Consumers are rapidly embracing mobile banking options, but, as financial institutions roll out apps to meet demand, many are falling short on some software security counts, according to a recent report from security firm Praetorian. According to the study – which tested 275 apps from the top 50 financial institutions, 50 of the largest regional banks and 50 of the largest credit unions – eight out of 10 mobile banking applications contain some type of configuration or design flaw that could place them at risk.
Although the report didn’t highlight how individual apps fared, some of the major banks whose apps were part of the study included Bank of America, JP Morgan Chase, Citigroup, Wells Fargo and Goldman Sachs. The types of weaknesses the company looked for were not necessarily outright software vulnerabilities – researchers told Dark Reading they would have needed additional permission to search for issues such as SQL injection flaws – but rather relatively low-risk issues that could be exploited.
For iOS apps, these included the absence of basic mitigations: Automatic Reference Counting, a memory-management feature; Position Independent Executable, a feature for preventing buffer overflows; stack protection to safeguard against stack smashing; and address space layout randomization, Dark Reading reported. Additionally, many Android mobile banking apps targeted outdated software development kits and shipped with debugging enabled. Many also requested more permissions than they needed.
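The weaknesses listed above are build-configuration properties that can be checked mechanically before release. The following is an added example, not code from Praetorian's report or the article: it flags an Android manifest that is debuggable, targets an old SDK, or requests permissions outside an allowlist, and reads the `MH_PIE` flag from a Mach-O header to tell whether an iOS executable was built as a Position Independent Executable. The manifest text, the header bytes, the SDK threshold and the permission allowlist are all constructed for the example.

```python
"""Release-configuration checks for the weakness classes named in the article.

Assumptions (not from the article): the manifest XML and the Mach-O header
bytes below are constructed; in practice you would run these on the decoded
AndroidManifest.xml of the APK and on the app's main executable."""
import struct
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MIN_TARGET_SDK = 19  # threshold chosen for the example, not a standard

# Constructed manifest carrying all three Android weaknesses the article lists:
# a debuggable build, an old target SDK, and permissions a banking app does not need.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
    <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="10"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Bank" android:debuggable="true"/>
</manifest>
"""

# Least-privilege allowlist: everything the app is expected to request, and nothing else.
EXPECTED_PERMISSIONS = {"android.permission.INTERNET"}


def _attr(elem, name):
    """Read an attribute in the android: namespace using ElementTree's Clark notation."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def check_android_manifest(xml_text, min_target_sdk, expected_permissions):
    """Return a list of finding strings; an empty list means the manifest passed."""
    root = ET.fromstring(xml_text)
    findings = []

    app = root.find("application")
    if app is not None and _attr(app, "debuggable") == "true":
        findings.append('debuggable: android:debuggable="true" in a release manifest')

    sdk = root.find("uses-sdk")
    target = _attr(sdk, "targetSdkVersion") if sdk is not None else None
    if target is None or int(target) < min_target_sdk:
        findings.append(f"outdated-sdk: targetSdkVersion={target} is below {min_target_sdk}")

    requested = {_attr(p, "name") for p in root.findall("uses-permission")}
    for perm in sorted(requested - expected_permissions):
        findings.append(f"permission-overuse: {perm} is not on the allowlist")
    return findings


# Mach-O header constants (from <mach-o/loader.h>).
MH_MAGIC = 0xFEEDFACE      # 32-bit, little-endian
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit, little-endian
MH_PIE = 0x00200000        # executable was linked as position independent


def macho_is_pie(header):
    """Return True if the MH_PIE flag is set in a little-endian Mach-O header."""
    magic = struct.unpack_from("<I", header, 0)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O header")
    # Layout: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags[, reserved]
    flags = struct.unpack_from("<I", header, 24)[0]
    return bool(flags & MH_PIE)


def make_macho_header(flags, is_64=True):
    """Build a constructed Mach-O header (arm64, MH_EXECUTE) with the given flags."""
    fields = [MH_MAGIC_64 if is_64 else MH_MAGIC, 0x0100000C, 0, 2, 0, 0, flags]
    if is_64:
        fields.append(0)  # reserved word present only in the 64-bit header
    return struct.pack("<%dI" % len(fields), *fields)


if __name__ == "__main__":
    for finding in check_android_manifest(SAMPLE_MANIFEST, MIN_TARGET_SDK, EXPECTED_PERMISSIONS):
        print(finding)
    # 0x85 = MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL; adding MH_PIE gives a hardened build.
    print("PIE:", macho_is_pie(make_macho_header(0x00200085)))
    print("PIE:", macho_is_pie(make_macho_header(0x00000085)))
```

Stack protection and ARC are visible in the same binary through its imported symbols (`___stack_chk_guard` and `_objc_release` respectively), which requires walking the load commands to the symbol table rather than reading the header alone; that step is left out here.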
“These aren’t business-logic or application-specific issues. They are weaknesses across the mobile apps – things developers should be doing” but they are not, Nathan Sportsman, founder and CEO of Praetorian, told Dark Reading.
Understanding the weaknesses
The testing was done on apps as downloaded from the Apple App Store and Google Marketplace, and was therefore confined to the user-side app interface rather than the back-end system. Nonetheless, the number of issues discovered was substantial. In general, major financial institutions fared better than regional ones and credit unions, but the difference was not enormous. In total, the study found 108 configuration weaknesses in credit union apps, 97 in those of regional banks and 75 among the “megabanks.”
One of the reasons highlighted for the discrepancy is the tendency of larger institutions to use in-house development teams, while smaller banks tend to outsource development, the study noted. Additionally, national banks tend to be at the forefront of security practices already, and they invest more in ongoing maintenance, while regional banks tend to adopt new security measures retroactively and, when outsourcing product development, treat the application as more or less complete upon delivery.
“The way in which mobile applications were developed may have directly contributed to the outcomes of the study,” the report stated.
Considerations for developers
According to the Pew Research Center, the percentage of U.S. adults using mobile banking grew from 24 percent in 2012 to 35 percent in 2013. Another report from NSS Labs anticipates 70 percent growth in the year ahead, Dark Reading noted. Concurrent with that rise is an increase in risk. Desktop banking Trojans such as Citadel have been modified for mobile ecosystems, and a number of fraudulent banking apps intended to deceive consumers have spread into the Android app stores, a recent BankTech article reported.
With increased focus on mobile security, developers have a responsibility to avoid these types of design issues and configuration oversights in their apps, Sportsman told Dark Reading. At the same time, developers are under pressure to roll out apps quickly as mobile banking use grows, which can be a factor in poor design. Balancing security with ease of use and accessibility for customers can be a major challenge as well, BankTech contributor Gary McIlraith noted.
“Users have access to everything, all of the time,” he wrote. “This often means putting rapid access and slick delivery ahead of security, with app development often falling prey to this mindset.”
Given the pressures facing the development of mobile banking apps, developers can benefit from using tools that help them quickly scan for security and configuration oversights, such as static analysis software. As mobile banking software security becomes an increasingly important issue, the onus is on developers to adopt more secure methods in their build process.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.