Security Risks in Mobile Banking Apps: Half Are Vulnerable to Theft

Experts from Positive Technologies have analyzed mobile banking applications and found that more than half of all vulnerabilities are located in the server-side components of these apps. Fraudulent transactions and theft of funds are possible in every second (one in two) mobile banking app.

Study Overview

The study examined 14 fully functional mobile banking applications for Android and iOS, each downloaded from the official Google Play and App Store at least 500,000 times. The creators and owners of these apps consented to testing and the use of results for research purposes.

Researchers report that none of the analyzed mobile banking apps have an acceptable level of security. Both client-side and server-side components are at risk.

Client-Side Vulnerabilities

The main threat on the client side is unauthorized access to user data: 43% of apps store sensitive information on the mobile device in plain text. Additionally, 76% of vulnerabilities can be exploited without physical access to the device, and over a third do not require administrative (root or jailbreak) privileges.

According to the experts, all vulnerabilities found in iOS mobile banking apps were of medium risk or lower. In contrast, 29% of Android apps contained high-risk vulnerabilities. The most dangerous vulnerabilities in Android apps are related to insecure handling of deep links. The Android platform gives developers more freedom to implement features, which the experts see as the main reason Android apps contain more vulnerabilities than their iOS counterparts.
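The report only names insecure deep link handling as the top Android issue; the added example below (not code from the study or from any tested app) shows what the defensive side of that finding looks like. A deep link is an Intent whose data URI is fully under the sender's control, so an Activity that receives one has to treat the scheme, host, path and every query parameter as untrusted input and check them against an allowlist before navigating or acting. The scheme `examplebank`, host `app`, paths and the domain `www.example-bank.test` are constructed placeholders.

```kotlin
import android.app.Activity
import android.content.Intent
import android.net.Uri
import android.os.Bundle

class DeepLinkActivity : Activity() {

    // Allowlist of the only deep-link destinations this screen will honour (constructed).
    private val allowedScheme = "examplebank"
    private val allowedHosts = setOf("app")
    private val allowedPaths = setOf("/transfer", "/card")

    // Only https URLs on the bank's own domain may be opened from a deep-link parameter.
    private val trustedWebHost = "www.example-bank.test"

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        val uri = intent?.data
        if (uri == null || !isTrustedDeepLink(uri)) {
            finish()          // unknown or malformed link: do nothing rather than guess
            return
        }
        // A "return" URL is the classic attacker-controlled parameter: never load it into a
        // WebView or redirect to it unless it passes the same kind of allowlist check.
        val returnUrl = uri.getQueryParameter("return")
        if (returnUrl != null && !isTrustedWebUrl(returnUrl)) {
            finish()
            return
        }
        // A deep link may pre-fill a form, but it must never bypass authentication or the
        // user's explicit confirmation of a money movement.
        proceed(uri.path ?: "", uri.getQueryParameter("to"), returnUrl)
    }

    fun isTrustedDeepLink(uri: Uri): Boolean =
        uri.scheme == allowedScheme && uri.host in allowedHosts && uri.path in allowedPaths

    fun isTrustedWebUrl(url: String): Boolean {
        val parsed = Uri.parse(url)
        // Compare exact scheme and host; a prefix check like startsWith("https://www.example-bank.test")
        // would accept "https://www.example-bank.test.attacker.example".
        return parsed.scheme == "https" && parsed.host == trustedWebHost
    }

    private fun proceed(path: String, recipient: String?, returnUrl: String?) {
        // Placeholder for the app's own navigation; parameters reach here only after validation.
    }
}
```

The same allowlist logic belongs in the manifest: the Activity's intent filter should declare only the scheme, host and path prefixes it actually serves, and https links should be registered as verified App Links (`android:autoVerify="true"`) so another app cannot register the same host and intercept them.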

[Figure: Distribution of vulnerabilities by risk level]

The analysis showed that 54% of all vulnerabilities are found in the server-side components of mobile banking apps, with each server-side component containing an average of 23 vulnerabilities. Three out of seven server-side components had business logic errors, which could be exploited by attackers to commit fraud or obtain confidential user data. Such errors can lead to significant financial losses for banks and even legal action.

Fraudulent transactions are possible in every second (one in two) mobile banking app. Authentication data proved to be the most vulnerable aspect of mobile banking applications.

“Unauthorized access to the app is usually caused by flaws in authentication or authorization,” notes Positive Technologies analyst Olga Zinenko. “Our research showed that user accounts in mobile banking apps are accessible to attackers in five out of seven server-side components. Information available to attackers includes users’ names and surnames, account balances, transfer receipts, card limits, and the ability to link a payment card to a mobile phone number.”

[Figure: Top 10 issues in mobile banking apps]

Positive Technologies experts advise banks to pay more attention to security both at the design stage and during development. Given the large number of flaws found in source code, they recommend revising the development approach: adopting a secure development process and monitoring the app's security throughout its lifecycle.

It is also important to note that exploiting 87% of the vulnerabilities requires some action from the user. The experts strongly recommend that users avoid obtaining administrative (root or jailbreak) privileges on their device, install apps only from official stores, avoid visiting suspicious websites or clicking links received via messengers or SMS, and keep their OS and mobile apps updated.

[Figure: Average number of vulnerabilities per app]

  • More than half of vulnerabilities are found in server-side components.
  • Each server-side component contains an average of 23 vulnerabilities.
  • Business logic errors are present in nearly half of the apps tested.
