How secure are mobile banking apps? Many individuals and organizations already trust smartphones to perform critical tasks such as reading email, working with corporate documents and conducting multi-factor authentication, so managing bank accounts would seem to be just another part of the mobile workflow.
On the surface, mobile banking offers greater convenience than having to travel to a brick-and-mortar branch or access a cumbersome desktop site. But ease of use is only part of the story, since these apps are often not fully secured and may expose users to unnecessary levels of risk.
Financial institutions have been quick to provide mobile options to customers, yet slow to craft truly safe experiences, with many offerings far from the cutting-edge when it comes to utilizing native security features in mobile operating systems. Large banks have been better than their smaller counterparts on this front, but there’s room for improvement across the board.
With mobile banking taking off among consumers, banks and credit unions must become more serious about plugging these security gaps and creating software optimized for mobile platforms. Doing so will not only protect sensitive data but also foster a better user experience.
Tests reveal deep flaws in banking apps, even from major financial institutions
A recent study examined nearly 300 mobile banking apps for iOS and Android created by large regional banks, credit unions and major financial providers such as Bank of America, Wells Fargo and Morgan Stanley. Eighty percent of the tested apps were improperly configured and not optimized for security and performance.
The issues cut across institutions of all types and sizes, suggesting that developers in general may not be doing enough to secure their software from threats. For example, many mobile banking apps are not natively coded, instead being written mostly in simplified HTML, and they do not utilize advanced features such as in-app browsers, geolocation and/or encryption.
“Most banks began offering mobile services with a simple redirect to a mobile site (with limited functionality) upon detection of the smartphone HTTP headers,” wrote Ken Baylor of NSS Reports in his report on mobile financial malware. “Others created mobile apps with HTML wrappers for a better user experience and more functionality. As yet, only a few have built secure native apps for each platform.”
The testing procedures were limited to apps and did not encompass the databases and servers that perform the bulk of mobile banking operations. Researchers discovered that many iOS apps did not take advantage of stack protection (compiler-inserted stack canaries) or Position Independent Executable (PIE) support, which respectively detect stack smashing and enable address space layout randomization, making buffer overflows far harder to exploit. Many prominent exploits, such as the Twilight Princess hack for the Nintendo Wii and the pioneering Morris Worm from 1988, have utilized stack smashing to pave the way for arbitrary code execution.
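As an added example (not from the study or the article), the following Python routine reads the Mach-O header of an iOS binary and reports whether the MH_PIE flag that marks a Position Independent Executable is set; the sample header bytes are constructed here, not taken from any real app. Checking for stack protection would additionally require walking the symbol table for ___stack_chk_fail, which this check does not do.

```python
import struct

# Header constants from <mach-o/loader.h>
MH_MAGIC = 0xFEEDFACE               # 32-bit Mach-O, little-endian
MH_MAGIC_64 = 0xFEEDFACF            # 64-bit Mach-O, little-endian
MH_EXECUTE = 2                      # filetype: main executable
MH_PIE = 0x200000                   # flag: image may be loaded at a random base (ASLR)
MH_ALLOW_STACK_EXECUTION = 0x20000  # flag: executable stack permitted
CPU_TYPE_ARM64 = 0x0100000C

def parse_macho_header(data: bytes) -> dict:
    """Decode the leading Mach-O header and extract the ASLR-relevant bits."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC:
        # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
        fields, bits = struct.unpack_from("<7I", data, 0), 32
    elif magic == MH_MAGIC_64:
        # mach_header_64 adds a trailing reserved word after flags
        fields, bits = struct.unpack_from("<8I", data, 0), 64
    else:
        raise ValueError("not a thin little-endian Mach-O (magic 0x%08x); split fat binaries first" % magic)
    cputype, _subtype, filetype, ncmds, _size, flags = fields[1:7]
    return {"bits": bits, "cputype": cputype, "ncmds": ncmds,
            "executable": filetype == MH_EXECUTE,
            "pie": bool(flags & MH_PIE),
            "exec_stack": bool(flags & MH_ALLOW_STACK_EXECUTION)}

def audit_header(info: dict) -> list:
    """Findings for the hardening flags; an empty list means both checks pass."""
    findings = []
    if info["executable"] and not info["pie"]:
        findings.append("MH_PIE not set: loads at a fixed address, so ASLR cannot randomize the main image")
    if info["exec_stack"]:
        findings.append("MH_ALLOW_STACK_EXECUTION set: stack pages are executable")
    return findings

def sample_header(pie: bool) -> bytes:
    """Constructed arm64 executable header (sample data, not taken from any real app)."""
    return struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 0, 0, MH_PIE if pie else 0, 0)

if __name__ == "__main__":
    with_pie = audit_header(parse_macho_header(sample_header(True)))
    without = audit_header(parse_macho_header(sample_header(False)))
    print("PIE build:", with_pie or "no findings")
    print("non-PIE build:", without)
```

On a real thin Mach-O file, pass its first 32 bytes to parse_macho_header; universal (fat) binaries carry a different magic and must be split into per-architecture slices first.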
Many banks were also using an outdated version of the Android SDK and had not implemented permissions hardening. Developers may be leaving out these features and/or settling for older, more familiar tools in their rush to market.
Fortunately, these issues are fixable, since the necessary security resources are already available, but banks and developers must change their approaches. Features must be reevaluated regularly and brought in line with the respective security amenities of each platform.
Santander mobile app updates show how to address risks
Financial services provider Santander’s recent security troubles demonstrate the variety of risks that banks face when creating consumer-facing software, as well as the proper measures that they should take to mitigate these threats. The organization, which recently acquired Sovereign Bank and has nearly 2 million customers, identified and resolved several vulnerabilities in its apps.
The mobile app was susceptible to man-in-the-middle attacks that could scrape user credentials. Using the debugging proxy Fiddler, a researcher generated a fake SSL certificate that Santander’s apps failed to reject, enabling him to log in without having to know the proper credentials.
The Web app supported the outdated RC4 encryption algorithm, yet had not implemented several baseline TLS protections such as forward secrecy and HTTP Strict Transport Security. It may also have been hashing passwords improperly, as suggested by its 50-character limit on passwords as well as its use of plaintext email for password resets.
Santander moved quickly, removing RC4 support and closing the insecure session negotiation loophole within 72 hours of the revelation. However, the vulnerable Android apps were still available in Google Play as of Dec. 31.
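As an added example (not code from Santander or from the researcher's write-up), the following Python shows the client-side TLS settings that separate the weak pattern described above from a hardened one, plus an audit that flags disabled certificate verification, RC4 and non-forward-secret suites, and a parser for the Strict-Transport-Security header the Web app lacked. The cipher string and header values are the author's own choices, not Santander's configuration.

```python
import ssl

# Only forward-secret (ECDHE) AEAD suites; RC4 and anonymous/MD5 suites are excluded explicitly.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!RC4:!aNULL:!MD5"

def hardened_client_context() -> ssl.SSLContext:
    """Client context that aborts the handshake on a forged or untrusted certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True            # certificate name must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must validate to a trusted root
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx

def lax_client_context() -> ssl.SSLContext:
    """The weak pattern: verification switched off, so a proxy's self-signed cert is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL:!aNULL")        # also admits RSA key exchange (no forward secrecy)
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings for a context; an empty list means the protections discussed above are in place."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    names = [c["name"] for c in ctx.get_ciphers()]
    if any("RC4" in n for n in names):
        findings.append("RC4 suites enabled")
    # TLS 1.3 suites (TLS_*) are always forward secret; older ones need (EC)DHE key exchange
    if any(not (n.startswith("TLS_") or "DHE" in n) for n in names):
        findings.append("suites without forward secrecy enabled")
    return findings

def hsts_max_age(headers: dict):
    """max-age from a Strict-Transport-Security response header, or None if HSTS is absent."""
    value = headers.get("Strict-Transport-Security")
    if value is None:
        return None
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.strip().strip('"').isdigit():
            return int(num.strip().strip('"'))
    return None
```

The same audit_context check applies to a server-side ssl.SSLContext, since the cipher list it offers is what decides whether RC4 or non-forward-secret suites can be negotiated.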
Fixing mobile banking apps to better serve customers
Santander’s swift reaction provides a blueprint for financial institutions seeking to improve application security. The onus is on banks and credit unions to step up and protect customers – mobile banking has too much promise to be abandoned because of fixable issues.
Many of the fundamental flaws in mobile and Web banking apps have been identified but still need to be addressed. In addition to code-related issues, researchers have pointed out that too many banks rely on one-time SMS codes for two-factor authentication. Typically, a bank may offer customers two-factor authentication as an extra layer of security, requiring them to enter the code in addition to their standard usernames and passwords.
While such a strategy is designed to improve security by preventing unauthorized access, it has come under pressure from desktop and Android malware. A compromised Web app may ask users to enter their phone numbers so that it can send links to malware to their devices. If installed, the malware relays the one-time codes to the attacker, who can then access the original accounts. SpyEye, Citadel and Zeus are prominent examples of financial malware that use desktop and mobile components in tandem.
Banks have many options for bolstering mobile and Web app security. The NSS Labs report recommended unique install keys, device fingerprinting and certificate-based identification as a few of the steps they could take to create secure native experiences on mobile. The stakes for doing so are high, with a Pew Research Center report indicating that 35 percent of U.S. adults use mobile banking.