Study: APAC Banking Apps Are Not Secure
AppKnox Identifies Shortcomings in Applications
Some 85 percent of the mobile banking apps in the Asia-Pacific region fail basic security checks, according to a recent study by AppKnox, a cloud-based app security company. Half of the apps studied had at least four security loopholes, AppKnox claims (see: Boosting Mobile Banking Security).
The company says it put 106 mobile banking apps to the test across 14 different threat scenarios and found that 85 percent of them had security loopholes of high, medium or low severity. The study also found that more than 74 percent of the apps were diagnosed with the top 5 threats on the research team's checklist (broken trust manager for SSL, unused permissions, remote code execution, insufficient transport layer protection and derived crypto keys), making them vulnerable to attacks.
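The first item on that checklist, a "broken trust manager for SSL", is the Android anti-pattern of overriding certificate validation with no-op checks. The example below is added here and is not code from AppKnox or from any of the apps in the study; it assumes a Java/Android app that builds its own `SSLContext`, and shows the weak trust manager beside the hardened alternative plus a self-check an app's unit tests can run.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerCheck {
    // WEAK: the "broken trust manager" pattern. Every check is a no-op, so a
    // self-signed, expired or wrong-host certificate is accepted and anyone on
    // the network path can terminate TLS and read or alter banking traffic.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] c, String a) { }
        @Override public void checkServerTrusted(X509Certificate[] c, String a) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // HARDENED: do not override validation at all; use the platform trust
    // store. init(null) loads the system CA set on both the JDK and Android.
    static X509TrustManager systemTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Build an SSLContext from the hardened trust manager; hand
    // ctx.getSocketFactory() to HttpsURLConnection (or OkHttp) instead of TRUST_ALL.
    static SSLContext hardenedContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { systemTrustManager() }, null);
        return ctx;
    }

    // Self-check for an app's unit tests: a real trust manager rejects an
    // empty chain (the default implementation throws IllegalArgumentException),
    // while a permissive one returns silently. A result of true means "broken".
    static boolean acceptsEmptyChain(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return true;
        } catch (IllegalArgumentException | CertificateException e) {
            return false;
        }
    }
}
```

Calling `acceptsEmptyChain(TRUST_ALL)` from a test reproduces the finding, while `acceptsEmptyChain(systemTrustManager())` shows the platform validator refusing the same input; the hostname verifier must likewise be left at its default rather than replaced with an allow-all implementation.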
The study included almost all the APAC banks that offer their services via a mobile app running on Android and available in the Google Play Store, AppKnox says.
Members of AppKnox's ethical hacking team who tested the 106 apps found they could bypass two-factor authentication in some cases by sniffing the one-time password sent to a user of the bank's app, the company reports. On some payment wallet apps, they were also able to trick the system into believing that an amount had been paid when it had not.
Cause for Concern?
Information security experts acknowledge that mobile banking is still in its initial stages in much of APAC, and the maturity of mobile banking varies widely among nations.
"Some countries in the APAC region might have inadequate security measures for their digital and mobile transactions. So, the overall numbers might look alarming, despite the fact that the region actually has some mature markets too," says Bharat Panchal, CISO of the National Payment Corp. of India, an umbrella organization for all retail payment systems in India. He anticipates that the mobile banking space will start paying more attention to security as the ecosystem evolves.
"Unless one is driven by compulsions, such as legal and compliance, most users currently tend to put usability, convenience and access way before anything else, especially security," adds Akash Mahajan, a director at Appsecco, an application security company.
As more consumers in less mature markets, including Vietnam and the Philippines, start using mobile banking, security will likely become a critical issue, experts warn. But many nations in the region lack strong privacy and security laws and have a largely unregulated mobile app space.
"Since businesses are not punished [for security violations], often security takes a back seat," says Prateek Panda, co-founder of AppKnox (see: RBI Issues New Cybersecurity Guidance). "Mobile has become a great channel to acquire more users, and that is what businesses are focusing on. It is shocking to see that banks and payment apps are not taking security seriously."
Key Security Steps
App security needs to be tightly integrated with device security, as well as the security of the platform on which the app is hosted, Panchal says.
"It's important that banks inculcate security within the entire system, including their mobile apps, because the end-users today demand security as a basic feature," he adds.
OWASP, the Open Web Application Security Project, publishes guidelines for application security, and existing standards such as OWASP ASVS 3.0 cover an entire risk verification domain for mobile applications. Plus, the major platform providers, including Google, Apple and Microsoft, are devising ways to help ensure that applications and platforms are secure, Mahajan says.
It's difficult to determine just how common attacks against mobile apps are in the APAC region, says Aditya Gupta, CEO and founder of Attify, a security firm specializing in mobile and Internet of Things security. "Depending on how good or bad the detection abilities are, some of the attacks might even go unnoticed," he says.
To help minimize risks, banks should take several steps, Gupta says, including: patching their systems to avoid commonly found vulnerabilities; conducting external penetration testing for their applications and infrastructure; and addressing security issues during the application development lifecycle.