SEWORKS’ Security Experts Report Multiple Security Vulnerabilities in Top Fintech Apps

Analysis of many mobile banking, payments, investments, trading and budgeting apps reveals risks

SAN FRANCISCO -- SEWORKS, an innovator of offensive and defensive application security solutions, has identified security vulnerabilities in the top 20 free Android finance apps on Google Play. SEWORKS discovered critical and noncritical security risks in popular categories such as mobile banking, payments, investments, budgeting, trading, credit and expense tracking and other financial categories.

Using both dynamic and static testing methods to ensure accurate results, the SEWORKS vulnerability analysis revealed a mix of positives and negatives among the finance apps examined.

On a positive note, all of the apps tested had properly secured native libraries and data encryption. However, 100% of the apps had vulnerabilities that could potentially lead to a mobile app being compromised:

  • File input/output (I/O) -- Data transfer to or from the application file system, such as when financial statements are downloaded, can be manipulated as an attack entry point. Malicious code could be injected into the app to gain read or write access to resources such as users' account numbers, passwords or routing numbers.
  • Network behaviors -- Hackers can potentially exploit vulnerabilities within the server-client communication, such as when users access account balances, transfer funds, or perform other activities.
  • Code tampering -- Listed as one of the OWASP Mobile Security Project’s Top 10 Risks, code tampering is considered one of the most common app vulnerabilities and one of the easiest to manipulate. By changing or replacing code, an application can be exploited for various types of attacks, such as inserting malware or phishing.

“There’s no question that mobile banking has made our lives easier, but any mobile app can pose security risks and finance apps handle extremely sensitive information. It’s important that developers incorporate proactive security protocols during the development process as the best way to protect their users,” says Min Pyo Hong, CEO and Founder, SEWORKS. “For consumers, we recommend downloading apps only from the official app store, employing two-factor authentication, avoiding using financial apps on public Wi-Fi and monitoring your financial transactions as a defense against potential hackers.”

SEWORKS will be attending Black Hat USA 2018, August 4-9, 2018 at the Mandalay Bay Convention Center in Las Vegas. To learn more about application security best practices or to schedule a meeting, please email contact@se.works.

Follow SEWORKS via:

Blog: https://blog.se.works/

Website: https://se.works/

LinkedIn: https://www.linkedin.com/company/seworks/

About SEWORKS

Founded by five-time DEF CON finalists, SEWORKS offers both offensive and defensive security solutions for mobile and web apps. Backed by Softbank Ventures, Qualcomm Ventures, Samsung Ventures, Smilegate Investment, and Wonik Partners, SEWORKS is headquartered in San Francisco, with an R&D center in Seoul, Korea.

SEWORKS’ AppSolid is a cloud-based mobile app security solution that provides advanced security within minutes. AppSolid’s comprehensive 2-step Protect-and-Track approach to mobile app security provides advanced security without additional coding, and shuts down suspicious activities at the device level.

Contacts

SEWORKS
Sung Cho
sungcho@se.works
