Mobile finance app security report: 84% Android & 70% iOS fintech apps have at least one critical vulnerability
It's time to embrace in-app security. A study of over 150 mobile finance apps reveals a high level of security vulnerabilities across both iOS and Android, highlighting the importance of in-app security.
Many called 2020 the year of fintech apps. The 2020 fintech market saw the proliferation of apps such as Nubank, MoneyLion, Revolut, N26, and Planto, which boast user-friendliness and ease of use.
The number of user sessions in finance apps increased by up to 49% over the first half of 2020. Over the same period, cyberattacks against financial institutions went up by 118%, according to VMware.
This means fintech user data has become that much more vulnerable. As the convenience and accessibility of financial apps increase, so do the risks from banking trojans, hacks, and data breaches. Data breaches have been piling up since last year, and finance apps are the most vulnerable. Recently, a third-party data breach exposed the personal information of over 7.5 million users of a banking app.
To discover the biggest threats and security gaps, David Maher, CTO and EVP at Intertrust, along with his team, analyzed more than 150 of the top financial apps worldwide. The results were just released in the 2021 State of Mobile Finance App Security Report, and the findings are startling.
According to the results, every app had at least one security flaw, with banking apps containing more vulnerabilities than any other type of finance app. The report also states that 81% of finance apps leak data, while 49% of payment apps are vulnerable to encryption key extraction. 84% of Android apps and 70% of iOS apps have at least one critical or high severity vulnerability.
These security vulnerabilities were found across both iOS and Android, highlighting the importance of in-app security. In fact, the report states that almost three-fourths of high-level threats could have been mitigated using in-app protection.
“As mobile finance apps increasingly enter people’s everyday lives, it’s vital to understand the security risks associated with these apps and the ways to help mitigate them,” said Maher.
“Poor financial app security puts both financial organizations and their customers at risk, especially given the rise in cyberattacks over the course of the pandemic. This report shines a light on the ongoing threats and helps finance app vendors understand the importance of building in security mechanisms from day one,” he added.
Intertrust is a digital rights management (DRM) technology pioneer and a leading provider of application security solutions. The company holds hundreds of patents that are key to Internet security, trust, and privacy management components of operating systems, trusted mobile code and networked operating environments, web services, and cloud computing.
Intertrust provides computing products and services to leading global corporations, from mobile, consumer electronics, and IoT manufacturers, to service providers and enterprise software platform companies. These products include the world’s leading DRM, software tamper resistance, and technologies to enable private data exchanges for various verticals including energy, entertainment, retail/marketing, automotive, fintech, and IoT.
iOS or Android In-app Security is a Must
The findings from the report clearly point to the fact that whether users are accessing fintech apps on iOS or Android, in-app security is an absolute must.
The analysis covered more than 150 mobile finance applications, split evenly between iOS and Android, and includes insights from four major financial sectors: payments, banking, investment/trading, and lending.
The apps investigated originated in the US, the UK, the EU, Southeast Asia, and India. They were analyzed using an array of static application security testing (SAST) and dynamic application security testing (DAST) techniques based on the OWASP (Open Web Application Security Project) mobile app security guidelines.
COVID-19 Has Sped Up Fintech but Security Lags Behind
The COVID-19 pandemic has driven digitization at breakneck speed. Millions of people have become fintech users almost overnight. According to Adjust, fintech app installs grew 51% from 2019 to 2020, and Q1 2021 installs are already up 12% YoY. Growth has been especially strong for investing and stock-related app searches, which surged 115% YoY, while crypto app downloads grew 81% YoY. Fintech sessions have also been surging, up 85% YoY, and 2021 has already seen them rise a further 35%.
While fintech apps have been enjoying this growth, has their security kept up? The Intertrust study's findings clearly suggest not.
The findings reveal that while the pandemic has sped up the world’s shift to digital financial channels and innovative technologies like mobile contactless payments, mobile financial application security has not been keeping up.
The study points out that cryptographic issues pose one of the most pervasive and serious threats, with 88% of analyzed apps failing one or more cryptographic tests. This means the encryption used in these financial apps can be easily broken by cybercriminals, potentially exposing confidential payment and customer data, and putting the application code at risk for analysis and tampering. A chilling thought.
Time to Protect the Apps
Looking at the findings revealed by this report, fintech apps are sitting ducks for cybercriminals. Data breaches cause financial losses and considerable distress to organizations and users alike.
It's high time financial organizations started protecting user data through in-app security. As the report says, nearly three-quarters of high severity threats could have been mitigated using application protection technologies such as code obfuscation, tampering detection, and white-box cryptography.
Disclosure: This article mentions a client of an Espacio portfolio company.