Although mobile banking apps fared better than retail, productivity and social networking apps in a security audit released today, banks still have work to do to protect customer data on mobile devices.
In the study conducted by viaForensics, 25% of the mobile banking programs analyzed received a "fail" rating. In most cases, these failures occurred because testers were able to recover a user password or other sensitive user data from a user's mobile device. In some cases, the apps cached a security PIN or a user name and password. In other instances, testers were able to recover payment history, partial credit card numbers and other transaction-related data. About a third (31%) of mobile banking apps received a "warn" grade because a user name or app data was present on the device but was not considered a significant risk to the user. The remaining 44% of mobile banking apps passed the test.
To put this in context, no social networking or retail mobile apps passed viaForensics' test, and a mere 9% of productivity apps passed. (Ironically, one of the productivity apps that failed the test is described and sold as a secure email service. The testers were able to recover the security question and answer required to access emails.)
But unencrypted passwords seem to be tripping up banks. "The password thing is black and white," says Andrew Hoog, chief investigative officer at viaForensics. "You either store in clear text on the mobile device itself or you don't. That's where the real risk is." Mobile devices move all around the world, they're always online and they're completely outside a financial institution's control, Hoog points out.
Storing a user name insecurely does not cause a fail. "It's only a piece of the puzzle and it's not the most difficult piece of the puzzle," Hoog says. "It helps to know what somebody's user name is because then you don't have to try to guess what it is. But if somebody has your password, most people are in big trouble, not only because the criminal would be able to compromise their account, log in online and transfer information, but people reuse passwords and user names. That's the avalanche effect." For the average consumer, getting their password would get a cyber-thief into 30-90% of the online services that person uses, Hoog says.
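As an added illustration (not viaForensics' tool or methodology, which the article does not describe), the following Python check applies the article's fail/warn/pass scheme to an app's on-device storage: it reads Android SharedPreferences XML and SQLite files, flags cached passwords or PINs and card-number fragments, and runs against a constructed sample directory. The key-name patterns, file layout and sample values are assumptions chosen for the demonstration.

```python
import os, re, sqlite3, tempfile, xml.etree.ElementTree as ET

# Grading mirrors the article's scheme: fail (password/PIN/transaction data), warn (user name only), pass.
CREDENTIAL_KEYS = re.compile(r"pass(word|wd)?|\bpin\b|secret|security_answer", re.I)
USERNAME_KEYS = re.compile(r"user(name)?|login|account_id", re.I)
CARD_FRAGMENT = re.compile(r"(?:\*{4}|x{4})\s?\d{4}\b|\bending in \d{4}\b", re.I)

def scan_prefs(path):
    """Return (credential_hits, username_hits) from an Android SharedPreferences XML file."""
    creds, users = [], []
    for el in ET.parse(path).getroot():
        name, value = el.get("name", ""), (el.text or el.get("value") or "")
        if value and CREDENTIAL_KEYS.search(name):
            creds.append((os.path.basename(path), name))
        elif value and USERNAME_KEYS.search(name):
            users.append((os.path.basename(path), name))
    return creds, users

def scan_sqlite(path):
    """Return dump lines of a SQLite file that carry card-number fragments, whatever the table."""
    with sqlite3.connect(path) as con:
        return [(os.path.basename(path), ln) for ln in con.iterdump() if CARD_FRAGMENT.search(ln)]

def grade(app_dir):
    """Walk an app data directory and return ('fail'|'warn'|'pass', findings)."""
    creds, users, txns = [], [], []
    for root, _, files in os.walk(app_dir):
        for f in files:
            p = os.path.join(root, f)
            if f.endswith(".xml"):
                c, u = scan_prefs(p)
                creds, users = creds + c, users + u
            elif f.endswith((".db", ".sqlite")):
                txns += scan_sqlite(p)
    if creds or txns:
        return "fail", creds + txns
    return ("warn", users) if users else ("pass", [])

def build_sample_app_dir():
    """Constructed sample directory modelled on a leaky banking app (not real app data)."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "shared_prefs"))
    with open(os.path.join(d, "shared_prefs", "session.xml"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?><map><string name="username">jdoe'
                 '</string><string name="pin">4921</string></map>')
    con = sqlite3.connect(os.path.join(d, "history.db"))
    con.executescript("CREATE TABLE payments(id INTEGER, memo TEXT);"
                      "INSERT INTO payments VALUES (1, 'Payment from card ending in 1234');")
    con.close()
    return d
```

Running `grade(build_sample_app_dir())` returns "fail" with the cached PIN and the payment row as findings; the user name alone would only have produced "warn".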
"If you do get the password, it's earth-shattering bad stuff because you can get into almost anything they do online," he says.
Hoog believes banks and the vendors they purchase from and work with have been overly focused on market share, new features, monetization, expanding and answering consumer demand. "They're not putting enough or sometimes any effort into security," he says. And securing a mobile app is different from securing a banking website or the software on the bank's servers. "In general, the security industry hasn't caught up," he says.
"The good news is, it's possible to develop secure mobile apps; you just have to bear in mind the gotchas and trade-offs," Hoog says. "The problem is, development is a very creative and human endeavor, which means mistakes can get introduced."