The security of mobile banking apps has improved over the last two years but there’s still scope for improvement.
Ariel Sanchez, security consultant for IOActive, has revisited research into the topic first conducted two years ago to see if there’s been any improvement.
Although security has increased over the two years, many apps still remain vulnerable.
As before, the research covered 40 mobile banking apps for iOS in use around the world. Sanchez confined himself to looking for client side security weaknesses or vulnerabilities and didn’t include any server-side testing.
His testing methodology is explained in much more detail in a blog post here. IOActive does not name the apps or the banks who released the apps it tested.
The testing also covered binary and file system analysis. This phase of the audit revealed that 15 per cent of the apps store unencrypted sensitive information, such as details about customers’ banking accounts and transaction history, in the file system via SQLite databases or other plaintext files.
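The file-system phase described above (looking for sensitive data sitting unencrypted in SQLite databases or plaintext files inside an app's sandbox) can be approximated with a small audit script. The following is an added example, not IOActive's or Sanchez's tooling; it assumes the app sandbox has already been extracted to a local directory, builds a constructed sample sandbox for the demo, and uses placeholder regexes (hypothetical, and deliberately loose) for what counts as "sensitive".

```python
import os
import re
import sqlite3
import tempfile

# SQLite files start with this 16-byte header, which is a more reliable
# signal than the file extension (apps often use .db, .sqlite, or nothing).
SQLITE_MAGIC = b"SQLite format 3\x00"

# Placeholder patterns (assumption): a real audit tunes these to the bank's
# own account-number format, card PAN rules, tokens, etc.
SENSITIVE_PATTERNS = {
    "account_number": re.compile(rb"\b\d{10,16}\b"),
    "email": re.compile(rb"[\w.+-]+@[\w-]+\.[\w.]+"),
}


def is_sqlite(path):
    """True if the file carries the SQLite header."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC


def scan_sqlite(path):
    """Return sorted (table, column, pattern_name) triples for text cells
    that match a sensitive pattern. Integer/blob cells are skipped."""
    hits = set()
    conn = sqlite3.connect(path)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cur = conn.execute(f'SELECT * FROM "{table}"')
            cols = [d[0] for d in cur.description]
            for row in cur:
                for col, val in zip(cols, row):
                    if not isinstance(val, str):
                        continue
                    for name, pat in SENSITIVE_PATTERNS.items():
                        if pat.search(val.encode()):
                            hits.add((table, col, name))
    finally:
        conn.close()
    return sorted(hits)


def scan_plaintext(path):
    """Return the sorted names of patterns found anywhere in a non-SQLite file."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted(name for name, pat in SENSITIVE_PATTERNS.items()
                  if pat.search(data))


def audit_sandbox(root):
    """Walk an extracted app sandbox and map relative paths to findings.
    Files with no matches are omitted, so an empty dict means 'clean'."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            if is_sqlite(path):
                hits = scan_sqlite(path)
                kind = "sqlite"
            else:
                hits = scan_plaintext(path)
                kind = "plaintext"
            if hits:
                findings[rel] = {"kind": kind, "hits": hits}
    return findings


def build_sample_sandbox():
    """Constructed sandbox for the demo: a transaction DB holding an account
    number in clear text, a cache log leaking an e-mail, and one benign file."""
    root = tempfile.mkdtemp(prefix="sandbox_")
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "Library", "Caches"))
    db = os.path.join(root, "Documents", "accounts.db")
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE transactions (id INTEGER, account TEXT, memo TEXT)")
    conn.execute("INSERT INTO transactions VALUES (1, '1234567890123456', 'coffee')")
    conn.commit()
    conn.close()
    with open(os.path.join(root, "Library", "Caches", "session.log"), "w") as f:
        f.write("login ok for alice@example.com\n")
    with open(os.path.join(root, "Library", "Caches", "theme.txt"), "w") as f:
        f.write("dark\n")
    return root


if __name__ == "__main__":
    for rel, info in audit_sandbox(build_sample_sandbox()).items():
        print(f"{rel}: {info['kind']} -> {info['hits']}")
```

The script flags where sensitive values live, not whether the container is encrypted at rest; on iOS that second question is answered by the Data Protection class applied to the file, which is a separate check. Pattern hits are a starting point for manual review, since loose regexes will produce false positives on timestamps or identifiers.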
“Most of the apps have increased transport security of the data by properly validating SSL certificates or removing plaintext traffic,” Sanchez concluded. “This helps mitigate the risk of users being exposed to MiTM attacks.”
“Although the numbers are down overall, there are still a high number of apps storing insecure data in their file system. Many of them are still susceptible to client-side attacks,” he added.
Sanchez added that few of the apps provide alternative authentication solutions, with most relying simply on a username and password. Only 17 of the 40 apps (42.5 per cent) provided alternative authentication solutions to mitigate the risk of leaked user credentials and impersonation attacks. ®