Study Finds Biggest Banks’ Mobile Apps Have Numerous Vulnerabilities

DALLAS—Common sense would suggest the biggest U.S. banks would have some of the most secure mobile apps, but a new study indicates that is not the case.

New findings from security firm Zimperium reveal most of the top banking apps have security flaws that put user data at risk, reports TechCrunch.

“The researchers found most of the apps had issues, like failing to adhere to best coding practices and using old open-source libraries that are infrequently updated,” explained TechCrunch.

Some of the apps were using open-source code from GitHub from more than three years ago, said Scott King, Zimperium’s director of embedded security.

Worse, more than half of the banking apps are sharing customer data with at least one advertiser, the researchers alleged.

The researchers, who didn’t name the banks, said one of the worst offending iOS apps scored 86 out of 100 on the risk scale for several privacy lapses, including communicating over an unencrypted HTTP connection, TechCrunch said.

Vulnerable to 2 Known Bugs

The same app was vulnerable to two known remote bugs dating back to 2015. The researchers said the risk scores for the banks’ corresponding Android apps were far higher. Two of the apps were rated with a risk score of 82 out of 100. Both of the apps were storing data in an insecure way, allowing third-party apps to access and recover sensitive data on a rooted device, said King.

“One of the Android apps wasn’t properly validating HTTPS certificates, making it possible for an attacker to perform a man-in-the-middle attack. Several of the iOS and Android apps were capable of taking screenshots of the app’s display, increasing the risk of data leaking,” TechCrunch said.

Zimperium said two-thirds of the Android banking apps are targeted by several malware campaigns, such as BankBot, which tricks users into downloading fake apps from Google Play and waits until the victim signs into a banking app on their phone. Using an overlay screen, the malware campaigns steal logins and passwords.

Copyright Holder: CUToday.info
Copyright Year: 2026