
Major security holes found in 90% of top mobile banking apps

Published Jan 14th, 2014 11:40AM EST

Security matters in every app, but if there is one category of mobile app that users need to be secure above all others, it is mobile banking. It will come as a shock, then, that a new study has found that 90% of the mobile banking apps from top banks contain serious security vulnerabilities that could expose sensitive user data.

Security researcher Ariel Sanchez of IOActive recently published his findings after auditing the home banking iPhone and iPad apps of 40 of the world's top 60 banks. Here is a small sampling of his discoveries:

  • “A few apps (less than 20%) did not have Position Independent Executable (PIE) and Stack Smashing Protection enabled. This could help to mitigate the risk of memory corruption attacks.”
  • “40% of the audited apps did not validate the authenticity of SSL certificates presented. This makes them susceptible to Man in The Middle (MiTM) attacks.”
  • “50% of the apps are vulnerable to JavaScript injections via insecure UIWebView implementations. In some cases, the native iOS functionality was exposed, allowing actions such as sending SMS or emails from the victim’s device.”
  • “90% [of the apps] contained several non-SSL links throughout the application. This allows an attacker to intercept the traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or similar scam.”
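Three of the four findings above (the PIE flag, stack smashing protection, and cleartext http:// links) can be checked statically against the app binary, which is how an auditor would triage a large set of apps before spending time on each one. The following is an added example written for this page, not IOActive's tooling or code from the report. It parses the Mach-O header directly with the standard library, uses the same heuristic as `otool -Iv | grep stack_chk` for the stack protector, and greps the image for `http://` strings; the sample binaries it runs on are constructed (header plus a few strings), not real banking apps. The missing-certificate-validation finding is not covered here because it needs a dynamic test through an intercepting proxy, not a static check.

```python
"""Static audit of an iOS app binary: PIE flag, stack protector, cleartext links.
Added example for this article; standard library only. The sample images built
by make_image()/make_fat() are constructed test data, not real app binaries."""
import re
import struct

MH_MAGIC = 0xFEEDFACE     # 32-bit thin Mach-O (little-endian on ARM/x86)
MH_MAGIC_64 = 0xFEEDFACF  # 64-bit thin Mach-O
FAT_MAGIC = 0xCAFEBABE    # universal (fat) wrapper; its header is big-endian
MH_PIE = 0x200000         # mach_header.flags bit: image is position independent
MH_EXECUTE = 2
CPU_TYPE_ARM = 12
CPU_TYPE_ARM64 = 12 | 0x01000000
# The C function __stack_chk_fail carries a leading underscore in Mach-O symbol tables.
STACK_CHK_SYMBOL = b"___stack_chk_fail"
CLEARTEXT_URL = re.compile(rb"http://[\x21-\x7e]+")


def iter_slices(data):
    """Yield (offset, size) of every thin Mach-O image in a fat or thin file."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        for i in range(nfat_arch):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
            _, _, offset, size, _ = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            yield offset, size
    else:
        yield 0, len(data)


def audit_slice(image):
    """Run the three static checks on one thin Mach-O image."""
    magic = struct.unpack_from("<I", image, 0)[0]
    if magic == MH_MAGIC:
        # mach_header after magic: cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
        cputype, _, _, _, _, flags = struct.unpack_from("<6I", image, 4)
    elif magic == MH_MAGIC_64:
        # mach_header_64 has one extra trailing 'reserved' field
        cputype, _, _, _, _, flags, _ = struct.unpack_from("<7I", image, 4)
    else:
        raise ValueError("not a little-endian thin Mach-O image")
    return {
        "cputype": cputype,
        "pie": bool(flags & MH_PIE),
        # The guard only works if the binary imports the failure handler from libSystem,
        # so its presence in the symbol strings is the usual indicator (otool -Iv).
        "stack_protector": STACK_CHK_SYMBOL in image,
        "cleartext_urls": sorted({m.decode() for m in CLEARTEXT_URL.findall(image)}),
    }


def audit_app_binary(data):
    """Audit each architecture slice and return one report per slice."""
    return [audit_slice(data[off:off + size]) for off, size in iter_slices(data)]


def findings(report):
    """Phrase one slice's report as audit findings."""
    out = []
    if not report["pie"]:
        out.append("PIE not enabled: ASLR cannot randomise the image base")
    if not report["stack_protector"]:
        out.append("stack smashing protection not enabled (no __stack_chk_fail import)")
    for url in report["cleartext_urls"]:
        out.append(f"non-SSL link embedded in binary: {url}")
    return out


# --- constructed sample binaries: a header plus a few strings, nothing more ----
def make_image(pie, stack_protector, urls, bits=64):
    flags = MH_PIE if pie else 0
    if bits == 64:
        header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 0, 0, flags, 0)
    else:
        header = struct.pack("<7I", MH_MAGIC, CPU_TYPE_ARM, 0, MH_EXECUTE, 0, 0, flags)
    strings = b"\0".join(urls) + b"\0"          # stand-in for __cstring contents
    if stack_protector:
        strings += STACK_CHK_SYMBOL + b"\0"      # stand-in for the symbol string table
    return header + strings


def make_fat(images):
    """Wrap thin images in a fat header the way lipo does (slices page-aligned)."""
    archs, body, offset = b"", b"", 4096
    for img in images:
        cputype = struct.unpack_from("<I", img, 4)[0]
        archs += struct.pack(">IIIII", cputype, 0, offset, len(img), 12)
        padded = img.ljust(-(-len(img) // 4096) * 4096, b"\0")
        body += padded
        offset += len(padded)
    header = struct.pack(">II", FAT_MAGIC, len(images)) + archs
    return header.ljust(4096, b"\0") + body


if __name__ == "__main__":
    hardened = make_image(True, True, [b"https://bank.example/login"])
    legacy = make_image(False, False, [b"http://bank.example/terms", b"https://bank.example/api"], bits=32)
    for report in audit_app_binary(make_fat([legacy, hardened])):
        print(hex(report["cputype"]), findings(report) or ["no findings"])
```

To run this against a real app, unzip the .ipa and pass the bytes of `Payload/<App>.app/<App>` to `audit_app_binary()`. The header flags are readable as-is, but App Store builds have their `__TEXT` segment FairPlay-encrypted, so the URL check (and typically not the symbol-table check, which lives in `__LINKEDIT`) only gives meaningful results on a decrypted binary. Note also that a missing `___stack_chk_fail` import is a strong but not conclusive signal: a binary with no stack buffers at all would not import it either.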

The study brings to light a serious problem for the banking industry, and for its customers, that will only grow as mobile banking usage does. Sanchez notes in his report that the vulnerabilities he identified could allow attackers to intercept sensitive data, install malware, or even take control of a victim's device.

“Home banking apps that have been adapted for mobile devices, such as smart phones and tablets, have created a significant security challenge for worldwide financial firms,” Sanchez stated in his conclusion. “As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions.”

Zach Epstein, Executive Editor
