Threat of the Week: Mobile Banking App Flaws
The headlines screamed: “Major security flaws found in 90% of Top Mobile Banking Apps.”
Major news outlets and banking and tech publications have in recent weeks covered multiple devastating reports alleging substantial security flaws in most mobile banking apps.
Both major platforms - Apple (iOS) and Android - were said to be riddled with flaws. While Apple might presently be a bit safer, the reports insisted there has lately been an avalanche of security issues on the iOS platform.
The frequently quoted report from security firm Praetorian bluntly stated: eight of 10 mobile banking apps contain security weaknesses.
The news gets worse.
“We found more weaknesses in mobile banking apps at credit unions,” said Josh Abraham, director of services at Praetorian. “They rely more on third party developers than mega banks; perhaps that is the reason.”
Understand this: the third party developers contacted by Credit Union Times for this story who provided interviews are adamant that the reports are hooey, and that their own apps are safe. Their responses follow later in the story. Digital Insight was the only large apps developer that declined to make an executive available for an interview.
For now, however, feast on the alleged flaws.
At IOActive Labs Research, Ariel Sanchez said he had sifted through 40 iPhone and iPad mobile banking apps from 60 of the top financial institutions around the world.
He added: “40% of the audited apps did not validate the authenticity of SSL certificates presented. This makes them susceptible to Man in The Middle (MiTM) attacks.”
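The weakness Sanchez describes is a client that accepts whatever certificate the server presents. The following Python block is an added illustration, not code from IOActive or from any of the apps audited; it puts the weak TLS client configuration beside a corrected one, adds a small audit function that reports what a reviewer would flag, and shows certificate pinning, which goes a step further than chain validation. The certificate bytes and fingerprint are constructed placeholders, not values from any real bank.

```python
import hashlib
import ssl

# Constructed placeholder standing in for the DER-encoded server certificate an
# app would be built with. A real app would embed the fingerprint of its bank's
# actual certificate (or public key) at build time.
PINNED_DER = b"constructed-placeholder-certificate-bytes"
PINNED_SHA256 = hashlib.sha256(PINNED_DER).hexdigest()


def insecure_client_context() -> ssl.SSLContext:
    """The weak configuration: the client performs no chain validation and no
    hostname check, so anyone on the network path can present their own
    certificate and read or alter the banking session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode is changed
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate, signed by anyone
    return ctx


def secure_client_context() -> ssl.SSLContext:
    """The corrected configuration: the chain is validated against the trusted
    root store, the certificate's name must match the host being dialled, and
    legacy protocol versions are refused."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the weaknesses a reviewer would flag in a client TLS context.
    An empty list means the context validates the peer as it should."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate chain not validated (verify_mode=CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("certificate name not checked against the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


def matches_pin(der_cert: bytes, expected_sha256: str) -> bool:
    """Certificate pinning: in addition to chain validation, accept only the
    certificate whose SHA-256 fingerprint the app shipped with, so a
    certificate mis-issued by an otherwise trusted CA is still rejected."""
    return hashlib.sha256(der_cert).hexdigest() == expected_sha256


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("secure", secure_client_context())):
        print(name, audit_context(ctx) or ["no findings"])
    print("pin matches:", matches_pin(PINNED_DER, PINNED_SHA256))
```

Pinning has an operational cost the audit function does not capture: the pinned value must be rotated before the server certificate expires, or the app locks itself out. That is one reason many apps pin the public key rather than the full certificate, so renewals that keep the same key pair do not break the client.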
IOActive declined a reporter’s request to be interviewed for this story.
“We are not promoting the story further than what is already published on the blog,” said Craig Brophy, global public relations manager.
Another set of worries came from a report by security firm Arxan. Surveying the top 100 paid apps for Android and iOS along with the top 15 free apps on each platform, it found that 100% of the top paid Android apps and 56% of the top paid iOS apps had counterfeit versions circulating in gray markets.
The problem: a counterfeit mobile banking app could easily include dangerous code that hands a criminal the user's login credentials, among other useful tidbits.
Arxan stressed that it is seeing much more hacker interest in iOS apps and that Apple can no longer be considered a safer harbor.
In an interview, Arxan chief technology officer Kevin Morgan nonetheless acknowledged that, in his opinion, “no question, mobile banking app security is improving.”
But he also said that the incidence of counterfeit apps – where variants may contain toxic malware – is on the rise and many institutions have slender defenses against counterfeits.
Of course the easiest defense is for users to download apps only from the official Apple App Store or, for Android, Google Play or the Amazon Appstore. But many users are tempted to download elsewhere, and when they do, their potential exposure to rogue counterfeits explodes.
Arxan sells counterfeit detection tools and its testimony has to be filtered through that lens. But the company is adamant: the incidence of counterfeit apps is on the rise as criminals realize it is a comparatively easy way to get a malware payload into the hands of gullible users.
At Praetorian, tests were specifically run on mobile banking apps at the 50 largest credit unions, along with apps from money center and regional banks.
Tests discovered that “8 out of 10 mobile banking applications contain build and configuration setting weaknesses.”
None of the flaws fingered by Praetorian appear to be grave threats to users’ financial health. But that does not change the conclusion that almost all mobile banking apps suffer from structural sloppiness that, suggested Praetorian in an interview, probably stems from the app being rushed to market some time ago, with insufficient attention to security. And, since then, no one has bothered to clean up the apps.
Add up those three reports and the evidence is devastating. But there is another side to this story.
Doug Brown, a senior vice president and general manager of mobile at FIS, which may be the largest provider of third party apps to financial institutions since it acquired mFoundry early in 2013, acknowledged that there has been a dramatic increase in criminal interest in the mobile banking channel.
“That has grown as the channel has grown,” said Brown, who expects mobile to eclipse online banking in volume this year.
The criminal interest follows accordingly.
But, insisted Brown, there are no known vulnerabilities or flaws in FIS’s mobile banking apps and, he said, FIS would know because it continually submits apps to third party testing firms for validation.
The instruction to those firms is simple: Find flaws, exploit them.
Brown does not claim the firms never find flaws, but when they do, the flaws are patched before the apps reach end users’ hands.
He specifically said, regarding the allegation of epidemic flaws in iOS apps, “None of the vulnerabilities associated with iOS apply to FIS apps. We have reviewed this in detail. We have a set process. We do multiple certifications, and we make reports available to our clients.”
Brown added that his advice is: don’t take the salesman’s word.
“Validate what your third party apps developer is saying. Ask to see the testing reports. Whenever we are asked, we provide them to clients,” he said.
At Malauzai, a smaller mobile banking apps developer in Austin, Texas, chief technology officer Robb Gaynor said something similar in an interview: “we get independent verification of our software from third parties. We have to prove to our customers that our apps are secure.”
He added, “One breach and we could be out of business. Everybody at Malauzai knows that and we all work to prevent that happening.”
Malauzai’s chief technology officer Danny Piangerelli added that he had been over the many reports in detail and, he said, that most of the flaws pointed to in the reports had been known to apps developers for some time and fixes had been found.
He stressed that in Malauzai’s app, “we keep sensitive data off the device wherever possible anyway. What data does stay on the device is encrypted.”
Added Gaynor: “We know of no breaches involving our apps. None. But we also know that diligence has to be our watchword.”
At Fiserv, which said it has 1400 mobile banking clients, solidly placing it among the leading providers, senior vice president Jim Tobin said “we do not make compromises on security - that is core to how we do business. We take a multi-layer approach, we want to find issues before the bad guys do. Knock on wood. We have found issues but we find them before the bad guys do.”
Tobin stressed the importance of the fight.
“In much of the world, mobile is the Internet,” and, he said, “security is not one and done. It takes constant vigilance. The good guys have the odds in their favor. The smart money has come into mobile security.”
From his perch as president of Appthority, a risk analysis firm, Domingo Guerra broadly summed up his perspective on mobile banking apps.
“We have seen improvement over time in mobile app security. Just in the last 18 months we have seen a lot of improvement,” he said.
He added: “Many mobile bank apps started as marketing tools – find an ATM, that sort of function. As the apps started to do more money transfers, security got more involved. Financial institutions really began to invest in app security and you see it.”