Bank applications’ security flaws expose data and source code
A researcher examined 30 Android financial applications and found issues such as exposed source code and sensitive data leaks.
Security vulnerabilities in the mobile applications of 30 financial services providers put the institutions and their customers at risk. A researcher downloaded a range of Android financial applications from the Google Play store and found that it took an average of 8.5 minutes before the code could be read, exposing the source code, sensitive data, back-end access through APIs, and more.
Vulnerabilities found in the banking, credit card and mobile payment applications included lack of binary protection, insecure data storage, unintended data leakage, weak encryption and others, according to a report by cybersecurity company Arxan, In Plain Light: The Vulnerability Epidemic in Mobile Finance Applications. The report, from the global research and consulting firm Aite Group, states: “There’s a clear systemic issue here. It’s not just an enterprise, it’s thirty firms, and it’s across multiple financial services verticals.”
The vast majority, 97% of the tested apps, lacked binary code protection, meaning the applications could be reverse-engineered or decompiled, analyzed and manipulated. And 90% of the apps tested had unintended data leaks that exposed financial app data to other apps on the device, while 80% were found to use weak encryption, potentially enabling attackers to decrypt sensitive data.
However, one weakness that occurred in 83 percent of the tested applications may hand cyber attackers a gift: these applications were found to store data insecurely, and in some cases Knight was able to extract hidden API keys from the device.
“API keys are essentially a personal password that you do not want to get out. It was a systemic finding that these private API keys are being found in the code in a multitude of mobile financial services,” she said. “It’s almost as if the developers who wrote the code couldn’t really browse the directory organization of this mobile application and remove the files from them by removing the keys from the subdirectories.”
If an attacker can seize these “crown jewels,” they may reuse the APIs for malicious purposes. ‘If I have access to an app’s source code, then I can modify the URLs and change how the app handles data and where data are sent,’ said Knight. ‘The company has not identified any apps at risk of additional attacks,’ he said. Rusti Carter, Vice President of Product Management at Arxan:
“Much of this was done last year in Eastern Europe with this repackaging and distribution of apps. They had been going to a lawful bank, but they also exfiltrated all the data at the same time. There clearly is a problem. You have to know that adversaries are beginning to target this area.
This is the new frontier; it is a new area of concern for adversaries, and this report is intended to get financial services businesses to understand just how big a problem they have and how to deal with it,” she said.
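The API-key finding above (private keys sitting in the app's code and resource directories) is the kind of defect a pre-release check can catch before the build ships. The following is an added example, not code from the article or from Arxan or Aite Group: a small scanner that walks decompiled sources and resources and flags hard-coded credentials, using two provider-specific shapes plus a generic name-plus-high-entropy rule. The file names, the `sk_live_` layout and every value in `SAMPLE_FILES` are constructed for illustration; only the `AKIA` access-key-id prefix is a real, publicly documented format.

```python
"""Added example: flag hard-coded API keys in decompiled Android app sources/resources.

All sample inputs below are constructed; paths and values are hypothetical.
"""
import math
import re
from dataclasses import dataclass


@dataclass
class Finding:
    file: str
    line_no: int
    rule: str
    preview: str  # masked value: enough to locate it, without re-exposing it


# Provider-specific shapes. The AKIA prefix is the documented AWS access-key-id
# layout; "sk_live_" + 24 alphanumerics is a hypothetical payment-provider layout
# used here only to show how an exact-shape rule looks.
SPECIFIC_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("stripe_like_secret", re.compile(r"\bsk_live_[0-9A-Za-z]{24}\b")),
]

# Generic rule: a key/secret/token/password-like name, then within 40 characters a
# value of 16+ token characters enclosed in quotes or XML tags. An entropy gate
# drops obvious placeholders such as "aaaaaaaaaaaaaaaaaaaa".
GENERIC_RULE = re.compile(
    r"""(?i)(?:key|secret|token|passw(?:or)?d)[^\n]{0,40}?["'>]([A-Za-z0-9_\-+/=]{16,})["'<]"""
)
MIN_ENTROPY_BITS = 3.0

# Constructed sample: fragments as they might appear after decompiling an APK.
SAMPLE_FILES = {
    "com/example/bank/net/ApiClient.java": (
        "public class ApiClient {\n"
        '    private static final String BASE_URL = "https://api.example-bank.invalid/v1/";\n'
        '    private static final String API_KEY = "AKIAIOSFODNN7EXAMPLE";\n'
        "    private static final int TIMEOUT_MS = 30000;\n"
        '    private static final String SESSION_TOKEN_PLACEHOLDER = "aaaaaaaaaaaaaaaaaaaa";\n'
        "}\n"
    ),
    "res/values/strings.xml": (
        "<resources>\n"
        '    <string name="app_name">Example Bank</string>\n'
        '    <string name="payments_token">sk_live_EXAMPLEkeyEXAMPLEkey0000</string>\n'
        "</resources>\n"
    ),
    "res/values/colors.xml": (
        "<resources>\n"
        '    <color name="primary">#1565C0</color>\n'
        "</resources>\n"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; ~0 for repeated characters, >3 for key-like strings."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _mask(value: str) -> str:
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path: str, text: str) -> list:
    """Return Findings for one file; a value is reported once per line, specific rule first."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        seen = set()
        for rule, pattern in SPECIFIC_RULES:
            for m in pattern.finditer(line):
                value = m.group(0)
                if value not in seen:
                    seen.add(value)
                    findings.append(Finding(path, line_no, rule, _mask(value)))
        for m in GENERIC_RULE.finditer(line):
            value = m.group(1)
            if value in seen:
                continue  # already reported by a provider-specific rule
            if shannon_entropy(value) < MIN_ENTROPY_BITS:
                continue  # low entropy: placeholder or constant, not a live credential
            seen.add(value)
            findings.append(Finding(path, line_no, "generic_high_entropy", _mask(value)))
    return findings


def scan_files(files: dict) -> list:
    """Scan a {path: contents} mapping (e.g. the output tree of a decompiler)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.file}:{f.line_no} [{f.rule}] {f.preview}")
```

Run against a real decompiled tree by reading each file into the `files` mapping; in a release pipeline the build should fail on any finding, and a confirmed key should be rotated rather than merely removed from the next build, since every shipped APK that contained it remains downloadable.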