More than three-fourths of mobile banking vulnerabilities can be exploited without physical access to the phone.
A new report from Positive Technologies has a number of sobering facts:
- 100 percent of mobile banking apps contain code vulnerabilities due to a lack of code obfuscation.
- NONE of the mobile banking apps tested had an acceptable level of protection.
- Attackers can access user data on almost all tested apps.
- In 13 out of 14 apps, hackers can access data from the client side.
- Half of the banking apps studied were vulnerable to fraud and funds theft.
- Hackers were able to steal user credentials from five out of seven banks tested.
And the list goes on.
From the perspective of being a user of apps, this is a bit disconcerting.
From the point of view of being a company who may be developing apps, this is a bit of a wake-up call.
If you think about the amount of developer support that big banks have, and they are still not developing secure apps, what does that mean for small to medium-sized companies that do not have that infrastructure?
As a user you are largely dependent on the developers to get it right, and it does not appear that they are doing a good job of that. You can look at reviews, but those are of limited value.
If you are using apps for your company, you can and should test the application’s security. If the app contains sensitive data or acts as an interface to sensitive data, that testing is probably not optional.
If you are writing apps or, just as importantly, paying others to write apps on your behalf, there are at least two things to do.
First, make sure the development team has a well-implemented secure software development lifecycle (SSDL) program. Don’t just trust the developers when they say “Sure, we do.” Verify it. If you need help either developing or testing a secure software development lifecycle, give us a call.
Second, if you are not already conducting application penetration tests for every major release of applications that you develop or have developed for you, you need to start doing that. Yes, that costs money. But so does having a breach. If your app accesses data of California residents, remember that they can now sue you for $750 per record compromised without showing that they were damaged.
A 1,000-record breach equals a $750,000 liability, not counting attorney’s fees and reputation damage. You can do a lot of testing for that amount, and 1,000 records is a tiny breach. You are not Capital One, but their breach exposed 105 million records. You do the math.
The maturity level of developing apps today is similar to the maturity level of developing web software in around the year 2000. That alone should scare you.
Some questions you can ask your development team:
- Do you have a dedicated software testing staff?
- Are they trained to test software for SECURITY FLAWS or only for functionality?
- Are you using automated testing tools?
- Are your developers trained to develop software securely?
- Does the development team have a security development manual? Something that is written down and part of their business process?
- Who signs off on the security of apps before release? What is their security expertise?
The evidence is that app security is not so great. What are you doing to improve it? Credit: SC Magazine