Mobile app security testing of the apps of 50 of the top global banks claims that all 50 are vulnerable to mobile attacks.
The research, from Pradeo Lab, states that there were, on average, seven flaws per app found from mobile app security testing, affecting up to half a billion people who use the apps for mobile banking and payments.
The nature and severity of the vulnerabilities is unclear, with the founder of Pradeo, Clément Saad, stating that the number of possible attacks was high, that each app was open to a potential seven breaches, and that none succeeded in passing Pradeo’s “exam”. With no further information it’s uncertain whether these are low-level security issues, such as hardware permission issues, or more serious problems such as potential SQL injections or exposed data.
This research is something of a surprise, as we’ve often seen tier 1 banks release robust and secure mobile apps. This is in part due to their experience with securing their technological infrastructure and the depth of knowledge and expertise of their security teams, as well as their willingness to acknowledge risk and compliance requirements.
Still, it may be the case that the apps the banks are releasing are susceptible to OS-level or device-specific problems. There may be a future argument for banks to request that their customers use specific devices that meet the banks’ own security standards.
In addition, these vulnerabilities may be regressions that creep in over numerous releases after a secure version 1.0 has shipped. One of the problems for mobile app security testing is that the traditional penetration testing paradigm is an awkward fit. With multiple releases and updates each month focused on making the app easier for the consumer to use, there’s no time for a complete series of penetration tests across the client side and backend.
Codified Security is here to help make your mobile app secure whether it’s for iOS, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.