The Bethesda, Md.-based application protection provider Arxan Technologies’ latest report found mobile banking and payment apps are susceptible to code tampering and reverse engineering. It also found Android apps to be more secure than iOS apps.

Arxan’s “2016 State of Application Security Report,” released Tuesday, also found financial services organizations are among the top targets for hackers seeking high-value payment data, intellectual property and other sensitive information.

“The two areas where the risks are the greatest are the lack of binary protection and dealing with the transport of the application between the mobile app and the backend server,” Patrick Kehoe, chief marketing officer for Arxan, told CU Times. “What we are finding is that many organizations are lagging in terms of addressing some of the new risks unique to the mobile environment.”

The report revealed all of the top mobile banking and payment apps tested held at least one “Open Web Application Security Project Mobile Top 10 Risk.” In addition, all the mobile banking and payments apps tested were susceptible to code tampering and reverse engineering.

In addition, 50% of the Android mobile finance apps tested carried at least three OWASP Mobile Top 10 Risks, whereas all of the iOS apps tested had at least three top risks.

Organizations often use mobile apps to make their customers stick, but tend to overlook critical security measures as they rush to bring new apps to market, Kehoe explained.

“Baking in robust mobile app security is not only a smart technology investment to keep the bad guys out, but also a smart business investment to help organizations differentiate from the competition and to achieve customer loyalty based on trust,” he said.

According to the research, employee, customer and soft IP data are the top three targets for cyber-attacks in the financial services market.

“Given that the vast majority of cyber-attacks are happening at the application layer, one would think that robust application security would be a fundamental security measure being aggressively implemented and increasingly required by regulators, particularly given the financial services industry’s rapid advancement toward mobile and IoT,” the report stated.

The report also found most consumers would change providers if they knew their apps were not secure. Eighty percent of mobile app users said they would change providers if they knew the apps they were using were not secure, and what’s more, 82% would change providers if they knew alternative apps offered by similar service providers were more secure.

Despite spending an average of $34 million on mobile app development, half of the companies surveyed devoted zero dollars to making sure their apps meet OWASP Mobile Top 10 Risks industry security standards, according to the research.

“In financial services, and other industries, it has been about speed to market. Developers are under a lot of pressure to pump out these apps,” Stephen McCarney, vice president of marketing for Arxan Technologies, said.

Kehoe recommended financial services organizations harden applications so they are not susceptible to reverse engineering, build run time protections into applications (particularly mobile apps) to thwart tampering and malware attacks, and protect cryptographic keys so they are not visible statically (i.e., while residing on a device) or at run time in memory.

“Hardening and run-time protection can be achieved with no impact to your source code, via an automated insertion of ‘guards’ into the binary code,” Kehoe said.

Arxan commissioned a third-party, independent research organization in November 2015 to conduct the electronic survey with the following 1,083 individuals in the U.S., the U.K., Germany and Japan: 815 consumers who use mobile health and mobile finance apps, and 268 IT decision makers within organizations that produce mobile health and mobile finance apps.
