That more than three-fourths (76 percent) of mobile banking vulnerabilities can be exploited without physical access to the device is just one of numerous sobering findings in a report Positive Technologies released today.
The research, which began in 2019, did not name the banks or the apps that have been downloaded more than 500,000 times each from Google Play and Apple’s App Store.
Among the conclusions of Positive Technologies’ research, which studied both clients and servers:
• 100 percent of mobile banking clients contain code vulnerabilities due to a lack of obfuscation.
• None of the tested mobile banking applications has an acceptable level of protection.
• With almost all the tested applications, attackers can access user data.
• In 13 out of 14 applications, attackers can access user data from the client side.
• Half of the 14 banking apps studied are vulnerable to fraud and theft of funds.
• Hackers were able to steal user credentials from five of seven banks.
• At one third of the banks, card information is at risk.
• On average, each mobile bank has 23 server-side vulnerabilities.
• 43 percent of applications store important user data on the phone in clear text.
Generally, iOS apps fared better than Android apps, with no Apple app rating a vulnerability “worse than medium,” but they were still deficient. By contrast, Android banking apps contained “high-risk” vulnerabilities.
Positive Technologies stated that the reason 100 percent of banking clients contain code vulnerabilities is that they do not protect against code injection and repackaging, and that the code retains the names of classes and methods.
The report noted that all attackers need to do to exploit code vulnerabilities is download the application from Google Play or the App Store and then decompile it.
Lack of obfuscation allows attackers to find important data such as:
• Testing-related usernames and passwords
• Encryption keys and parameters from which keys can be derived
• Salts for hashing and encryption
Attackers can then use this information to obtain credentials and access web servers.
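The kind of check a bank's own security team would run on a release build to catch what the preceding paragraphs describe, as an added example that is not code from Positive Technologies, the report, or any of the studied apps: it scans strings pulled from an unobfuscated build (as `strings` or a decompiler would emit them) for test credentials, embedded key material and hashing salts. The sample lines, class names, variable names and values are all constructed for the illustration.

```python
"""Scan strings from a decompiled mobile app build for the secrets an
unobfuscated client exposes: test credentials, encryption keys or
key-derivation parameters, and hashing salts.

Added example; the input lines below are constructed, not taken from
any real app.
"""
import math
import re
from collections import Counter

# A string assignment such as  NAME = "value"  or  name: "value".
ASSIGNMENT = re.compile(
    r"(?P<name>[A-Za-z_][A-Za-z0-9_.]*)\s*[=:]\s*[\"'](?P<value>[^\"']{4,})[\"']"
)
# Identifier fragments that usually mark a secret-bearing variable.
KEYWORDS = {
    "credential": re.compile(r"(pass(word|wd)?|pwd|login|user(name)?)", re.I),
    "key": re.compile(r"(api[_-]?key|secret|private[_-]?key|aes|hmac|iv\b|token)", re.I),
    "salt": re.compile(r"salt", re.I),
}
# Markers that a credential belongs to a test or staging environment.
TEST_MARKERS = re.compile(r"(test|qa|stag(e|ing)|dev|debug|sandbox)", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character; random key material scores high (above ~3.5)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_key_material(value: str) -> bool:
    """True for hex or base64 blobs of key-like length and high entropy."""
    if re.fullmatch(r"[0-9a-fA-F]{32,}", value):
        return True
    if re.fullmatch(r"[A-Za-z0-9+/]{24,}={0,2}", value) and shannon_entropy(value) > 3.5:
        return True
    return False


def classify(name: str, value: str):
    """Return the finding category for one assignment, or None if benign."""
    if KEYWORDS["salt"].search(name):
        return "hardcoded-salt"
    if KEYWORDS["key"].search(name) or looks_like_key_material(value):
        return "hardcoded-key"
    if KEYWORDS["credential"].search(name):
        if TEST_MARKERS.search(name + value):
            return "test-credential"
        return "hardcoded-credential"
    return None


def scan(lines):
    """Return (line_no, category, name, value) for each suspicious assignment."""
    findings = []
    for no, line in enumerate(lines, 1):
        for m in ASSIGNMENT.finditer(line):
            cat = classify(m.group("name"), m.group("value"))
            if cat:
                findings.append((no, cat, m.group("name"), m.group("value")))
    return findings


# Constructed sample of what a decompiled, unobfuscated client might contain.
SAMPLE = [
    'public class LoginActivity {',
    '    static final String TEST_USER = "qa_tester";',
    '    static final String TEST_PASS = "Summer2019!";',
    '    private static final String AES_KEY = "7f3a9c1e5b2d4a6f8e0c1b3d5f7a9c2e";',
    '    private static final String PBKDF2_SALT = "bankapp-static-salt";',
    '    private static final String WELCOME = "Welcome back";',
    '    String endpoint = "https://api.example.invalid/v1";',
    '}',
]

if __name__ == "__main__":
    for no, cat, name, value in scan(SAMPLE):
        print(f"line {no}: {cat}: {name} = {value!r}")
```

Running the block against the constructed sample flags the two test credentials, the AES key and the static salt and ignores the UI string and the endpoint URL. In a real pipeline the input would be the string table of the release APK or IPA, and any hit is a build-breaking finding: the remedy is to move the value out of the client entirely, since obfuscation only raises the cost of finding it.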
Positive Technologies noted that 67 percent of attacks against individuals in Q4 2019 involved social engineering.
To exploit client-side vulnerabilities, all an attacker would need to do is convince the victim to install a malicious app, perhaps with the help of phishing.
Banking apps’ screenshots – present in 11 of 14 mobile banks – pose another major vulnerability in that they can contain sensitive data, such as card information and account balances. The client-side file system of almost half of the applications contains unencrypted sensitive information. To access this data, attackers need root or jailbreak rights to the device, often gained remotely by means of malware. In 87 percent of cases, user interaction is required for a vulnerability to be exploited.
Positive Technologies found that only one banking app contained an SSL certificate, making the rest of them vulnerable.