Site icon The IT Nerd

Study Finds That 92% of Google Play Store’s 650 Most Popular Fintech Apps Expose Exploitable Secrets


Ninety two percent of the most popular banking and financial services apps on the Google Play Store contain easy-to-extract secrets (such as API keys), which could be used by cyber attackers in scripts and bots to steal data, devastating consumers and the institutions they trust.

The study “Mobile App Security Report – Exposing the Security Vulnerabilities of Top Finance Apps” summarizes the work of the Approov Mobile Threat Lab. The team downloaded, decoded and scanned the top 200 financial services apps in the U.S., U.K., France and Germany, investigating a total of 650 unique apps. 

Only 5% of the apps examined had good defenses against runtime attacks manipulating the device environment and only 4% were well protected against Man-in-the-Middle (MitM) attacks at run-time. As well as immediately exposing secrets, scans also indicated two critical runtime attack surfaces that could be used to steal API keys at runtime.

Other findings: 

The report can be found here.

UPDATE: Rajiv Pimplaskar, CEO of Dispersive Holdings, Inc. had this comment:

    “Cloud security is always constant battle between convenient access and secure access. In the examples of the reports, the wide majority of the applications contained “pre-baked” API keys that provided access to certain “secured” public services just by the presence of the API key. Once compromised, the security of the API is completely out the window. 

   “API keys for accessing *any* public service should not last indefinitely and they should never come directly with a mobile or enterprise application install. The most secure way is requiring that the API keys be received after proper authentication (and most likely Multi Factor Authentication, MFA). In today’s day and age, MFA is not difficult to set up and while it isn’t perfect, it provides meaningful resistance to most hackers and malicious actors looking for low hanging fruit. 

   “Once the API key is obtained, accessing the service is still a potential waving flag for malicious actors. The transport mechanisms and source/destination addresses can become immediate targets. 

   “That’s why stealth networking and solutions can be truly innovative. Obfuscating and encrypting and protecting data in transit can provide the enhanced security from mobile endpoint all the way to cloud. Additionally, with a stealth networking solution, the ability for a malicious actor to set up a MITM attack is severely hindered. By removing “known” open endpoints, malicious actors can’t easily setup the MITM to try to intercept and capture/modify packets.”

Exit mobile version