Popular fintech apps reveal valuable, exploitable secrets

by · March 5, 2023

Popular fintech apps reveal valuable, exploitable secrets

92% of the most popular banking and financial services apps contain secrets and easy-to-extract vulnerabilities that could allow attackers to steal consumer data and finances, according to Approov.

vulnerabilities in financial services apps

Approov Mobile Threat Lab downloaded, decoded and scanned the top 200 financial services apps in the US, UK, France and Germany from the Google Play Store, examining a total of 650 unique apps.

92% of apps leaked valuable, exploitable secrets and 23% of apps leaked extremely sensitive secrets.

Vulnerabilities in financial services apps

In addition to revealing secrets immediately, scans also indicated two critical runtime attack surfaces that could be used to steal API keys at runtime. Only 5% of apps had good defenses against runtime attacks that manipulated the device environment, and only 4% were well protected against runtime Man-in-the-Middle (MitM) attacks.

“Have we all unwittingly become beta testers for financial services apps? Does this put our private finances at risk? Continuous news of breaches seems to indicate that this is the case and it is unacceptable!” said Approov CEO Ted Miracco.

“This research shows that hard-coding of sensitive data in mobile apps is widespread and a huge problem as secrets can be easily extracted. A simple automated scan can show any threat actor how well-protected apps are running. Unfortunately, financial apps fall short,” added Miracco to.

Crypto apps are more likely to leak sensitive secrets

  • None of the 650 apps “checked the box” when it comes to the three attack surfaces examined. All failed in at least one category.
  • Only four apps had runtime protection against channel MitM attacks and “man-in-the-device.” All were payment and transfer apps, and none were in the US
  • In general, apps distributed in Europe were better protected than apps available only in the US, for immediate covert exposure and runtime protection. This may be due to stricter privacy rules in Europe and more focus on security.
  • Crypto apps were more likely to leak sensitive secrets as 36% immediately offered highly sensitive secrets when scanned.
  • Only 18% of personal finance apps leaked sensitive information, possibly because they rely less on sensitive APIs.
  • For Man-in-the-Device attacks, traditional banks are twice as likely to be well protected compared to other sectors, reflecting the use of wrappers and protectors to protect against runtime manipulation.
See also  UK Fintech News Roundup: The Latest Stories 22/02

Related posts:

  1. Rivonia Road Capital Gives $50 Million To Innovative Seller Fintech Tandym | Business
  2. Pennsylvania Community Bank is partnering with Fintech to digitize all aspects of commercial lending
  3. Cashfree Payments launches ‘issuance’ platform for fintech firms
  4. China’s crackdown on Ant and other tech giants is “basically” over, the top official says

Tags:

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

Headline Posts