Increased attention on cybersecurity risks and tightened regulations have not translated into secure mobile finance apps, with 77% of them having at least one serious vulnerability that could lead to a breach of data, reveals a new report.
“The assessment uncovered serious security gaps in mobile finance apps across the board and in every region,” reads the 2021 State of Mobile Finance App Security Report published by Silicon Valley-based Intertrust, which provides trusted computing products and services to leading global corporations.
The Intertrust team, led by CEO Talal Shamoon, analyzed 160 publicly available mobile finance applications split evenly between iOS and Android from four major categories, namely banking, mobile payment, investment/trading, and lending.
The apps investigated originated in the United States, the United Kingdom, the European Union region, Southeast Asia, and India.
“Every app tested had at least one basic security issue. Diving in deeper, 88% had cryptographic issues, 81% can leak data, and 77% contained flaws that present high-level risks to finance organizations and their customers,” the report says.
Security lagging behind
Driven by the coronavirus pandemic, time spent in finance apps jumped by 45% last year, activity in investment apps increased by 88%, and mobile wallet point-of-sale transactions picked up by 19.5%, helped by higher limits for contactless payments.
The findings of the Intertrust study suggest that while the pandemic accelerated the world’s shift to digital financial channels and innovative technologies such as mobile contactless payments, mobile financial application security is not keeping up.
“As mobile finance apps increasingly enter people’s everyday lives, it’s vital to understand the security risks associated with these apps and the ways to help mitigate them,” said David Maher, chief technology officer and executive vice president at Intertrust.
Poor financial app security puts financial organizations and their customers at risk, especially considering the rise in cyberattacks over the course of COVID-19, he added.
In mid-2020, the FBI issued an alert about an increase in attacks on mobile finance applications, including banking trojans and fake/cloned banking apps.
“The number of new mobile banking trojans more than doubled over the previous year, incorporating new techniques to inflict maximum damage,” Intertrust wrote, citing the findings of Kaspersky Labs.
The report highlights that malware targeting mobile finance applications remains one of the fastest growing and rapidly-evolving cyber threats. In 2020, 156,710 new mobile banking trojans were detected, more than doubling over 2019.
“Mobile finance threats also continue to grow more sophisticated, incorporating new techniques to steal data while avoiding detection by security tools,” warns Intertrust, a pioneer in digital rights management (DRM) technology.
App security by OS
According to the 2021 State of Mobile Finance App Security Report, both iOS and Android rank in the top ten most vulnerable operating systems for total number of distinct vulnerabilities.
“In our testing, Android apps had far more issues than iOS apps. On a per app basis, nearly every Android finance app (97.5%) had more than five security flaws compared to around 30% of iOS apps. When looking at severity level, however, the gap narrows. Approximately 84% of Android finance apps contained at least one critical or high severity vulnerability versus 70% of iOS apps.”
App security by region
Intertrust found considerable variations between geographies in app security levels. Its analysis shows that UK finance apps contained far fewer security issues than apps from other regions—only 7% had more than 10 vulnerabilities compared to 38% of apps in India and Southeast Asia, 29% of apps from the EU, and 19% of U.S. finance apps.
Apps from the UK also contained the lowest number of critical vulnerabilities compared to other regions, while apps in Southeast Asia and India performed the weakest in terms of security.
“The results suggest that the strict financial services security and data privacy regulations in the UK and EU strongly impact financial app security. Beyond the requirements themselves, which generally provide a minimum baseline, such regulations encourage app developers to understand security considerations and take app defense more seriously,” the report noted.
App security by financial app type
According to Intertrust, banking apps proved markedly more vulnerable both in terms of total number of issues and severity—35% had more than 10 vulnerabilities and 81% had at least one critical or high severity issue.
Payment apps fared just slightly better at 29% and 75%, respectively. Lending apps claimed the most secure spot, “possibly because of their more limited functionality”.
Boosting finance app security
Intertrust argues that the rapidly evolving threat landscape makes it crucial for financial institutions to prioritize their mobile application security. Once health and safety concerns abate, security breaches may push customers to other providers or lead them to abandon these channels altogether.
Its recommended improvements include following basic secure app design practices; testing regularly and adopting a DevSecOps framework so that security is part of the development lifecycle; staying on top of the latest regulatory changes and security compliance requirements, such as GDPR and PCI-DSS; boosting security with in-app protection; and protecting cryptographic keys.
“Proper risk-assessment requires that you be aware of your user’s security status as well as your own,” the report added.
Disclaimer: This article mentions a client of an Espacio portfolio company.