
Some 88% of banking apps possess at least one vulnerability which could be exploited, according to a study by the software company Synopsys.

The financial sector has been a primary target for hackers during the Covid-19 pandemic, according to the Bank for International Settlements, as homeworking and the use of digital applications has surged.

During the second quarter of 2020, for example, mobile app usage grew by 40% year-on-year, according to data from analytics firm App Annie, as national lockdowns encouraged downloads and online spending.

This behavioural shift could create further risks, according to US software group Synopsys, which has examined the code behind more than 3000 of the most popular Android apps, including several mobile banking apps.

According to Synopsys, 88% of banking apps possess at least one vulnerability that could be exploited by hackers.

“Banking apps have multiple factors of authentication that are pretty watertight, but it’s when you get to the next level down, with the components that go into the software, where there is the potential to cause complications,” said Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre.

Banking apps typically contain a variety of different components that interact with each other, and the open source design of most apps means that even a bank’s IT department may not know what all the different components do, or how one component refers to another, Mr Mackey said.

“If a bank’s senior management cannot categorically identify where every single component of software the bank is dependent upon comes from, and why that component has a role to play in its stack, then it could be putting the organisation at unnecessary risk,” he said.

“There could be a vulnerability where someone could gain control of a device or gain access to whatever the back-end systems are, or there could be a data bleed, and that could be that serious.”

Open source everywhere

The vast majority of apps are built upon open source components. This type of software, unlike commercial software, relies on the consumer to pull patches rather than have them pushed to them.

The presence of open source software itself does not present risk as long as it is actively managed and maintained, Mr Mackey said.

“Because open source [components are] present in the software, if [a bank] does not have a defined process to stay up to date and recognise where patches might originate from and so forth, [they could find they get caught out],” Mr Mackey said.

Other vulnerabilities cited in the report include information leakage, when developers inadvertently leave sensitive data exposed in the compiled application; and mobile permissions risks, when an application requires permissions from a device, but asks for more permissions than are necessary, which could compromise the user’s data if used improperly.
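The two issue classes described above, excessive permissions and sensitive data left in the compiled application, are the kind of thing a bank's review process can check mechanically before release. The script below is an added example and is not code from the Synopsys report or from any bank; it assumes the app's `AndroidManifest.xml` and its string table have already been extracted from the build (for instance with a decompiler such as apktool), and the manifest, the approved-permission policy, the secret patterns and the string samples it uses are all constructed for illustration.

```python
"""Pre-release review checks for an Android banking app (added example).

Two checks are implemented:
  1. Compare the permissions the manifest requests against an approved list,
     so a reviewer can "hit the stop button" on anything not justified.
  2. Scan extracted strings for values that look like credentials or keys
     that should never ship inside the compiled application.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest; a real one would come out of the build artefact.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

# Hypothetical policy: the permissions the app's review board has signed off.
APPROVED_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.USE_BIOMETRIC",
    "android.permission.CAMERA",  # e.g. cheque imaging; justification assumed
}

# Constructed string-table extract. None of these values are real credentials.
SAMPLE_STRINGS = [
    "https://api.example-bank.test/v2/accounts",
    "AKIAEXAMPLEEXAMPLE01",
    'api_key = "debug-key-1234567890"',
    "https://ops:hunter2@staging.example-bank.test/health",
    "Welcome back",
]

# Patterns for values that indicate information leakage in a shipped binary.
SECRET_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("basic_auth_in_url", re.compile(r"https?://[^/\s:@]+:[^/\s:@]+@")),
    ("hardcoded_secret_assignment",
     re.compile(r"(?i)\b(api[_-]?key|secret|password)\s*[=:]\s*['\"][^'\"]{8,}['\"]")),
]


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return every android:name declared on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # ElementTree keys namespaced attrs this way
    return [el.get(name_attr) for el in root.iter("uses-permission")]


def excessive_permissions(manifest_xml: str, approved=APPROVED_PERMISSIONS) -> List[str]:
    """Permissions requested by the app but absent from the approved policy."""
    return sorted(set(requested_permissions(manifest_xml)) - set(approved))


def leaked_secrets(strings: List[str]) -> List[Tuple[str, str]]:
    """(pattern name, offending string) for every string matching a secret pattern."""
    findings = []
    for value in strings:
        for name, pattern in SECRET_PATTERNS:
            if pattern.search(value):
                findings.append((name, value))
    return findings


def review(manifest_xml: str, strings: List[str]) -> Dict[str, object]:
    """Combine both checks; 'blocked' is True if a reviewer should stop the release."""
    extra = excessive_permissions(manifest_xml)
    secrets = leaked_secrets(strings)
    return {
        "excessive_permissions": extra,
        "leaked_secrets": secrets,
        "blocked": bool(extra or secrets),
    }


if __name__ == "__main__":
    report = review(SAMPLE_MANIFEST, SAMPLE_STRINGS)
    for perm in report["excessive_permissions"]:
        print("permission not in approved policy:", perm)
    for name, value in report["leaked_secrets"]:
        print("possible leaked secret (%s): %s" % (name, value))
    print("release blocked:", report["blocked"])
```

The permission check is deliberately an allowlist rather than a denylist: the point made above is that every permission needs a stated reason, so anything not already justified is flagged for a human decision rather than silently accepted. The secret patterns are a small starting set; a real pipeline would extend them and run against every string and resource the build emits.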

“If you’re a bank executive, it boils down to ensuring there’s a review process in place that allows someone to hit the ‘stop button’ if there is an excessive use of permissions,” Mr Mackey explained. “For example, does it make sense to have location information [available]? If it does, you may need to make certain it is clearly part of the privacy [functions].

“Fundamentally, a bank’s management needs to ensure there is a process for how it’s going to update the software components that go into [its] apps,” he added.

The Banker is a service from the Financial Times.