Popular fintech apps reveal valuable, exploitable secrets
92% of the most popular banking and financial services apps contain secrets and easy-to-extract vulnerabilities that could allow attackers to steal consumer data and finances, according to Approov.
Approov Mobile Threat Lab downloaded, decoded and scanned the top 200 financial services apps in the US, UK, France and Germany from the Google Play Store, examining a total of 650 unique apps.
92% of apps leaked valuable, exploitable secrets and 23% of apps leaked extremely sensitive secrets.
Vulnerabilities in financial services apps
In addition to revealing secrets immediately, scans also indicated two critical runtime attack surfaces that could be used to steal API keys at runtime. Only 5% of apps had good defenses against runtime attacks that manipulated the device environment, and only 4% were well protected against runtime Man-in-the-Middle (MitM) attacks.
“Have we all unwittingly become beta testers for financial services apps? Does this put our private finances at risk? Continuous news of breaches seems to indicate that this is the case and it is unacceptable!” said Approov CEO Ted Miracco.
“This research shows that hard-coding of sensitive data in mobile apps is widespread and a huge problem as secrets can be easily extracted. A simple automated scan can show any threat actor how well-protected apps are running. Unfortunately, financial apps fall short,” added Miracco to.
Crypto apps are more likely to leak sensitive secrets
- None of the 650 apps “checked the box” when it comes to the three attack surfaces examined. All failed in at least one category.
- Only four apps had runtime protection against channel MitM attacks and “man-in-the-device.” All were payment and transfer apps, and none were in the US
- In general, apps distributed in Europe were better protected than apps available only in the US, for immediate covert exposure and runtime protection. This may be due to stricter privacy rules in Europe and more focus on security.
- Crypto apps were more likely to leak sensitive secrets as 36% immediately offered highly sensitive secrets when scanned.
- Only 18% of personal finance apps leaked sensitive information, possibly because they rely less on sensitive APIs.
- For Man-in-the-Device attacks, traditional banks are twice as likely to be well protected compared to other sectors, reflecting the use of wrappers and protectors to protect against runtime manipulation.