The Facebook data breach grabbed recent headlines, reigniting public debate about social media privacy concerns. But it is actually finance apps that are the most vulnerable.  

According to a new report published by Intertrust—a pioneer of digital rights management (DRM) technology and a leading provider of application security solutions—around 80% of financial apps have at least one serious vulnerability that can lead to a breach of data.  

The 2021 State of Mobile Finance App Security Report is based on the analysis of 160 top publicly available mobile financial services apps from four major categories: banking, mobile payment, investment/trading, and lending.

The apps investigated originated in the United States, the United Kingdom, the European Union, Southeast Asia, and India.  

Talal Shamoon, CEO at Intertrust (Image source: LinkedIn)

The Silicon Valley-based company, led by CEO Talal Shamoon, says every app tested had at least one basic security issue, 88% had cryptographic issues, 81% can leak data, and 77% contained flaws that present high-level risks to finance organizations and their customers.

“Applications in all four finance categories displayed widespread insecure coding practices along with a general lack of application security controls and in-app technology protections, such as application shielding, runtime application self-protection (RASP), and white-box cryptographic key protection.”  

David Maher, chief technology officer and executive vice president at Intertrust, believes it is vital to understand the security risks associated with these apps and the ways to help mitigate them, as mobile finance apps increasingly enter people’s everyday lives.  

Surge in mobile finance use

Thanks to the coronavirus pandemic, finance app installs flourished in 2020, increasing by 15% compared to 2019. Users worldwide installed 4.6 billion finance apps and spent 16.3 billion hours in-app, up 45% from the previous year.

“Poor financial app security puts both financial organizations and their customers at risk, especially given the rise in cyberattacks over the course of the pandemic,” Maher added.

David Maher, CTO at Intertrust (Image source: Intertrust)
David Maher, CTO at Intertrust (Image source: Intertrust)

The report highlights that malware targeting mobile finance applications remains one of the fastest growing and rapidly-evolving cyber threats.

In 2020, 156,710 new mobile banking trojans were detected, more than doubling over the previous year.

Out of the four categories, banking apps were found to be considerably more vulnerable both in terms of total number of issues and severity—35% contained more than 10 vulnerabilities and 81% at least one critical or high severity issue.

Payment apps fared slightly better at 29% and 75%, respectively. Lending apps claimed the most secure spot, which Intertrust says could be partially attributed to their more limited functionality.

In its testing, Android apps had far more issues than iOS apps and significant variations were observed between geographies in app security levels, with UK finance apps containing far fewer security issues than apps from other regions.   

Prevention is key

The report notes that nearly three-fourths of high severity threats could have been mitigated using in-app protection.

“The vast majority of financial services apps (88%) have mishandled and/or weak encryption that puts them at risk for data theft. Key protection technologies such as white-box cryptography should be used to secure the encryption process,” it added, while emphasizing the importance of anti-tampering and runtime protections.

Intertrust also recommends that service providers follow basic secure app design practices, test regularly and follow a DevSecOps framework so that security is part of the development lifecycle, stay on top of the latest regulatory changes and security compliance requirements such as GDPR and PCI-DSS, and protect cryptographic keys.

The full Intertrust 2021 State of Mobile Finance App Security Report can be downloaded from here, and fintech organizations can find more information on mobile app security here.

Disclaimer: This article mentions a client of an Espacio portfolio company.