Approov, the end-to-end mobile security provider, today issued findings showing that 92% of the most popular banking and financial services apps contain easy-to-extract secrets such as API keys, which could be used in scripts and bots to attack APIs and steal data, devastating consumers and the institutions they trust.
The Approov Mobile Threat Lab downloaded, decoded and scanned the top 200 financial services apps in the U.S., U.K., France and Germany from the Google Play Store, investigating a total of 650 unique apps. Ninety two percent of the apps leaked valuable, exploitable secrets and twenty three percent of the apps leaked extremely sensitive secrets.
As well as immediately exposing secrets, scans also indicated two critical runtime attack surfaces that could be used to steal API keys at runtime. Only 5% of the apps had good defenses against runtime attacks manipulating the device environment and only 4% were well protected against Man-in-the-Middle (MitM) attacks at run-time.
“Have we all unknowingly become beta-testers for financial services apps? Is this putting our personal finances at risk? Continuing news about breaches seems to indicate this is the case and it is unacceptable!” said Approov CEO Ted Miracco.
“This research shows hardcoding sensitive data in mobile apps is widespread and a massive problem since secrets can easily be extracted. A simple automated scan can show any threat actor how well protected apps are at runtime. Unfortunately, financial apps fall short,” Miracco added.
None of the 650 apps “ticked all the boxes” in terms of the three attack surfaces investigated. All failed in at least one category.
Only four apps had runtime protection against channel MitM attacks and “man-in-the-device.” All were payment and transfer apps and none were in the U.S.
In general, apps deployed in Europe were better protected than apps available only in the U.S., for immediate secret exposure and runtime protections. This may be due to stricter privacy rules in Europe and more focus on security.
Crypto apps were more likely to leak sensitive secrets as 36% immediately offered highly sensitive secrets when scanned.
Only 18% of personal finance apps leaked sensitive information, possibly because they are less dependent on sensitive APIs.
For Man-in-the-Device attacks, traditional banks are twice as likely to be well protected over other sectors reflecting the use of packers and protectors to protect against run-time manipulation.
The Approov Mobile Threat Lab report is available here
The report explains the approach and provides detailed findings. Using this report, financial services teams can replicate tests performed and check the security of their apps without delay.