Most US Banking Apps Have Security Flaws, Says Research

Most of the apps of top U.S. banks have security issues that put user data at risk, according to a report by Zimperium, a security firm.

The researchers downloaded the iOS and Android apps of the banks and scanned them for security and privacy issues, including data leaks that could expose private user information and communications. They found that most of the apps had flaws, such as failing to follow secure programming practices and relying on old open-source libraries that are not updated frequently.

Scott King, director of embedded security for Zimperium, said some of the app developers were using open-source code from GitHub that was more than three years old. Worse, more than half of the apps share customer data with at least one advertiser, the researchers said. They did not name the banks.

Among their findings, one of the worst-offending iOS apps scored 86 out of 100 on the risk scale for various privacy lapses, including communicating over an unencrypted HTTP connection. The same app was also vulnerable to two prevalent remote bugs from as early as 2015.

The researchers also said the risk scores for the banks' corresponding Android apps were higher, with two of the apps scoring 82 out of 100. Both apps stored data insecurely, allowing third-party apps to access and recover confidential data on a rooted device, King said.
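The two defects named above, cleartext HTTP endpoints and on-device storage that other apps can read, are both visible in an app's manifest and decompiled source, which is what a scan like the researchers' looks at. The Python below is an added example, not Zimperium's tooling and not code from any bank app: it runs two simple static checks over a constructed AndroidManifest.xml and a constructed fragment of decompiled Java source. The package name, URLs and file names in the samples are made up.

```python
"""Static checks for two defects reported in the article: cleartext HTTP
endpoints and world-readable app storage on Android.

Added example with constructed inputs; nothing here comes from a real app.
"""
import re
import xml.etree.ElementTree as ET

# ElementTree reports namespaced attributes as "{uri}name".
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest: opts the whole app into cleartext traffic.
# (Android 9 and later default this attribute to false; setting it to true
# reopens plain HTTP for every endpoint the app talks to.)
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:usesCleartextTraffic="true">
  </application>
</manifest>"""

# Constructed fragment of decompiled Java source from the same hypothetical app.
SAMPLE_SOURCE = """
SharedPreferences prefs = getSharedPreferences("session", Context.MODE_WORLD_READABLE);
FileOutputStream out = openFileOutput("token.txt", MODE_WORLD_WRITEABLE);
URL api = new URL("http://api.example-bank.test/v1/balance");
URL img = new URL("https://cdn.example-bank.test/logo.png");
"""

# A quoted URL literal using plain http:// (https:// deliberately not matched).
HTTP_URL = re.compile(r'"(http://[^"\s]+)"')
# Legacy file modes that make private app files readable/writable by any
# other app on the device; deprecated since API 17 and rejected on API 24+.
WORLD_MODE = re.compile(r"\bMODE_WORLD_(READABLE|WRITEABLE)\b")


def manifest_findings(xml_text):
    """Return findings for manifest-level settings that permit cleartext."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings
    if app.get(ANDROID_NS + "usesCleartextTraffic") == "true":
        findings.append(
            'manifest: android:usesCleartextTraffic="true" permits HTTP for every endpoint'
        )
    return findings


def source_findings(src):
    """Return findings for cleartext URLs and world-accessible file modes."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in HTTP_URL.finditer(line):
            findings.append(f"source:{lineno}: cleartext endpoint {m.group(1)}")
        for m in WORLD_MODE.finditer(line):
            findings.append(
                f"source:{lineno}: {m.group(0)} makes the file accessible to other apps"
            )
    return findings


def scan(manifest_xml, source_text):
    """Combine both checks into one list of findings."""
    return manifest_findings(manifest_xml) + source_findings(source_text)


if __name__ == "__main__":
    for finding in scan(SAMPLE_MANIFEST, SAMPLE_SOURCE):
        print(finding)
```

Run against the constructed samples, the scan reports the manifest-wide cleartext opt-in, the two world-accessible storage modes and the single `http://` endpoint, and stays silent on the `https://` URL. On a real app the same checks would be run over the decompiled APK rather than an inline string.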

Earlier this year, cybersecurity advisory firm Aite Group found in its research that security flaws in the mobile apps of some 30 financial services providers were putting these institutions and their customers at risk.

The firm uncovered widespread security deficiencies among the apps, exposing source code, personal information and account credentials, and giving access to backend systems. Besides insecure data storage, it identified a lack of binary protections, unintended data leakage, and weak encryption as the most serious vulnerabilities.