Consumers use mobile banking apps and other mobile financial services in increasing numbers, and data suggests security plays a significant role in what apps and services consumers choose. To illuminate the present state of mobile banking app security, and help financial institutions focus their mobile security efforts, NowSecure collaborated with Accenture Consulting to study the security of mobile banking apps available on the Apple App Store and Google Play. This week we co-published a whitepaper summarizing our findings.


Download the whitepaper “Mobile Banking Applications: Security Challenges for Banks.”


Consumers care about mobile banking app security

Each year since 2011, the Federal Reserve Board has surveyed consumers about their use of mobile financial services. Forty-three percent of those surveyed in 2015 used mobile banking and 24 percent used mobile payments. Seventy-three percent of respondents cited security concerns as a reason why they didn’t use mobile banking. Sixty-seven percent said security concerns affected their decision not to use mobile payments.

When respondents were asked about specific security issues having to do with mobile banking, only 7.7 percent had no concerns or thought mobile financial services were safe. A quarter of respondents said that someone intercepting their data caused them the most concern.

[Figure: Question from the Federal Reserve Consumers and Mobile Financial Services November 2015 survey questionnaire]

 

How we assessed the security of mobile banking apps

For the purposes of this study, we performed security assessments on mobile banking apps available from the Apple App Store and Google Play. We selected mobile financial services apps from 15 financial institutions and tested both Android and iOS versions of those apps, resulting in a total sample of 30 apps.

To execute the vulnerability assessments, we used our automated mobile app security testing solution. The assessments subjected apps to an array of static, dynamic, and interactive app security testing (SAST, DAST, and IAST). These checks evaluated both Android and iOS apps’ code, network traffic, permissions, and inter-process communications.

Mobile banking app security assessment results and highlights

We found at least one security issue in every app in the sample; however, not all of those security issues are considered high risk.

Some notable findings from the whitepaper include:

  • 73 percent of Android banking apps had improper SecureRandom implementations (medium severity)
    This was the most common finding in the sample of Android banking apps. A SecureRandom vulnerability is considered medium risk based on a CVSS score of 5.5. For apps that process sensitive and/or monetary transactions, improper SecureRandom implementation should potentially be considered high risk. The SecureRandom class plays a part in key generation, key signing, and random number generation on Android devices. Apps found vulnerable to this check used a static value to generate the SecureRandom variable, which can lead to cryptographically weak values.
  • 80 percent of iOS banking apps transmitted TLS traffic that included sensitive data (low severity)
    This was the most common finding in the sample of iOS banking apps. Sensitive data found in TLS traffic is considered low risk based on a CVSS score of 1.6. For this check, we bypass an app’s certificate validation or pinning to proxy TLS traffic and look for sensitive data. Sensitive data might include username, password, GPS coordinates, and more. Apps that properly implement certificate validation or pinning remediate this risk, but a good practice is to both avoid sending sensitive data over TLS and use certificate validation or pinning.
  • 40 percent of security findings in mobile banking apps involved insecure communications
    The NowSecure Lab Automated solution maps security findings back to the OWASP Top Ten Mobile Risks. Approximately 40 percent of the issues identified in the mobile banking apps we tested mapped to the OWASP M3-Insecure Communication item. A few examples of other security findings identified in the sample that relate to insecure communications include: disabling the “httponly” flag for cookies in iOS, disabling the “secure” flag for cookies in iOS, and improper certificate validation and hostname verification.
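
To make the SecureRandom finding above concrete, here is an added example (not code from the whitepaper or from any tested app) that contrasts a statically seeded generator with the default one on a standard JVM. It assumes the static value is passed to `setSeed()` on a `SHA1PRNG` instance before first use; the class name, seed string, and 16-byte key length are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class StaticSeedDemo {

    // Constructed sample value standing in for a seed hardcoded in an app.
    private static final byte[] STATIC_SEED =
            "hardcoded-seed-0001".getBytes(StandardCharsets.UTF_8);

    // Weak pattern: setSeed() is called before any output is requested, so
    // the SHA1PRNG never self-seeds from the OS and its output depends only
    // on the static seed.
    static byte[] weakKey() throws NoSuchAlgorithmException {
        SecureRandom rng = SecureRandom.getInstance("SHA1PRNG");
        rng.setSeed(STATIC_SEED);
        byte[] key = new byte[16];
        rng.nextBytes(key);
        return key;
    }

    // Corrected pattern: default constructor, no application-supplied seed,
    // so the platform's entropy source seeds the generator.
    static byte[] strongKey() {
        byte[] key = new byte[16];
        new SecureRandom().nextBytes(key);
        return key;
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        byte[] w1 = weakKey(), w2 = weakKey();
        byte[] s1 = strongKey(), s2 = strongKey();
        System.out.println("static seed:  " + hex(w1) + " / " + hex(w2));
        System.out.println("default seed: " + hex(s1) + " / " + hex(s2));
        System.out.println("static-seed keys identical:  " + Arrays.equals(w1, w2));
        System.out.println("default-seed keys identical: " + Arrays.equals(s1, s2));
    }
}
```

In a code review, the thing to flag is any constant, literal, or otherwise predictable value reaching a `SecureRandom` constructor or `setSeed()` call before the generator is first used.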

Download and read the “Mobile Banking Applications: Security Challenges for Banks” whitepaper to review the results of the study in full and learn tips for how to counter threats to mobile banking apps.


Want to know what to watch out for in securing mobile banking apps? Register for our webinar on Tuesday, May 2: “Delivering Secure Mobile Financial Services (MFS): ‘Frictionless’ vs. Diligence” (also available on demand after that date).


Sam Bakken


Former Mobile App Security Testing Evangelist

During his time at NowSecure Sam advocated for keeping mobile devices, apps, and users secure through mobile app security testing.