Financial Apps Are Not As Safe As You Think

The Rise of Financial Mobile Apps

Financial mobile applications help businesses across all sectors take advantage of growing markets. They create additional value through improved customer experience and reduce costs through process automation. Whether used for traditional banking or payment processing, apps are changing how businesses operate. This steep but steady trend in mobile fintech adoption skyrocketed with the COVID-19 pandemic. 

Time spent on financial apps increased 45% in 2020, and some verticals, such as investment apps, even outpaced the uptick in game downloads during the pandemic.

This popularity led to a 77% reduction in customer acquisition costs and contributed significantly to the retail investment boom of late 2020. 

The value of financial apps for businesses and their customers is clear. Unfortunately, the value of these apps made them a favorite target of cybercriminals to the point that the FBI issued a PSA warning about cyberattacks on banking apps.

Notable Recent Financial Mobile App Breaches

Hackers used several different methods to attack financial apps in 2020. Here are just a few of the more notable security breaches: 

  • Ghimob banking trojan. This trojan identifies and monitors the installed finance apps on a device and performs fraudulent transactions in the background while the user looks at an overlay screen. 
  • EventBot malware. This malware abused Android accessibility features to steal data, read text messages, and bypass two-factor authentication (2FA). It targeted more than 200 popular financial applications, including those in the U.S., Germany, and the U.K. 
  • Cerberus malware. This malware posed as a cryptocurrency converter app to trick users and reached thousands of downloads before it was detected. 
  • The Dave.com security breach. The details of 7.5 million users of the “Dave” financial app were compromised after the app was hacked through a third-party analytics provider.

A Financial App Security Analysis For 2021

Considering how prevalent financial applications are in our daily lives, we chose 160 apps representing businesses in four major financial sectors: banking, mobile payment, investment/trading, and lending. These apps serve global markets in the U.S., E.U., U.K., South-East Asia (SEA), and India.

All apps were downloaded from Google’s Play Store or the iOS App Store. We submitted the selected apps for both static and dynamic analysis in order to evaluate vulnerabilities in terms of the Common Vulnerability Scoring System (CVSS).

The overall results of our investigation revealed that the vast majority of apps are at risk. Here are some key highlights:

  • Nearly 85% of Android and 70% of iOS apps contained at least one critical or high severity vulnerability. 
  • The most widespread significant financial app security flaws found in Android apps were weak derived crypto keys (61%) and storing unencrypted information in SharedPreferences (73%). 
  • For iOS apps, the most prevalent and serious security flaws were misconfigured App Transport Security (65%) and storing sensitive information in NSUserDefaults (61%). 
  • In terms of sector, the worst offenders were banking apps, of which 81% contained at least one high severity or critical vulnerability and 35% contained more than ten vulnerabilities. 
  • Other sectors didn’t fare much better, with at least 75% of apps in other fields having critical or high severity vulnerabilities. 
  • Apps from SEA, India, and the E.U. presented the most vulnerabilities, with 38%, 38%, and 29% respectively containing more than ten financial app security flaws.
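As an added illustration (not code from the report or from any of the apps tested), the two most common Android findings above, a key derived from a constant baked into the APK and a session token written to SharedPreferences in the clear, are shown beside a hardened form that keeps the key in the Android Keystore. It assumes the androidx.security:security-crypto library; the app secret and preference names are constructed placeholders.

```kotlin
import android.content.Context
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import java.security.MessageDigest
import javax.crypto.spec.SecretKeySpec

object SessionStore {
    // --- Weak pattern 1: "derived" key that is really a constant. ---
    // SHA-256 of a string compiled into the APK is deterministic and unsalted;
    // anyone who decompiles the app recomputes the exact same AES key.
    private const val APP_SECRET = "fintech-app-seed" // constructed placeholder

    fun weakDerivedKey(): SecretKeySpec {
        val digest = MessageDigest.getInstance("SHA-256").digest(APP_SECRET.toByteArray())
        return SecretKeySpec(digest, "AES")
    }

    // --- Weak pattern 2: token stored unencrypted in SharedPreferences. ---
    // The value lands as plaintext in the app-private shared_prefs XML, which is
    // exposed on a rooted device, through backups, and to forensic extraction.
    fun saveTokenUnprotected(ctx: Context, token: String) {
        ctx.getSharedPreferences("session", Context.MODE_PRIVATE)
            .edit().putString("auth_token", token).apply()
    }

    // --- Hardened form: Keystore master key + EncryptedSharedPreferences. ---
    // The master key is generated on-device inside AndroidKeyStore and is not
    // exportable, so nothing has to be derived from app constants; both the
    // preference keys (AES-SIV) and values (AES-GCM) are encrypted at rest.
    fun saveTokenProtected(ctx: Context, token: String) {
        val masterKey = MasterKey.Builder(ctx)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .build()
        val prefs = EncryptedSharedPreferences.create(
            ctx,
            "session_secure",
            masterKey,
            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
        )
        prefs.edit().putString("auth_token", token).apply()
    }
}
```

A static scan of the kind described above flags the first two functions (a hard-coded key material constant and a plaintext `putString` into SharedPreferences); the third is what a clean result looks like.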

The detailed report, The State of Financial App Security in 2021, is available for download.

The Risks of Inadequate Fintech Security

The risks to the vendors of financial apps are manifold and continue to negatively impact a business long after the initial attack. Here are some of the most damaging outcomes of a successful fintech security breach. 

  • Data theft – Sensitive personal identifiable information (PII) and other valuable data including names, passwords, and payment card details can be easily accessed through compromised financial apps. Mobile banking trojans such as Anubis and Ghimob, and other mobile malware, use various techniques to exfiltrate data including keyloggers, overlay screens, and exploiting accessibility services.
  • Intellectual property theft – Applications often include proprietary algorithms and patented technology, which can be discovered by reverse-engineering the code. A breach that reveals IP could place valuable knowledge assets in the hands of competitors or be used to make counterfeit financial apps that contain banking trojans or other malware.
  • Regulatory fines and damage payments – A wealth of global legislation on data security outlines the penalties for breaches of financial app security. For instance, under the E.U.’s GDPR a firm may be fined up to 4% of their global revenue. In addition to fines, breached companies may be required to pay significant compensation to affected users. A notable example is the $300 million (potentially rising to $425 million) compensation fund that Equifax was ordered to set up after they were found negligent in securing their customer data. 
  • Loss in customer confidence – Customers lose trust in companies that suffer cybersecurity breaches. Research shows that 83% of U.S. consumers would stop doing business with an affected firm for at least a few months, while over 40% of U.K. customers said they would never do business with them again. Moreover, acquiring new customers becomes more expensive. These costs arise from the extra marketing spend needed to repair brand reputation and from business model changes, such as increased product discounts or lower service rates.
  • Increased spending on IT security – Failing to build financial mobile app security into development processes creates a security debt that will need to be addressed later. In the case of an attack, extra security resources will have to be deployed to retroactively secure or decommission existing apps at a significantly greater cost than proactive DevSecOps.

What Can Fintech Companies Do To Protect Themselves?

A significant discovery in our report is that nearly 75% of the high-severity threats found could have been mitigated with in-app protection technologies. To ensure that their apps are as secure as possible, financial organizations should deploy a number of best practices and application shielding strategies, including:

  • Cryptographic key protection
  • Code obfuscation
  • Anti-debugger protection
  • Jailbreak/rooting detection
  • Run-time application self-protection (RASP)
  • Build diversification

With the wide range of attack vectors and limited built-in protections, financial applications will continue to be a prime target for hackers. The business consequences of successful attacks far outweigh the cost of prevention through application shielding and a robust DevSecOps strategy.

Zimperium’s Mobile Application Protection Suite (MAPS) helps enterprises build safe and secure mobile apps resistant to attacks. It is the only unified solution that combines comprehensive app protection with centralized threat visibility. 

MAPS is comprised of four capabilities, each of which addresses a specific enterprise need:

  • zShield | Application Shielding – Protects the source code, intellectual property (IP), and data from potential attacks like reverse engineering and code tampering.
  • zKeyBox | White-box Crypto Protection – Protects your secrets and keys so they cannot be discovered, extracted, or manipulated.
  • zScan | Application Security Testing (AST) – Helps your mobile app development organization discover and fix compliance, privacy, and security issues within the development process, before you publicly release your apps.
  • zDefend | Runtime Application Self-Protection (RASP) – Helps detect and defend against run-time exploitation and abuse from device, network, phishing, and malware attacks.

Learn more about our Mobile Application Protection Suite here.

About Zimperium

Zimperium, the global leader in mobile security, offers the only real-time, on-device, machine learning-based protection against Android, iOS, and Chromebook threats. Powered by z9, Zimperium provides protection against device, network, phishing, and malicious app attacks. For more information or to schedule a demo, contact us today.
