Mobile Commerce Apps Fail Security Tests
One in four mobile banking and financial transaction apps examined by digital forensics and security firm Via Forensics failed fundamental security tests, the company said.
The Oak Park, Ill., company tested dozens of apps and found numerous glaring problems, such as banking passwords that proved easy to find on a mobile device. User names also were easy to find on some phones, the company said.
Final results showed 44% of the tested apps passed, 31% received a “warning” (some data were leaked but the risks were not deemed to be grave), and 25% failed.
Among the apps that failed, the company said, were Groupon (Android version), Mint (Android, iPhone), Netflix (Android) and the Starbucks card (Android).
For example, the Starbucks card failed because it insecurely stored the user’s credit card number, Via Forensics said, and Groupon failed for the same reason. The Starbucks card is an unofficial one; Via Forensics specifically noted, "Via Forensics does not claim Starbucks is responsible for the quality or problems with this mobile application."
Personal financial planning app Mint failed, said Via Forensics, because the app retained the user name; because the PIN, if one is set to protect data, is stored unencrypted; and because the app retained account info, transactions, balances and alerts.
Among the apps that got warnings were Amazon Mobile (iPhone, Android), Best Buy (iPhone, Android), eBay (Android, iPhone) and PayPal (iPhone only; the Android app passed).
No credit union mobile apps showed up on the list.
Banks with rated apps include Bank of America (pass), Chase (warning for iPhone, pass for Android), CitiBank (pass), USAA (pass) and Wells Fargo (pass).