
Vast majority of mobile financial apps are vulnerable to data theft: Intertrust report

Intertrust’s analysis of 160 top finance apps worldwide revealed that 81% can leak data and 77% contained flaws that present high-severity risks to finance organizations and their customers.

It makes no sense to have all the doors and windows of a house fitted with secure locks and leave the front door key under the doormat.

But this is exactly what is happening in the digital world, with a new report finding that the vast majority of financial services apps have at least one significant encryption-related vulnerability that puts them at risk of data theft.

The 2021 State of Mobile Finance App Security Report by Intertrust—a Silicon Valley-based provider of trusted computing products and services—indicates that these cryptographic issues include exposed encryption keys, poor implementation of cryptographic algorithms, insufficient key size, and failure to securely encrypt the communication of sensitive data.
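The four issue classes the report names are the kind of thing a reviewer can check for mechanically in an app's source or decompiled code. The scanner below is an added example written for this page, not code from the report or from Intertrust (whose test methodology the article does not describe). Its regexes, its thresholds (128-bit symmetric, 2048-bit asymmetric) and the Android-style Java snippets it scans are all assumptions and constructed samples, not material from any real app.

```python
"""Heuristic scanner for the four cryptographic weakness classes named in the
Intertrust report: exposed keys, weak algorithm use, insufficient key size,
and unencrypted transport. Added illustration, not the report's own tooling;
patterns and thresholds are assumptions about Android (Java/Kotlin) source."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    severity: str  # "high" or "medium"
    issue: str
    evidence: str


# Identifier containing key/secret/passphrase assigned a string literal of 8+ chars.
HARDCODED_KEY = re.compile(r'(?i)\w*(?:key|secret|passphrase)\w*\s*=\s*"[^"]{8,}"')
CIPHER = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"')
KEYGEN = re.compile(r'KeyGenerator\.getInstance\(\s*"([^"]+)"')
# KeyPairGenerator.initialize(int) and KeyGenerator.init(int)/setKeySize(int) take bits.
ASYM_SIZE = re.compile(r'\.initialize\(\s*(\d+)\s*\)')
SYM_SIZE = re.compile(r'\.(?:init|setKeySize)\(\s*(\d+)\s*\)')
CLEARTEXT = re.compile(r'"http://|usesCleartextTraffic\s*=\s*"true"|ALLOW_ALL_HOSTNAME_VERIFIER')

WEAK_ALGOS = ("DES", "DESEDE", "RC4", "ARCFOUR", "RC2", "BLOWFISH")
MIN_SYM_BITS, MIN_ASYM_BITS = 128, 2048  # assumed minimums


def scan_line(n: int, line: str) -> list[Finding]:
    out: list[Finding] = []
    s = line.strip()
    if HARDCODED_KEY.search(line):
        out.append(Finding(n, "high", "exposed key: key material hard-coded in source", s))
    m = CIPHER.search(line)
    if m:
        t = m.group(1).upper()
        algo = t.split("/")[0]
        if algo in WEAK_ALGOS:
            out.append(Finding(n, "high", f"weak algorithm: {m.group(1)}", s))
        # JCE treats a bare "AES" as AES/ECB; "RSA/ECB/..." is only a naming quirk, so skip RSA.
        elif algo != "RSA" and ("/" not in t or "/ECB/" in t):
            out.append(Finding(n, "high", f"ECB mode (explicit or default): {m.group(1)}", s))
        elif "/CBC/" in t:
            out.append(Finding(n, "medium", f"unauthenticated mode, prefer GCM: {m.group(1)}", s))
    m = KEYGEN.search(line)
    if m and m.group(1).upper() in WEAK_ALGOS:
        out.append(Finding(n, "high", f"weak algorithm: {m.group(1)}", s))
    m = ASYM_SIZE.search(line)
    if m and int(m.group(1)) < MIN_ASYM_BITS:
        out.append(Finding(n, "high", f"insufficient key size: {m.group(1)}-bit asymmetric key", s))
    m = SYM_SIZE.search(line)
    if m and int(m.group(1)) < MIN_SYM_BITS:
        out.append(Finding(n, "high", f"insufficient key size: {m.group(1)}-bit symmetric key", s))
    if CLEARTEXT.search(line):
        out.append(Finding(n, "high", "cleartext transport or disabled TLS verification", s))
    return out


def scan(source: str) -> list[Finding]:
    findings: list[Finding] = []
    for n, line in enumerate(source.splitlines(), 1):
        findings.extend(scan_line(n, line))
    return findings


# Constructed snippets (not from any real app): one with each weakness, one hardened.
VULNERABLE = """\
public class PaymentCrypto {
    private static final String AES_KEY = "0123456789abcdef";
    Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
    KeyGenerator kg = KeyGenerator.getInstance("DES");
    kg.init(56);
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    kpg.initialize(1024);
    String endpoint = "http://api.bank.example/charge";
}
"""

HARDENED = """\
public class PaymentCrypto {
    // Key is generated inside the hardware-backed keystore, never written in source.
    KeyGenerator kg = KeyGenerator.getInstance("AES", "AndroidKeyStore");
    kg.init(new KeyGenParameterSpec.Builder("pay", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM).setKeySize(256).build());
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    kpg.initialize(3072);
    String endpoint = "https://api.bank.example/charge";
}
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"== {name}: {len(scan(src))} finding(s)")
        for f in scan(src):
            print(f"  line {f.line} [{f.severity}] {f.issue}")
```

Run against the vulnerable snippet it reports six high-severity findings, one per weakness line; the hardened snippet produces none. It is a triage aid, not proof of security: a key loaded from a resource file or fetched over the network still escapes the hard-coded check, and a correct transformation string says nothing about how the IV or the key is actually handled at runtime.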

Its analysis of 160 popular finance apps worldwide from four major categories—namely banking, mobile payment, investment and trading, and lending—revealed that 81% can leak data and 77% contained flaws that present high-severity risks to finance organizations and their customers.

The report also says 49% of payment apps are vulnerable to encryption key extraction and that banking apps contain more vulnerabilities than any other type of finance app.

“Banking apps proved to be significantly more vulnerable both in terms of total number of issues and severity—35% contained more than 10 vulnerabilities and 81% at least one critical or high severity issue. Payment apps fared only slightly better at 29% and 75%, respectively. Lending apps claimed the most secure spot, possibly because of their more limited functionality.”

These security gaps are a major source of concern given that time spent in finance apps increased by 45% in the coronavirus-hit year of 2020, activity in investment apps increased by 88%, and mobile wallet point-of-sale transactions picked up by 19.5%, helped by higher limits for contactless payments.

“One of the disturbing findings of our security assessments is that a large number of the apps tested either do not have any type of encryption or do not have the strongest levels of encryption, which is similar to having locks all around the house and hiding the master key under the doormat,” Prateek Panda, head of product marketing and growth at Intertrust, told The Sociable.

Their study of the apps, which came from the United States, the United Kingdom, the European Union, Southeast Asia, and India, suggests that nearly 75% of high severity threats could have been mitigated using in-app protection, that is, defensive measures built into the app itself rather than relying on the platform alone.

“Encryption is important, but it has to be implemented in a way where it’s not easy to decrypt it,” Prateek said, lamenting that many service providers are knowingly compromising security for reasons such as launching the app in a shorter time frame or making it run faster.

Citing a Verizon survey, the Intertrust report highlights that a large number of organizations compromise mobile security to meet a deadline or productivity target.

Additional layers of security

Prateek acknowledges that there will always be a level of compromise and that there is no such thing as a “100% secure” app because new security issues arise every day. However, he says additional layers of security can be built to mitigate vulnerabilities and risk.

“One of the main steps to take is to follow a DevSecOps framework so that security is part of the development lifecycle,” he said, referring to a set of practices that automates the integration of security at every phase of software development—from initial design through integration, testing, deployment, and software delivery.

Emphasizing that security cannot be an afterthought, Prateek added that every app needs to develop some kind of “self-defense capability”.

Prateek Panda, head of product marketing and growth at Intertrust (Image source: LinkedIn)

Using a COVID-19 analogy, he said, “It was a virus that nobody knew anything about. But although we don’t have the exact medicine for it yet, we might become more resistant to it if we strengthen our immune system. The same is true for these apps. There’s a lot of unknown security issues out there, and the best way to prevent damage is to adopt in-app protection solutions.”

According to the 2021 State of Mobile Finance App Security Report, both iOS and Android rank in the top ten most vulnerable operating systems by total number of distinct vulnerabilities.

“In our testing, Android apps had far more issues than iOS apps. On a per app basis, nearly every Android finance app (97.5%) had more than five security flaws compared to around 30% of iOS apps. When looking at severity level, however, the gap narrows. Approximately 84% of Android finance apps contained at least one critical or high severity vulnerability versus 70% of iOS apps,” Intertrust wrote.

Government regulations, users

Prateek maintains that government regulations can play an important role in making apps more secure. “They’re not enough but are a good starting point.”

The company’s analysis showed that UK finance apps contained far fewer security issues than apps from other regions—only 7% had more than 10 vulnerabilities compared to 38% of apps in India and Southeast Asia, 29% of apps from the EU, and 19% of U.S. finance apps.

Prateek attributes that partially to the UK’s strict financial services security and data privacy regulations, which push app developers and organizations to take app defense more seriously.

Prateek added that users are an indispensable part of the equation and should help protect their privacy by taking measures as simple as downloading applications only from official app stores, refusing to send sensitive information through text message or similar channels, and reporting suspicious activities.

“I also believe we, as members of society, should be more proactive about what’s happening and demand more privacy and security from our banks and other service providers. If consumers are more vocal about this issue, businesses will feel pressured to take it more seriously,” he said.

Disclaimer: This article mentions a client of an Espacio portfolio company.
