Praetorian Study Reveals 8 out of 10 Mobile Banking Apps Have Security Flaws

January 22, 2024 By: Gregory Sweet

A report released last month by Praetorian, a leading information security provider, details the challenges faced by today’s banking institutions while building and maintaining secure mobile banking apps.

The study reveals repeated build and configuration weaknesses in the majority of banking apps available from the App Store and the Google Play store. While cursory, the results indicate a need for improved mobile application security as payment solutions coincide with the advancement of mobile technology.

Praetorian’s key findings

  1. Build and configuration weaknesses have been identified in 8 out of 10 mobile banking apps.
  2. A security gradient exists between megabanks, regional banks, and credit unions.
  3. Results may suggest finite development cycles or limited maintenance in mobile banking apps.

A total of 275 mobile banking apps offered by the top 50 financial organizations, 50 largest regional banks, and 50 largest U.S. credit unions were included in the study.

The apps were analyzed by Praetorian’s Project Neptune, a new mobile application security testing platform. Paul Jauregui, VP of Marketing at Praetorian, explains Project Neptune’s origins, “We wanted to focus our attention on a large set of mobile apps that were being developed in an industry vertical that has historically invested in security. The banking industry was a natural fit.”

Project Neptune covers build management, configuration management, authentication, authorization, session and token management, data validation, data confidentiality, error and exception handling, and auditing and logging.

Stephen Morrow is a Principal Security Consultant at SQS (Software Quality Systems). SQS has over 30 years of experience providing solutions for all aspects of software quality.

He explains that the majority of the mobile software involved in the study has configuration issues that make it weak and vulnerable to attack or misuse, “In terms of security for mobile applications, poor build and configuration management refers to practices and settings that result in the software not being secure when deployed to a device.”

Stephen notes such deficiencies are not unique to banking applications, “Weaknesses in build and configuration management are not new and we still see this problem with other types of applications so it is no surprise to see them in mobile banking applications.”

Bigger Always Better?

Analysis of the findings confirms that larger banks are quick to adopt security technology, in-source development efforts, and maintain mobile development projects over time.

On the other hand, smaller regional banks and credit unions tend to reactively adopt new security technology, outsource development efforts, and maintain finite development cycles.

When asked if bigger banks have the upper hand in mobile banking Stephen notes, “I think it is too much of a generalization to say that bigger banks have more secure banking applications but it is evident that they have invested more on application security initiatives and are more mature in their approach to managing ongoing security requirements.”

The manner in which mobile applications are developed may also contribute to their level of security. Paul notes many credit unions tend to outsource their banking app development to third parties. Frequently the third party’s top priority is on rolling out the application to satisfy customer demand. Results show a continual lack of maintenance over time because in most cases the relationship between credit union and third party dissipates once the app is finished.

Importance of Ongoing Maintenance

Praetorian’s study emphasizes that incremental and rapid release cycles are driving the need for continuous and on-demand security evaluation to help address unique challenges encountered while building and maintaining secure mobile applications.

Stephen details how routine updates are necessary to guard against vulnerabilities and attacks, “If an application is said to be secure today, it doesn’t mean it will be secure tomorrow and as a result ongoing security verification and maintenance should be a mandatory part of the application’s lifecycle.”

While acknowledging that smaller financial institutions should take more care in their mobile application upkeep, Stephen believes that all organizations are playing catch-up in ensuring necessary security controls and countermeasures for securing mobile applications are built into their software releases.

Stephen also points out that while ongoing assessments are fundamental, addressing security requirements requires a “holistic” but measured approach that is aligned with business risk, “It’s true that each time code is changed there is potential for new security issues to be introduced and organizations need to find a way to detect these to manage the security risks associated with their software development efforts.

At SQS we believe that security should be built-in to the software development lifecycle which enables organizations who are building software to proactively deliver on the security requirements of all types of software.”

Both Paul and Stephen agree that the identified security deficiencies should not exist in today’s app marketplace. For example, Paul notes the absence of Automatic Reference Counting (ARC), which was introduced in the App Store two years ago, is striking, “There is really no reason for not using it in today’s available applications.”
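The weaknesses the article discusses are build-time settings that can be verified from the shipped binary without running it. As an added illustration, not Project Neptune code and not anything from the Praetorian study, the Python below shows the kind of static build-setting check a defender can run on an iOS binary: it decodes the 64-bit Mach-O header to see whether the PIE flag is set (so ASLR can randomise the image), then scans the image for runtime symbols that an ARC-enabled build (`_objc_retainAutoreleasedReturnValue`) and a stack-protected build (`___stack_chk_guard`) link against. The images it inspects are constructed by `make_sample` for the demonstration; the symbol-name scan is a simplification chosen here (a full check would walk the `LC_SYMTAB` load command the way `otool -I -v` does).

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O magic in native byte order
MH_CIGAM_64 = 0xCFFAEDFE   # the same magic seen byte-swapped
MH_PIE = 0x00200000        # header flag: image is position-independent (ASLR-capable)
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2

# Runtime symbols present when the corresponding build setting is on.
# Used here as indicators for the illustration; real tooling reads LC_SYMTAB.
ARC_SYMBOLS = (b"_objc_retainAutoreleasedReturnValue", b"_objc_storeStrong")
STACK_GUARD_SYMBOL = b"___stack_chk_guard"


def parse_header(data: bytes) -> dict:
    """Decode the 32-byte 64-bit Mach-O header, handling either byte order."""
    if len(data) < 32:
        raise ValueError("too short for a 64-bit Mach-O header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        order = "<"
    elif magic == MH_CIGAM_64:
        order = ">"
    else:
        raise ValueError("not a 64-bit Mach-O image: magic 0x%08x" % magic)
    fields = struct.unpack_from(order + "8I", data, 0)
    names = ("magic", "cputype", "cpusubtype", "filetype",
             "ncmds", "sizeofcmds", "flags", "reserved")
    return dict(zip(names, fields))


def check_hardening(data: bytes) -> dict:
    """Report PIE, ARC and stack-canary indicators plus the weaknesses found."""
    header = parse_header(data)
    result = {
        "pie": bool(header["flags"] & MH_PIE),
        "arc": any(sym in data for sym in ARC_SYMBOLS),
        "stack_canary": STACK_GUARD_SYMBOL in data,
    }
    findings = []
    if not result["pie"]:
        findings.append("not built as PIE; ASLR cannot randomise the image base")
    if not result["arc"]:
        findings.append("no ARC runtime references; manual retain/release in use")
    if not result["stack_canary"]:
        findings.append("no stack protector symbol; stack overflows go undetected")
    result["findings"] = findings
    return result


def make_sample(pie: bool, arc: bool, canary: bool) -> bytes:
    """Constructed sample image for the demonstration only; it is not loadable."""
    flags = MH_PIE if pie else 0
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         0, 0, flags, 0)
    # Mimic the NUL-separated string table a linker emits after the header.
    strtab = b"\x00"
    if arc:
        strtab += ARC_SYMBOLS[0] + b"\x00"
    if canary:
        strtab += STACK_GUARD_SYMBOL + b"\x00"
    return header + strtab


if __name__ == "__main__":
    for label, image in (("hardened", make_sample(True, True, True)),
                         ("weak", make_sample(False, False, False))):
        report = check_hardening(image)
        print(label, {k: v for k, v in report.items() if k != "findings"})
        for finding in report["findings"]:
            print("  -", finding)
```

To run it against a real app binary, pass the file's bytes to `check_hardening`; a universal (fat) binary starts with a different magic and must be sliced to one architecture first, which `parse_header` flags by raising. Because the same three settings are fixed at link time, this check belongs in the release pipeline rather than in a one-off review, which is the continuous verification the study argues for.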

Stephen remarked that the issues identified in the study are well known and should have been accounted for during the development of the applications, “Discovering their existence means that they can be resolved but it also means that there is a gap in the acceptance, release and maintenance processes which allows the software to be made available to the public.”

Bright Future for Neptune

Since the release of the study, Praetorian has received increased interest in Project Neptune. Paul reports there is a beta version being tested and a number of the same banks involved in the December 2013 study have already enrolled in beta. “There will likely be many following studies involving mobile payments. It’s a natural fit with Neptune.

Many of the mobile payment apps are freely accessible via the various mobile marketplaces, and Project Neptune makes it easy to run security tests on several hundred apps in a matter of minutes,” he explained.

Praetorian plans to open up their internal tools for anyone to assess their own apps for the same build and configuration weaknesses. Paul notes it would be interesting to run the same mobile banking apps through Project Neptune in the near future to see which institutions are evolving over time.

Paul Jauregui

Vice President, Marketing at Praetorian

Paul oversees the planning, development, and execution of Praetorian’s marketing and advertising activities. He is responsible for all aspects of Praetorian’s marketing, branding, communications and demand generation. In his role, he drives initiatives that support the company’s accelerated growth grounded in providing products and services that help the world’s leading companies achieve risk management success.

Stephen Morrow

Principal Security Consultant, SQS Group Limited

Stephen is a specialist in secure application design, development and testing, and has full lifecycle security and development experience in a variety of major Information Technology projects across the financial, private and public sectors. He is responsible for leading SQS’ security testing practice and defining SQS security testing methodologies.