iOS Banking Apps Security Posture - Improved but Problems Still Exist

iOS banking apps' security posture has improved since 2013, but problems remain

A well-known security consultant recently stated that the security of mobile banking apps has improved over the last two years, but there is still scope for improvement. The research covered 30+ mobile banking apps for iOS in use around the world. It was confined to client-side security weaknesses or vulnerabilities and did not include any server-side testing. His findings are an eye-opener:
 
  • 5 apps failed to validate the authenticity of the SSL certificates, making them susceptible to Man-in-The-Middle (MiTM) attacks.
  • 35% of the apps contained non-SSL links throughout the application, allowing an attacker to intercept traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or attempt similar scams.
  • 30% of the apps failed to validate incoming data, leaving them potentially vulnerable to JavaScript injections.
  • 15% of the apps store unencrypted and sensitive information, such as details about customers’ banking accounts and transaction history, in the file system via sqlite databases or other plaintext files.
  • Most apps rely simply on username and password for authentication. Only 40% of the apps provided alternative authentication solutions to mitigate the risk of leaked user credentials and impersonation attacks.
One improvement noticeable across all apps was increased transport security of the data, achieved by properly validating SSL certificates or removing plaintext traffic, which helps mitigate the risk of users being exposed to MiTM attacks.
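
As an added example (not part of the original article or of the research it summarizes), here is a minimal audit a developer could run over an extracted copy of their own app bundle and sandbox to catch two of the findings above: non-SSL links and SQLite files stored with a readable standard header. The directory layout, file names and hosts are constructed sample data, and the ignore list is an assumption.

```python
import os
import re
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of an unencrypted SQLite file
HTTP_URL = re.compile(rb"http://[A-Za-z0-9.\-]+(?:/[^\s\"'<>\x00]*)?")
# Assumption: hosts that only appear in plist/XML boilerplate, not in app traffic.
IGNORED_HOSTS = (b"www.apple.com", b"www.w3.org")

def audit_tree(root):
    """Walk an extracted app bundle or sandbox copy and return sorted
    (relative_path, kind, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read()
            if data.startswith(SQLITE_MAGIC):
                findings.append((rel, "plaintext-sqlite", "unencrypted SQLite header"))
            for m in HTTP_URL.finditer(data):
                url = m.group(0)
                host = url[len(b"http://"):].split(b"/", 1)[0]
                if host not in IGNORED_HOSTS:
                    findings.append((rel, "cleartext-url", url.decode("ascii", "replace")))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree standing in for an extracted app."""
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "Bank.app"))
    with open(os.path.join(root, "Documents", "accounts.db"), "wb") as fh:
        fh.write(SQLITE_MAGIC + b"\x10\x00" + b"\x00" * 82)
    with open(os.path.join(root, "Documents", "vault.db"), "wb") as fh:
        fh.write(bytes(range(200, 256)) * 2)  # stands in for an encrypted database
    with open(os.path.join(root, "Bank.app", "config.json"), "wb") as fh:
        fh.write(b'{"api": "https://api.bank.example/v1", "help": "http://help.bank.example/faq"}')

def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return audit_tree(root)

if __name__ == "__main__":
    for rel, kind, detail in run_demo():
        print(f"{kind:18} {rel}: {detail}")
```

A clean result here does not cover the other findings: certificate validation, input validation and authentication strength need their own tests.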
 
The conclusion was that although security has increased over the past couple of years, many apps still remain vulnerable.
Authored by Hussain Ali Ladha