Research carried out by Pradeo Lab found that there were on average seven security flaws per app tested. The firm estimated that the flaws could put half a billion people who use the apps to carry out online banking at risk.
According to Clément Saad, founder and president of Pradeo, what was worrying is not only the number of establishments concerned, but also the number of techniques that worked when the company checked potential security approaches.
“We did not settle for a demonstration of the vulnerability of each application in front of a simple keylogger, but their weaknesses facing more than twenty threats. Not a single banking app successfully passed our exam, and on average, each app was susceptible to seven breaches,” he said.
The firm said that criminals attack banking apps with many different goals: stealing passwords, spying into account behaviour, retrieving transaction validation codes to name just a few.
Saad said that while the implications of his company's findings are far-reaching, the priority is to equip banks with the right tools to beat cyber-criminals.
“We limited our study to 50 banks,” he said. “Chances are that apps from other banking establishments are also at risk and that consequently, the number of impacted users is potentially very significant. While there have not yet been any major security issues with banking apps, banks need to address these issues.”
Dave Levy, associate partner at Citihub Consulting, told SC Media UK that the base vulnerability is going to be the device operating system.
“Most popular phone operating systems are not as secure as server operating systems and they're usually full of useless bloatware that increases the attack surface,” he said.
“Applying formal controls and strong SDLC practices would help. Regulators such as the MAS have some interesting things to say about doing it properly. For instance, they mandate that the banks certify specific phones as platforms for their applications. These are all measures that we are learning to apply in the data centre.”
Lee Munson, security researcher at Comparitech.com, told SC that there are several reasons why banking apps may be susceptible to vulnerabilities, with the most obvious one being the implementation of poor coding practices from the outset.
“Beyond that, I would speculate that the next biggest factor could be cost – it is not unusual for some organisations to think the task is complete as soon as an app is in a state that allows a compliance check box to be ticked, even though that typically means the job is only half done,” he said.
“Lastly, we shouldn't forget that very few pieces of code are ever completely secure on day one and bugs and vulnerabilities come to light over a period of time. In the case of banking apps, there are more than the usual number of people trying to find the weak spots.”