Vulnerabilities in financial apps expose sensitive data and source code

• Aite Group tested 30 Android financial apps that are available for download in the Google Play store and found several vulnerabilities in the apps.
• These vulnerabilities could expose source code, sensitive data, access to other apps via APIs, and more.

What is the issue - Aite Group tested 30 Android financial apps that are available for download in the Google Play store and found several vulnerabilities in the apps.

The vulnerabilities include a lack of binary protections, insecure data storage, unintended data leakage, weak encryption, and insecure random-number generation.

Why it matters - These vulnerabilities could expose source code, sensitive data, access to other apps via APIs, and more.

More details on the analysis

• Lack of binary protection - Of the 30 apps that were tested, almost 97% of the apps were found to lack binary code protections, allowing reverse engineering or decompilation of the apps thereby exposing source code to analysis and tampering.

• Unintended data leakage - Among the tested apps, 90% of the apps exposed data from the financial app to other apps on the device.

• Insecure data storage - 83% of the apps tested insecurely stored data externally in a device’s local files system and shared access to the stored data with other apps on the device via APIs.

• Weak encryption - 80% of the apps that were tested could allow attackers to decrypt sensitive data and steal them due to the implementation of weak encryption algorithms.

• Insecure random-number generation - 70% of the apps used an insecure random-number generator that allows the values to be easily cracked by adversaries.

Why it matters?

“There's clearly a systemic issue here – it's not just one company, it's 30 companies and it's across multiple financial services verticals,” Alissa Knight, cybersecurity analyst at Aite Group and the researcher behind the study told ZDNet.

“API keys are basically that private password you don't want to get out. What was a systemic finding across multiple financial services mobile apps was that these private API keys were being found in the code. It's almost as if the developers who wrote the code didn't realise that it's possible to actually browse the directory structure of this mobile app and pull these files out, pull the keys out of subdirectories,” Knight added.