Positive Technologies experts have studied mobile banking applications and found that more than half of all vulnerabilities are located in the server-side components of the applications, and that in every second mobile banking application fraudulent transactions and theft of funds are possible.
For the study, 14 full-featured banking mobile applications for Android and iOS were selected, each downloaded from the official Google Play and App Store at least 500,000 times, whose developers and owners consented to the testing and to the use of its results for research purposes.
The researchers report that none of the mobile banking applications examined has an acceptable level of security; both the client and server components of the banking applications are at risk.
On the client side, the main threat is unauthorized access to user data, because 43% of the applications store sensitive data on the mobile device in the clear. At the same time, 76% of the vulnerabilities can be exploited without physical access to the device, and more than a third of the vulnerabilities do not require administrative rights.
According to the experts, none of the shortcomings identified in the iOS mobile banking apps exceeded the medium risk level, while 29% of the Android apps contained high-risk vulnerabilities. The most dangerous vulnerabilities were found in Android applications and are associated with insecure handling of deep links. Android gives app developers more opportunities to implement varied functionality, and the experts see this as the main reason for the larger number of vulnerabilities in Android applications compared with iOS applications.
According to the analysis, 54% of all vulnerabilities are located in the server side of the mobile banking systems, and the server side of each mobile bank contains on average 23 vulnerabilities. Moreover, three of the seven server components contain business logic errors: functionality that cybercriminals can use to carry out fraudulent transactions or obtain confidential user data. Errors in business logic can cause significant financial losses for the bank and even lead to litigation, the experts say.
In every second mobile banking application, fraudulent transactions are possible. The most vulnerable element of the mobile banking applications turned out to be authentication data.
“Unauthorized access to the application is usually caused by deficiencies in authentication or authorization,” said Olga Zinenko, analyst at Positive Technologies. “Our study showed that user accounts of mobile banks are accessible to cybercriminals in five of the seven server parts. Among the information available to an attacker: the names and surnames of users, the value of the balance of funds, receipts for transfers, bank card limits, as well as the ability to establish the relationship between the payment card and the mobile phone number.”
Positive Technologies experts advise banks to pay more attention to security both at the design stage and at the development stage of mobile applications. Given the large number of shortcomings in the source code, development approaches should be revised: introducing secure development processes and monitoring the security of the application at all stages of its life cycle may be the solution.
It should also be borne in mind that exploiting 87% of the vulnerabilities requires some action on the part of the user. The experts strongly recommend that users do not elevate their OS privileges to administrative level, install applications only from official stores, do not visit suspicious sites, do not follow links from instant messengers or SMS, and update the OS and mobile software in a timely manner.