As with most industries, the world of finance has been given a severe shakeup thanks to digitisation and the proliferation of mobile devices. More and more of us are making payments and doing our banking using apps on mobile devices.
Arxan Technologies conducted a survey that looked at how secure a number of popular mobile finance apps are, and whether they are vulnerable to the Open Web Application Security Project (OWASP) Mobile Top 10 Risks.
The firm also asked both executives making the apps and consumers how secure they felt the applications are.
1. Every finance app tested contained vulnerabilities
The reality is a long way from the perception though. Every mobile finance app that was tested was shown to be vulnerable to both code tampering and reverse engineering, meaning that all the top mobile banking and payment apps that Arxan tested had at least one vulnerability that is in the OWASP top 10.
Patrick Kehoe, chief marketing officer at Arxan, thinks that firms should "at a minimum address the entire top 10."
The most common vulnerabilities found were a lack of binary protection and insufficient transport layer protection.
2. But apps are still widely believed to be secure
Both consumers and executives at app companies think their health and finance mobile apps are safe. In total, 84 per cent of app users and app executives believe their apps are "adequately secure", and 63 per cent think that those making the apps are doing "everything they can" to protect them.
Stephen McCarney, the marketing director at Arxan, told CBR: "It’s a matter of whether these institutions realise how vulnerable their apps are."
He said: "IT executives, these application executives who have insight or oversight over the mobile finance apps that they are generating and putting out into the marketplace, the vast majority believe they are adequately secure, and many also believe that they are doing everything they can to protect their end users."
3. Executives think the App Store keeps them safe… but there are more vulnerabilities on iOS than on Android
The sandboxed nature of the app store and iOS devices has lulled some people into a false sense of security, meaning they are not making their apps safe enough.
However, there were a greater number of unaddressed vulnerabilities on iOS than there were in Android, despite the fact that Android apps and the Android operating system are normally regarded as being more vulnerable.
"Some people just assume that the security controls that are in the app store, and inherent from the iOS phone are strong enough and they might not need to focus as much on protecting the app itself," said McCarney.
Every single one of the iOS finance apps tested had at least 3 of the OWASP top 10 risks, while 59 per cent of mobile finance apps on Android that were tested had that number of vulnerabilities.
This is not to say that the risks are more severe on iOS though, just more numerous. Kehoe said that "it is important to understand that the iOS operating system has more robust security controls than Android does today."
4. Speed is beating security
The finance sector is not known for being particularly nimble or agile, but firms are realising that they increasingly have to get usable apps to market as speedily as possible. This means that they do not always prioritise security. "Speed is trumping security," warned McCarney.
"With the advancement rapidly towards mobile, IoT, these developers generally speaking are pressed to move very, very quickly, and unfortunately what’s happening is security tends to, still, today, take a bit of a back seat."
That’s not to say that security is being ignored by all finance app makers. "In the case of banking apps…they are absolutely taking select security measures," said Kehoe.
5. These problems could be fixed…if firms took them seriously
While the stats make pretty gruesome reading, not all hope is lost, and specific action could improve the situation before apps are released to the public.
For example, to tackle the issue of binary layer protection "you can insert guards into the application code so there’s a level of runtime layer self-protection, that would help detect malicious attacks and things like that and really protect the integrity and confidentiality of the application," said McCarney.
However, he said for this to happen firms are going to have to take this issue seriously, and start spending money.
"It just needs to be elevated up so that the industry and executives that are building these apps understand the risks, that they are real, and also they need to start investing more heavily."