Security is important in every app, of course, but if there is one group of mobile apps that users want to be secure even more so than any others, it’s probably mobile banking apps. It will undoubtedly come as a shock, however, that a new study has found 90% of mobile banking apps from top banks have serious security vulnerabilities that could potentially compromise sensitive user data.
Security researcher Ariel Sanchez of IOActive recently published his findings after diving into home banking iPhone and iPad apps from 40 of the 60 top banks in the world. Here is a small sampling of his discoveries:
- “A few apps (less than 20%) did not have Position Independent Executable (PIE) and Stack Smashing Protection enabled. This could help to mitigate the risk of memory corruption attacks.”
- “40% of the audited apps did not validate the authenticity of SSL certificates presented. This makes them susceptible to Man in The Middle (MiTM) attacks.”
- “50% of the apps are vulnerable to JavaScript injections via insecure UIWebView implementations. In some cases, the native iOS functionality was exposed, allowing actions such as sending SMS or emails from the victim’s device.”
- “90% [of the apps] contained several non-SSL links throughout the application. This allows an attacker to intercept the traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or similar scam.”
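Three of the four quoted findings (missing PIE and stack-smashing protection, and cleartext non-SSL links embedded in the app) can be checked statically before an app ships. The script below is an added example written for this article, not code from IOActive or from Sanchez's report: it reads the Mach-O header flags for MH_PIE, looks for the stack-protector runtime symbols (`___stack_chk_fail`, `___stack_chk_guard`) that the compiler emits when Stack Smashing Protection is on, and lists any `http://` URLs baked into the image. The binaries it audits in its own `main` are synthetic blobs built by `build_sample` (header plus a string area only, no load commands), constructed here purely for demonstration; `bank.example` is a placeholder host.

```python
"""Static hardening audit for an iOS Mach-O binary (added example):
PIE flag, stack-smashing protection symbols, and embedded cleartext URLs."""
import re
import struct

MH_MAGIC_64 = 0xFEEDFACF
MH_CIGAM_64 = 0xCFFAEDFE   # same magic stored big-endian, read as little-endian
MH_MAGIC = 0xFEEDFACE
MH_CIGAM = 0xCEFAEDFE
MH_PIE = 0x200000          # mach_header.flags bit: position independent executable
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2

STACK_PROTECTOR_SYMBOLS = (b"___stack_chk_fail", b"___stack_chk_guard")
HTTP_URL_RE = re.compile(rb"http://[A-Za-z0-9.\-_/:%?=&]+")


def parse_header_flags(blob):
    """Return the mach_header flags field (32- or 64-bit, either byte order).
    Raises ValueError if the blob does not start with a Mach-O magic."""
    if len(blob) < 28:
        raise ValueError("too short to be a Mach-O header")
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic in (MH_MAGIC_64, MH_MAGIC):
        order = "<"
    elif magic in (MH_CIGAM_64, MH_CIGAM):
        order = ">"
    else:
        raise ValueError("not a Mach-O image")
    # First seven fields are identical in mach_header and mach_header_64:
    # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    fields = struct.unpack_from(order + "7I", blob, 0)
    return fields[6]


def audit_macho(blob):
    """Collect the three hardening facts this article's findings are about."""
    flags = parse_header_flags(blob)
    urls = {m.decode("ascii", "replace") for m in HTTP_URL_RE.findall(blob)}
    return {
        "pie": bool(flags & MH_PIE),
        "stack_smashing_protection": any(s in blob for s in STACK_PROTECTOR_SYMBOLS),
        "cleartext_urls": sorted(urls),
    }


def findings(report):
    """Turn an audit dict into human-readable findings; empty list means clean."""
    out = []
    if not report["pie"]:
        out.append("PIE not enabled: ASLR cannot randomize the main image base")
    if not report["stack_smashing_protection"]:
        out.append("no stack-smashing protection symbols found")
    for url in report["cleartext_urls"]:
        out.append("cleartext URL embedded: " + url)
    return out


def build_sample(pie, stack_protector, urls):
    """Construct a synthetic 64-bit Mach-O-like blob (demo input only):
    a mach_header_64 followed by a NUL-separated string area."""
    flags = MH_PIE if pie else 0
    header = struct.pack("<7I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 0, 0, flags)
    header += struct.pack("<I", 0)  # reserved field of mach_header_64
    strings = b"\x00".join(urls) + b"\x00"
    if stack_protector:
        strings += b"___stack_chk_fail\x00___stack_chk_guard\x00"
    return header + strings


if __name__ == "__main__":
    samples = {
        "hardened": build_sample(True, True, [b"https://bank.example/api"]),
        "weak": build_sample(False, False,
                             [b"http://bank.example/terms", b"https://bank.example/api"]),
    }
    for label, blob in samples.items():
        print(label + ":", findings(audit_macho(blob)) or ["clean"])
```

On a real app binary the same checks map onto Apple's tooling: `otool -hv` prints the header flags (look for `PIE`), and `otool -Iv` lists imported symbols, where the `___stack_chk_*` entries confirm stack protection. Certificate validation (the second finding) is a runtime property and is not covered by this static pass.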
The incredibly troubling study brings to light a very serious problem for the banking industry — and for consumers, of course — that will only become more severe over time as mobile banking app usage grows. Sanchez notes in his report that the various security vulnerabilities he identified could allow malicious hackers to intercept sensitive data, install malware or even seize control of a victim’s device.
“Home banking apps that have been adapted for mobile devices, such as smart phones and tablets, have created a significant security challenge for worldwide financial firms,” Sanchez stated in his conclusion. “As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions.”