The majority of mobile banking apps are vulnerable to threats, according to a new report from Positive Technologies. What’s more, most of the vulnerabilities are on the server side, not the client side.
Testing mobile banking apps for an “acceptable” level of security, the company found that the greatest threat on the client side is unauthorised data access, with 43 percent of apps storing valuable data on the device itself, in cleartext.
Vulnerabilities in most mobile banking apps (76 percent) can also be exploited without physically accessing the device, and more than a third of these flaws can be exploited even without admin privileges, the report states.
iOS seems to be faring better than Android, given that none of the iOS banking apps tested have flaws worse than “medium” severity, while almost a third (29 percent) of Android apps have high-risk flaws. This, the report argues, is due to the fact that Android developers have “more freedom of implementation”.
When it comes to the server side, each mobile bank has 23 vulnerabilities on average. Almost half of these (43 percent) are found in business logic, where exploitation can result in “significant losses and legal complications.”
“We urge that banks do a better job of emphasising application security throughout both design and development. Source code is rife with issues, making it vital to revisit development approaches by implementing SSDL practices and ensuring security at all stages of the application lifecycle,” said Olga Zinenko, Analyst at Positive Technologies.