Intertrust, the pioneer in digital rights management (DRM) technology and leading provider of application security solutions, released their annual 2020 Security Report on US Financial Mobile Apps today, revealing that over 70% of U.S. financial services apps have at least one serious vulnerability that could lead to a breach of financial data. The report investigated 100 publicly available U.S. mobile financial services apps across a range of categories, including banking, investment, and mobile payment, to uncover the most critical financial mobile app threats.
82% of the apps in the study failed one or more cryptographic tests, with cryptographic key protection and management issues posing one of the more pervasive and serious threats. Even if app developers use robust cryptography standards, they can fail to protect keys in their apps, allowing attackers to reverse engineer the code and extract the key. This means that for financial apps, the encryption they rely on can be easily broken by cybercriminals, potentially exposing confidential payment and customer data and putting the application code at risk for analysis and tampering.
The study’s overall findings suggest that while the COVID-19 pandemic is accelerating the world’s shift to digital channels and innovative technologies like mobile contactless payments, mobile financial application security is not keeping up.
“The troubling results of this analysis indicate that mobile financial app developers still need to pay closer attention to secure coding practices,” said Bill Horne, general manager of the Secure Systems product group at Intertrust. “The good news is that application shielding strategies and technologies are available that can help financial organizations improve the overall security of their applications.”
The Intertrust Security Report on U.S. Financial Mobile Apps presents the results of an audit of 100 iOS and Android mobile applications of U.S. financial organizations, conducted by a third-party expert. All 100 apps were analyzed using an array of static application security testing (SAST) and dynamic application security testing (DAST) techniques based on OWASP (Open Web Application Security Project) mobile app security guidelines.
Highlights from the security report include:
- Almost every app analyzed (98%) contains security vulnerabilities.
- 71% of tested U.S. financial services apps have at least one high-level security vulnerability. A vulnerability is classified as high if it can be readily exploited and has the potential for significant damage or loss.
- A vast majority of financial services apps (82%) have mishandled and/or weak encryption that puts them at risk for data theft and code manipulation.
- 62% of Android apps and 32% of iOS apps are vulnerable to encryption key extraction.
- Approximately 34% of tested Android apps and 16% of iOS apps failed to adequately protect the transport layer, resulting in insecure communications between the app and server—which could potentially expose data and session IDs.
- The majority of financial apps contain multiple security issues with data storage. For instance, 90% of tested Android apps stored information in Android's SharedPreferences, leaving unencrypted data readily readable and editable by attackers and malicious apps.
- Nearly 70% of the high-level threats discovered could have been mitigated using in-app protection.
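The SharedPreferences finding above is the one storage issue the report describes concretely. The following Kotlin snippet is an added illustration, not code from the report or from Intertrust: it places the weak pattern (a session token written as plaintext XML) beside the hardened pattern using the AndroidX `security-crypto` library (`EncryptedSharedPreferences` backed by a `MasterKey` held in the Android Keystore). The preference file names, key names and function names are hypothetical.

```kotlin
import android.content.Context
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// WEAK: the value is written as plaintext XML under
// /data/data/<package>/shared_prefs/session.xml. MODE_PRIVATE only relies on
// filesystem permissions, so anything that can read the app's private
// directory (a rooted device, a debuggable build, an extracted backup)
// sees and can edit the token.
fun storeTokenPlaintext(context: Context, token: String) {
    context.getSharedPreferences("session", Context.MODE_PRIVATE)
        .edit()
        .putString("auth_token", token)   // hypothetical key name
        .apply()
}

// HARDENED: keys and values are encrypted before they reach disk. The master
// key is generated in and never leaves the Android Keystore, so extracting the
// XML file alone does not yield the token.
fun encryptedPrefs(context: Context): android.content.SharedPreferences {
    val masterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()
    return EncryptedSharedPreferences.create(
        context,
        "session_secure",                 // hypothetical file name
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )
}

fun storeTokenEncrypted(context: Context, token: String) {
    encryptedPrefs(context).edit().putString("auth_token", token).apply()
}

fun readToken(context: Context): String? =
    encryptedPrefs(context).getString("auth_token", null)
```

A quick self-check during testing is to write a token with each function on a debug build and inspect the two XML files under the app's `shared_prefs` directory: the first shows the token verbatim, the second shows only ciphertext for both the key and the value. The encrypted variant still depends on the Keystore-backed master key, which is the kind of key protection the report's cryptographic findings call for; it does not by itself address the key-extraction or transport-layer issues listed above.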
Financial service organizations interested in Intertrust’s application shielding solution for the finance industry can find more information here.
Intertrust provides trusted computing products and services to leading global corporations–from mobile, consumer electronics and IoT manufacturers, to service providers and enterprise software platform companies. These products include the world’s leading digital rights management (DRM), software tamper resistance, and technologies to enable private data exchanges for various verticals including energy, entertainment, retail/marketing, automotive, fintech, and IoT. Founded in 1990, Intertrust is headquartered in Silicon Valley with regional offices in London, Tokyo, Mumbai, Bangalore, Beijing, Seoul, Riga, and Tallinn. The company has a legacy of invention, and its fundamental contributions in the areas of computer security and digital trust are globally recognized. Intertrust holds hundreds of patents that are key to Internet security, trust, and privacy management components of operating systems, trusted mobile code and networked operating environments, web services, and cloud computing.