The recent $81 million hack of the Bangladesh central bank through the SWIFT financial platform and research from an Indian security researcher showing how to empty a bank’s accounts through mobile app flaws illustrates the need for mobile app security testing in for banks and financial institutions.
This problem stems from a high number of critical vulnerabilities in these apps as shown by research on the 100 most downloaded finance and health apps demonstrating that 90% had a minimum of two OWASP Mobile Top 10. These apps contain a lot of binary logic that helps hackers understand a bank’s back-end infrastructure, including the APIs that link to the bank’s servers. As with the examples above attackers are able to move within a bank’s system to steal millions of dollars. This illustrates a complete neglect of secure mobile development and mobile app security testing.
Measures from Google and Apple such as DRM, sandboxes and code signing are still vulnerable to device rooting allowing attackers to penetrate and reverse-engineer mobile apps leaving mobile apps as a dangerous threat vector.
Mobile app security testing needs to be the focus for stakeholders at banks and financial institutions, it is a problem that devs, security chiefs and the board need to face up to. Some basic security practices to put in place are
Third party libraries
The approach of developers to use third party libraries from sites such as Github, Stackoverflow et al is risky due to being uncertain of who the developer is or their level of skill. This copy pasta coding approach is very dangerous and needs to be mitigated with code reviews and ensuring that any third party repos are up to date and secure.
Security at the foundation of development
Mobile app security testing and writing secure code needs to be at the heart of the development process. This requires devs and stakeholders to understand and counter the risks, this goes beyond a single penetration test before release. Mobile app security testing needs to be a part of the development process and the ongoing lifecycle of the app.
Third party risk
Outside vendors and third-party developers expose corporations to a high degree of risk. Any third party involvement needs to diligently checked and their own security policies need to made clear as well.
Codified Security Instant will help you to secure your mobile banking app against OWASP and PCI security standards, with mobile app security testing and Continuous Monitoring. To find out whether there are serious security flaws in your app please sign up to Codified Security.