Popular fintech applications reveal valuable, exploitable secrets
According to Approov, 92% of the most popular banking and financial services apps contain easily copied secrets and vulnerabilities that allow attackers to steal consumer data and finances.
The Approov Mobile Threat Lab downloaded, decoded, and scanned the top 200 financial services apps from the Google Play Store in the US, UK, France, and Germany, examining a total of 650 unique apps.
92% of apps leaked valuable, exploitable secrets, and 23% of apps leaked highly sensitive secrets.
Security Vulnerabilities in Financial Services Applications
In addition to the secrets exposed directly in the app packages, the investigation also identified two critical runtime attack surfaces through which API keys can be stolen while an app is running. Only 5% of applications had adequate protection against runtime attacks that manipulate the device environment (man-in-the-device), and only 4% were well protected against man-in-the-middle (MitM) attacks on the network channel.
“Have we all unknowingly become beta testers for financial services apps? Does this put our personal finances at risk? The constant news of violations shows that this is the case and it is unacceptable!” said Approov CEO Ted Miracco.
“This research shows that hard-coding sensitive data in mobile apps is widespread and a huge problem because secrets are easily extracted. A simple automated scan can show any threat actor how protected applications are at runtime. Unfortunately, financial applications fall short,” Miracco added.
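The kind of automated scan Miracco refers to is something a development team can run against a decoded build of its own app before release. The following Python script is an added illustration written for this page, not Approov's tooling: it walks text pulled from decoded app resources (strings.xml, BuildConfig, .properties), flags provider-specific key formats and high-entropy values assigned to secret-like names, and buckets findings into the report's two tiers, "valuable" and "highly sensitive". The sample resource files, the provider patterns, the entropy threshold and the severity labels are constructed assumptions; extend the pattern list for the services your app actually calls.

```python
"""Scan text from a decoded Android build for hard-coded secrets.

Added example for this page (not Approov's scanner). Pattern list,
entropy threshold and severity labels are illustrative assumptions.
"""
import math
import re
from dataclasses import dataclass

MIN_ENTROPY = 3.5  # bits per character; assumed threshold, tune per codebase
PLACEHOLDER_WORDS = ("placeholder", "replace", "changeme", "your_", "todo")

# Provider-specific key formats. Severity is an assumed classification:
# "highly sensitive" grants direct backend/cloud access, "valuable" is
# cheap to abuse but normally scoped (quota theft, unauthenticated API use).
PROVIDER_PATTERNS = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "highly sensitive"),
    ("PEM private key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"), "highly sensitive"),
    ("Google API key", re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"), "valuable"),
]

# Generic `secret-like-name = value` assignments in XML attribute, Java/Kotlin
# or .properties syntax; the value must be at least 16 characters long.
GENERIC_ASSIGNMENT = re.compile(
    r'(?i)\b(?P<name>[a-z0-9_.\-]*(?:api[_\-]?key|secret|token|password|passwd)'
    r'[a-z0-9_.\-]*)\s*(?:[:=]|">)\s*["\']?(?P<value>[A-Za-z0-9_\-/+=]{16,})'
)
HIGH_SEVERITY_NAMES = re.compile(r"(?i)secret|password|passwd|private")


@dataclass
class Finding:
    kind: str
    severity: str
    file: str
    line_no: int
    redacted: str  # never write the full value into CI logs


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for a constant string, about 4 for random hex."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def redact(value: str) -> str:
    return value[:4] + "..." + f"({len(value)} chars)"


def scan_text(file: str, text: str) -> list:
    """Return Findings for one decoded file; each (line, value) reported once."""
    findings, seen = [], set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx, severity in PROVIDER_PATTERNS:
            for m in rx.finditer(line):
                if (line_no, m.group(0)) in seen:
                    continue
                seen.add((line_no, m.group(0)))
                findings.append(Finding(kind, severity, file, line_no, redact(m.group(0))))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            name, value = m.group("name"), m.group("value")
            if (line_no, value) in seen:
                continue  # already reported under a provider-specific pattern
            if any(w in value.lower() for w in PLACEHOLDER_WORDS):
                continue  # build-time placeholder, not a live credential
            if shannon_entropy(value) < MIN_ENTROPY:
                continue  # constant filler such as "xxxxxxxx...", not a key
            seen.add((line_no, value))
            severity = "highly sensitive" if HIGH_SEVERITY_NAMES.search(name) else "valuable"
            findings.append(Finding(f"hard-coded value for '{name}'", severity,
                                    file, line_no, redact(value)))
    return findings


def scan_all(files: dict) -> list:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def summarize(findings: list) -> dict:
    """Count findings per severity tier, mirroring the report's two buckets."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample of decoded resources; not taken from any real app.
SAMPLE_FILES = {
    "res/values/strings.xml": """\
<resources>
    <string name="app_name">Demo Bank</string>
    <string name="api_base_url">https://api.example.com/v1</string>
    <string name="payments_api_secret">9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c</string>
    <string name="auth_token">REPLACE_AT_BUILD_TIME_WITH_TOKEN</string>
</resources>""",
    "BuildConfig.java": """\
public final class BuildConfig {
    public static final String MAPS_API_KEY = "AIzaSyA0123456789abcdefghijklmnopqrstuv";
    public static final String AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
    public static final String CLIENT_SECRET = "xxxxxxxxxxxxxxxxxxxxxxxx";
}""",
}

if __name__ == "__main__":
    results = scan_all(SAMPLE_FILES)
    for f in results:
        print(f"[{f.severity}] {f.file}:{f.line_no} {f.kind} -> {f.redacted}")
    print(summarize(results))
```

On the constructed sample the scan reports three hard-coded credentials (a Google API key as "valuable", an AWS access key ID and a 32-hex-character API secret as "highly sensitive") while skipping the build-time placeholder and the constant filler value. The placeholder-word and entropy filters only remove obvious non-secrets; a real pipeline should treat any remaining hit as a release blocker and move the value to a backend or a runtime attestation service rather than the app package.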
Crypto apps are more likely to leak sensitive secrets
- None of the 650 applications “ticked all the boxes” across the three attack surfaces examined: every one failed in at least one category.
- Only four applications had runtime protection against both channel MitM attacks and man-in-the-device attacks. All four were payment and remittance apps, and none were in the US.
- In general, apps available in Europe were better protected than US-only apps, thanks to out-of-the-box encryption and runtime protection. This may be due to tighter European data protection rules and greater attention to security.
- Crypto apps were more likely to leak sensitive secrets, with 36% immediately offering highly sensitive secrets when scanned.
- Only 18% of personal finance apps leaked sensitive information, likely because they depend less on sensitive APIs.
- For man-in-the-device attacks, traditional banks were twice as likely as other sectors to be well protected, reflecting their use of app wrappers and protection tools against runtime manipulation.