Security vulnerabilities are common in bank mobile apps

Social distancing and pandemic lockdowns have pushed how we work, learn, and interact into the online world. Society quickly adapted to the new reality, making traditionally in-person resources accessible virtually. As a result, we’re seeing a culture increasingly reliant on mobile applications to conduct day-to-day activities.

The Synopsys Cybersecurity Research Center (CyRC) set out to examine the state of application security in such an increasingly app-driven world.

Upon analyzing well over 3,000 popular Android mobile apps to assess the state of mobile application security during the COVID-19 pandemic, the study targeted the most downloaded and highest grossing applications across 18 categories, many of which have seen explosive growth.

Sign up for the free BAI Banking Strategies newsletter and get industry insights delivered to your inbox.

The CyRC research focused on three core areas of mobile application security:

  • Vulnerabilities: The presence of known software vulnerabilities in the applications’ open source components
  • Information leakage: Sensitive data such as private keys, tokens and passwords exposed in the application code
  • Mobile device permissions: Applications requiring excessive access to mobile device data and features

The analysis revealed that the majority of apps contain open-source components with known security vulnerabilities. It also highlighted other pervasive security concerns including myriad potentially sensitive data exposed in the application code and the use of excessive mobile device permissions.

The most dramatic findings emerged from examining known vulnerabilities in financial and banking applications.

Of the 107 banking applications scanned, 94 contained at least one vulnerability—that’s 88 percent, well above the overall average of 63 percent. Given a total of 5,179 vulnerabilities identified, banking applications on average contained 55 vulnerabilities. Financial applications require some of the most personally sensitive data, making these numbers alarming due to the potential impact of a security breach.

Another troubling discovery the CyRC research uncovered is that banking application vulnerabilities are in the top three categories for the highest number of fixable and non-fixable vulnerabilities. In this context, “fixable” means that application developers can use a newer version of a software component – one that does not have the known vulnerabilities of the older version. “Non-fixable” simply means that a newer, fixed version of the component is not yet available.

There’s much at stake when it comes to financial data; we trust sensitive personal information to these apps. Some development teams are simply unaware that the components they have used accrue vulnerabilities over time.

By using software composition analysis (SCA) to point them toward available solutions, developers could easily knock out almost 40 percent of the vulnerabilities found in this study. For example, an SCA solution would identify the components (known as a bill of materials) used in an app and list the associated known vulnerabilities. Just by refreshing components to their latest versions, developers could improve the security stance of their app.

By prioritizing vulnerabilities and spending valuable resources on the most pressing and potentially dangerous vulnerabilities, developers could optimize their time in closing security gaps.

For consumers, this report highlights the jarring reality that even the most popular mobile apps are not immune to security and privacy weaknesses and should not be trusted implicitly. Unfortunately, consumers do not have a good way to evaluate the security of apps; they trust the app store to protect them from malicious code. As always, common sense and skepticism are a consumer’s best weapons. Is the convenience of an app worth the risk of installing it?

The only way apps get better is when they are built better. For the banking industry, this report should be viewed as a wake-up call. The results clearly show that many development teams are unaware of the known vulnerabilities in the components they use or do not have a mechanism in place to address them. SCA is the tool that solves this problem.

But the whole story is much bigger than SCA. More secure, better applications can only be created when security is part of every phase of development, from design through implementation, testing, and maintenance. Threat modeling during design helps mitigate design weaknesses, while SCA, source analysis and various kinds of dynamic testing help eliminate code weaknesses as an integral part of application development.

Jonathan Knudsen is a senior security strategist at Synopsys.