Banks scramble to fix mobile app security flaws


Several major financial services firms, including Bank of America, Wells Fargo and PayPal, have rushed to fix security flaws in their iPhone and Android apps identified by viaForensics.

The mobile security specialist says its appWatchdog findings show flaws in apps from Bank of America, Chase, TD Ameritrade, USAA, Wells Fargo and PayPal. The only tested company with a clean bill of health was Vanguard.

The apps have been storing users' information in the memory of their phones, which means criminals could glean valuable data if they stole the handset or lured victims to malicious sites.

According to the Wall Street Journal, Wells Fargo has updated its Android app after it was revealed that the previous version stored the account holder's username and password on the phone in plain text.

Meanwhile, Bank of America's Android app saves the answer to a security question in plain text on the handset. The firm told the WSJ that the issue does not pose a threat to customers but it is still being fixed.
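The "plain text on the phone" findings described above are the kind of thing a tester verifies by logging in to a test account with known values and then inspecting what the app left behind in its private storage. The Python script below is an added example written for this page, not code from viaForensics, appWatchdog or any of the banks named; it builds a constructed Android-style data directory (a SharedPreferences XML file and a SQLite cache) with made-up credentials, then reports every file and location that still holds the known username, password or security-question answer.

```python
"""Audit an app's extracted data directory for plaintext credentials.

Assumed scenario (constructed for this example): a tester logged in to a
test account whose username, password and security answer are known, then
pulled the app's private data directory off the device. Any file that
still contains one of those values is a finding.
"""
import os
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Constructed test-account values; none of these are real credentials.
SAMPLE_SECRETS = {
    "username": "testuser01",
    "password": "CorrectHorse9",
    "secret_answer": "Rover",
}


def build_sample_app_dir():
    """Create a throwaway directory shaped like an Android app's data dir.

    The SharedPreferences file persists all three values in the clear (the
    failure mode described in the article); the SQLite cache persists the
    username alongside an opaque session token.
    """
    root = tempfile.mkdtemp(prefix="appdata_")
    prefs_dir = os.path.join(root, "shared_prefs")
    os.makedirs(prefs_dir)
    with open(os.path.join(prefs_dir, "login.xml"), "w", encoding="utf-8") as f:
        f.write(
            '<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
            '  <string name="username">testuser01</string>\n'
            '  <string name="password">CorrectHorse9</string>\n'
            '  <string name="secret_answer">Rover</string>\n'
            "</map>\n"
        )
    db_dir = os.path.join(root, "databases")
    os.makedirs(db_dir)
    conn = sqlite3.connect(os.path.join(db_dir, "cache.db"))
    conn.execute("CREATE TABLE session (k TEXT, v TEXT)")
    conn.execute("INSERT INTO session VALUES ('last_user', 'testuser01')")
    conn.execute("INSERT INTO session VALUES ('auth_token', 'opaque-token-abc')")
    conn.commit()
    conn.close()
    return root


def extract_strings(path):
    """Yield (location, text) pairs for each readable unit in a file.

    SharedPreferences-style XML is split per element, SQLite databases per
    row, and anything else is scanned as one blob of latin-1 text so that
    binary files are still searched for the raw byte sequence.
    """
    if path.endswith(".xml"):
        try:
            for elem in ET.parse(path).getroot().iter():
                if elem.text and elem.text.strip():
                    yield f"<{elem.tag} name={elem.get('name')}>", elem.text
            return
        except ET.ParseError:
            pass  # not well-formed XML; fall through to the raw scan
    if path.endswith(".db"):
        try:
            conn = sqlite3.connect(path)
            tables = [r[0] for r in conn.execute(
                "SELECT name FROM sqlite_master WHERE type='table'")]
            for table in tables:
                for row in conn.execute(f'SELECT * FROM "{table}"'):
                    yield f"table {table}", " ".join(str(c) for c in row)
            conn.close()
            return
        except sqlite3.DatabaseError:
            pass  # not a SQLite file; fall through to the raw scan
    with open(path, "rb") as f:
        yield "raw", f.read().decode("latin-1")


def find_plaintext_secrets(root, secrets):
    """Return (relative_path, location, secret_label) for every hit.

    A hit means the known value appears verbatim in readable form, which is
    exactly what an attacker with the handset or a backup would see.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for location, text in extract_strings(path):
                for label, value in secrets.items():
                    if value in text:
                        hits.append((os.path.relpath(path, root), location, label))
    return hits


if __name__ == "__main__":
    app_dir = build_sample_app_dir()
    for rel_path, location, label in find_plaintext_secrets(app_dir, SAMPLE_SECRETS):
        print(f"FINDING: {label} stored in clear at {rel_path} ({location})")
```

Run against the constructed directory it reports four findings: the username, password and security answer in `shared_prefs/login.xml`, and the username again in the `session` table of `databases/cache.db`. The fix the article describes for the real apps amounts to making this list empty: the password and security answer are never persisted at all, and only an opaque, revocable session token is kept on the handset.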

PayPal has updated its iPhone app and TD Ameritrade is in the process of rolling out updates for its iPhone and Android offerings.

Andrew Hoog, chief investigative officer at viaForensics, told the WSJ: "It's not the end of the world. But it's just sloppy. These guys should not be storing this data on a phone."

Banks Rush to Fix Security Flaws in Wireless Apps - WSJ

Comments: (2)

Stephen Wilson - Lockstep Consulting - Sydney, 08 November, 2010, 20:15

Good grief! I agree these mistakes aren't the end of the world, but they're much more serious than "just sloppy". They are symptomatic of a horrible lack of attention to detail on the part of software designers. We all know that the poor security of Internet banking today derives from lax architectures and designs in the early days of the Internet. Those who developed TCP/IP and other protocols had no idea the Internet would be used for serious commerce, so they overlooked the need for communications integrity, tamper resistance, authentication etc.

Let's not make the same mistake again! Everyone seems to think that mobile and the cloud are the future of commerce. Some even say that phones will replace plastic cards! That's a huge call. You would expect that commensurate care and attention would go into all facets of the engineering of mobile apps. But no, the future of commerce appears to be in the hands of hack programmers.

A Finextra member, 09 November, 2010, 10:29

This type of issue is symptomatic of some organisations' approach to App development, and to some extent is the fault of the development community in the mobile environment. To date most developments are immature, and the level of process, testing and QA applied to App development is not at what would be an acceptable level in traditional developments.

For true enterprise class mobile applications to be a success, the rigour applied to traditional developments needs to be applied to mobile developments. OK, this means an increase in cost in the initial development, but this will drive down the total cost of ownership in the long term if approached in the correct manner.
