services applications, many financial institutions are failing when it comes to protecting their apps. 
 
Research conducted by advisory firm Aite Group uncovered widespread security deficiencies among mobile consumer finance apps leading to the exposure of source code, personally identifiable information, account credentials and access to backend systems. 
 
Aite Group examined the protective capabilities of 30 different financial services applications found on the Google Play store. Using commonly available software tools, nearly all of the apps were easily reverse engineered, revealing a systemic lack of application-appropriate protection and coding best practices. 
 
Among the key vulnerabilities the research uncovered:
 
Lack of Binary Protections — 97% of all apps tested lacked binary code protection, making it possible to reverse engineer or decompile the apps exposing source code to analysis and tampering.
 
Unintended Data Leakage — 90% of the apps tested shared services with other applications on the device, leaving data from the financial institution’s application’s app accessible to any other application on the device.
 
Insecure Data Storage — 83% of the apps tested insecurely stored data outside of the application's control, for example, in a device’s local file system, external storage, and copied data to the clipboard allowing shared access with other apps; and exposed a new attack surface via APIs.
 
Weak Encryption — 80% of the apps tested implemented weak encryption algorithms or the incorrect implementation of a strong cipher, allowing adversaries to decrypt sensitive data and manipulate or steal it as needed.
 
Insecure Random-Number Generation — 70% of the apps use an insecure random-number generator, a security measure that relies on random values to restrict access to a sensitive resource, making the values easily guessed and hackable
 
Arxan
 
You Might Also Read:
 
Security Flaw Puts UK Bank Customers At Risk:
 
 
« The Brexit Shaped Gap In UK Cyber Security
Cyber Knowledge The Easy Way »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Seclore

Seclore

Seclore is the most advanced, secure, and automated Enterprise Digital Rights Management (EDRM) solution available.

Cryptus Cyber Security

Cryptus Cyber Security

Cryptus Cyber Security is an Information Security Training company providing advanced training and services to IT Professionals.

BTWorks

BTWorks

BTWorks provides identity management and anti-phishing / smishing solutions for web and mobile apps.

Hivint

Hivint

Hivint is a new kind of Information Security professional services company enabling collaboration between our clients to reduce unnecessary security spend.

Pixalate

Pixalate

Pixalate is an omni-channel fraud intelligence company that works with brands and platforms to prevent invalid traffic and improve ad inventory quality.

OneTrust

OneTrust

OneTrust is the largest and most widely used technology platform to operationalize privacy, security and third-party risk management.

TechStak

TechStak

TechStak is the easiest way for businesses to find and connect with IT Pros and other technology solution providers in their area.

European Healthcare Fraud & Corruption Network (EHFCN)

European Healthcare Fraud & Corruption Network (EHFCN)

EHFCN is the only organisation dedicated to combating fraud, corruption and waste in the healthcare sector across Europe.

AirEye

AirEye

AirEye is a leader in Network Airspace Protection (NAP). Block attacks against your corporate network launched from wireless devices in your corporate network airspace.

Wickr

Wickr

Wickr's mission is to secure the world's most critical communications. Wickr provides the highest standard of encryption trusted by millions worldwide.

FCI

FCI

FCI is a NIST-Based Managed Security Service Provider (MSSP) offering Cybersecurity Compliance Enablement Technologies & Services to Financial Services organizations.

Sure Valley Ventures

Sure Valley Ventures

Sure Valley Ventures is an entrepreneur led venture capital fund focused on helping software entrepreneurs grow and scale businesses that will have a global impact.

Alethea

Alethea

Alethea is a technology company helping companies, nonprofits, and democracies protect themselves from harms stemming from disinformation and social media manipulation.

Digital Security Authority (DSA)

Digital Security Authority (DSA)

The establishment of the Digital Security Authority, which incorporates the National CSIRT, is crucial to significantly raising the cybersecurity posture and capabilities of Cyprus.

Intellinexus

Intellinexus

Intellinexus turns data into actionable insights to revolutionise decision-making in your business.

Redblock

Redblock

Redblock's mission is to eliminate the drudgery and repetitive 'eye on the glass' work done by Security Teams.