
Living like the 3 per cent: Delivering secure user experience on financial apps

What kind of financial windfall would it take to put you into the 1% — to enable you to leave your job, climb aboard your yacht, and eat avocado toast for breakfast, lunch, and dinner? The answer to that question varies depending on your location: from $81K per year in India, to $290K in the UK, and a massive $891K in the United Arab Emirates (pretax, for those of you doing the math at home).

While membership in this elite club is not achievable for most of us, it is still possible to become a top-tier member of a different group: the 3%. This select group is not measured by how many homes they have nor by their investment portfolio, but rather by how well they steward the resources of others that have been entrusted to them.

A recent report published by Arxan Technologies examined 30 different financial services apps available on the Google Play store and found very few that provided adequate security for their users. Despite the fact that these were supplied by financial institutions, for whom trust is essential for their business, application security was found wanting.

The issues discovered were wide ranging. 43% of the apps were vulnerable to runtime code injection: an attacker can inject code into the app as it runs on the device and have it execute with the privileges of the logged-in user. 80% of the apps used relatively weak encryption, which gives an attacker an easy route to the sensitive data the app embeds and handles. 83% of the apps stored sensitive data in the device's file system, on external storage or on the clipboard, locations that sit outside whatever access restrictions the app itself enforces, so any other app, or anyone with the device in hand, can read data that should have been protected. The most common issue, however, was the lack of binary protection to hinder reverse engineering: an attacker can decompile the app and read its code, which both exposes any secrets hard-coded in it and makes it easier to find further vulnerabilities to exploit. This last issue alone reduced the number of apps without any findings to a grand total of 3%.
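The reverse-engineering finding is the one a tester can reproduce most cheaply, and once the app is decompiled the other three issue classes can be triaged with a simple source scan. The following Python script is an added example, not the report's own tooling or code from any of the apps it examined; it assumes the APK has already been decompiled to Java with a tool such as jadx, and here it runs against a constructed sample class (`SAMPLE_SOURCE`) that deliberately exhibits each issue. The patterns are heuristics: a hit is a lead for manual review, not proof of a vulnerability, and `getExternalFilesDir` is flagged even though scoped storage on newer Android versions narrows who else can read that directory.

```python
import re

# Heuristic patterns over decompiled Java source for the three issue classes
# the report lists besides missing binary protection. Constructed for this
# example; tune to the target code base before relying on the results.
CHECKS = {
    # Data written outside the app's private sandbox or placed on the
    # clipboard, where other apps can read it.
    "insecure_storage": [
        r"getExternalStorageDirectory\s*\(",
        r"getExternalStoragePublicDirectory\s*\(",
        r"getExternalFilesDir\s*\(",
        r"MODE_WORLD_READABLE|MODE_WORLD_WRITEABLE",
        r"setPrimaryClip\s*\(",
    ],
    # Broken or misused primitives. Cipher.getInstance("AES") with no mode
    # string selects ECB on the JCA providers Android ships.
    "weak_crypto": [
        r'Cipher\.getInstance\s*\(\s*"(?:DES|DESede|RC4|ARCFOUR|Blowfish|AES|AES/ECB[^"]*)"',
        r'MessageDigest\.getInstance\s*\(\s*"(?:MD5|SHA-?1)"',
        r"new\s+SecureRandom\s*\(\s*[^)\s][^)]*\)",  # explicitly seeded SecureRandom
    ],
    # Credentials baked into the binary; decompilation exposes these directly.
    "hardcoded_secret": [
        r'(?i)\b(?:api[_-]?key|secret|password|passwd|token)\w*\s*=\s*"[^"]{8,}"',
    ],
}

COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in CHECKS.items()}


def scan(source, path="<decompiled>"):
    """Return one finding per (line, category) where any pattern matches."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, patterns in COMPILED.items():
            if any(p.search(line) for p in patterns):
                findings.append({
                    "path": path,
                    "line": lineno,
                    "category": category,
                    "snippet": line.strip(),
                })
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'weak_crypto': 2}."""
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


# Constructed sample of what jadx output for a careless session store might
# look like. Not taken from any real app.
SAMPLE_SOURCE = """\
package com.example.bank;

public class SessionStore {
    private static final String API_KEY = "sk_live_0123456789abcdef";

    void saveToken(Context ctx, String token) throws Exception {
        File dir = Environment.getExternalStorageDirectory();
        FileWriter w = new FileWriter(new File(dir, "session.txt"));
        w.write(token);
        w.close();
        ClipboardManager cm = (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        cm.setPrimaryClip(ClipData.newPlainText("token", token));
        Cipher c = Cipher.getInstance("AES");
        MessageDigest md = MessageDigest.getInstance("MD5");
    }
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE, "SessionStore.java"):
        print(f"{f['path']}:{f['line']}: {f['category']}: {f['snippet']}")
    print(summarize(scan(SAMPLE_SOURCE)))
```

Run against a real decompiled tree by walking the output directory and calling `scan()` on each `.java` file; the per-category counts from `summarize()` map directly onto the report's three categories, and the hard-coded secret hits are the ones worth checking first because they are exploitable without any further work on the app.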

Only 3% of the financial apps in this study passed all of the report's checks and delivered a secure experience for their users, giving their customers real grounds to trust them with their data and finances. That 3% is the group every financial institution should aspire to join; with each passing headline, customers are realising the importance of choosing providers who have invested in proper security controls to protect their interests.

Studies such as this one make it ever more apparent that security cannot be an afterthought for today's businesses. It must be a mindset that pervades every part of the organisation: from an identity programme that governs who is granted access and supports regulatory compliance, to access controls on sensitive resources that are enforced in depth rather than at a single perimeter. Moreover, as this report highlights, organisations must make application security a first-order concern for every software architect and developer, so that the applications and software that represent a financial institution to the world communicate responsible handling of customer assets and data.

Organisations that take security lightly do so at their own peril: they not only put their customer relationships at unnecessary risk but also find themselves living below what one analyst called "the Security Poverty Line." Financial institutions wanting to thrive in today's business environment must invest in a coherent security programme and deliver a secure, trustworthy interaction for clients, which is what elevates them into the rarefied air of the 3%.


Comments: (2)

Maximiliaan Van De Poll
Maximiliaan Van De Poll - Cybernetica - Tallinn, 10 April 2019, 11:37

Good post, Mike. Often the focus for financial institutions' security is strong authentication, but poorly protected apps can render many strong authentication solutions useless. 

I think it's a combination of the two that can secure entry to the, not nearly coveted enough, 3%.

Mike Kiser
Mike Kiser - SailPoint - Austin, Texas, 11 April 2019, 09:11

Yes! It’s always the visible components of security that get the attention — to the detriment of defense-in-depth. Application security is about changing the core of the organisation – so that everyone from the board down to the developer creating the application has security as a core value.