Explore the Latest in Tech Innovations

Please enable JavaScript in your browser to complete this form.
Name

92% of Google Play Store’s 650 Most Popular Fintech Apps Expose Exploitable Secrets

Mar 3, 2023 | News

SOURCE: Approov

New analysis from Approov show that ninety two percent of the most popular banking and financial services apps on the Google Play Store contain easy-to-extract secrets (such as API keys), which could be used by cyber attackers in scripts and bots to steal data, devastating consumers and the institutions they trust.

The study “Mobile App Security Report – Exposing the Security Vulnerabilities of Top Finance Apps” (link is at bottom) summarizes the work of the Approov Mobile Threat Lab. The team downloaded, decoded and scanned the top 200 financial services apps in the U.S., U.K., France and Germany, investigating a total of 650 unique apps.

Only 5% of the apps examined had good defenses against runtime attacks manipulating the device environment and only 4% were well protected against Man-in-the-Middle (MitM) attacks at run-time. As well as immediately exposing secrets, scans also indicated two critical runtime attack surfaces that could be used to steal API keys at runtime.

“Have we all unknowingly become beta-testers for financial services apps? Is this putting our personal finances at risk? Continuing news about breaches seems to indicate this is the case,” said Approov CEO Ted Miracco.

  • https://x.com/ITBriefcase
  • LinkedIn

Other findings:

– None of the 650 apps “ticked all the boxes” in terms of the three attack surfaces investigated. All failed in at least one category.

– Only four apps had runtime protection against channel MitM attacks and “man-in-the-device.” All were payment and transfer apps and none with such protections were in the U.S.

– In general, apps deployed in Europe were better protected than apps available only in the U.S., for immediate secret exposure and runtime protections.

– Crypto apps were more likely to leak sensitive secrets as 36% immediately offered highly sensitive secrets when scanned.

– 18% of personal finance apps leaked sensitive information, possibly because they are less dependent on sensitive APIs.

– For Man-in-the-Device attacks, traditional banks’ mobile apps are twice as likely to be well protected over other sectors reflecting the use of packers and protectors to protect against run-time manipulation.  

“This research shows hardcoding sensitive data in mobile apps is widespread and a massive problem since secrets can easily be extracted. A simple automated scan can show any threat actor how well protected apps are at runtime. Unfortunately, financial apps fall short,” Miracco added.

The Approov Mobile Threat Lab report is available here (https://info.approov.io/secret-report).

The report explains the approach and provides detailed findings, allowing financial services teams to replicate tests performed and check the security of their apps.

Click here to view more IT Briefcase content!

author avatar
  • https://x.com/ITBriefcase
  • LinkedIn
Rocky Giglio
How to Spot and Report Phishing Emails

How to Spot and Report Phishing Emails

Phishing emails are among the most common cyber threats today. Designed to trick recipients into giving up sensitive information or downloading malware, they account for over 90% of successful cyberattacks. These emails exploit human behavior rather than technical...

read more
3-minute assessment to better cyber security

3-minute assessment to better cyber security

Start taking control of your security posture with our 3-minute security assessment, a quick yet powerful tool designed to identify critical vulnerabilities and bolster your cyber resilience. In just a few moments, discover how your current security posture measures up and gain insights into actionable steps you can take to strengthen your defenses. Take the first step towards a more secure environment and empower your team to embrace proactive measures that protect your valuable assets. Join us today and make informed decisions to navigate the ever-evolving landscape of cybersecurity.

read more
Share This