Aite Group Tests Financial Banking Apps – The Results Are Alarming

Third-Party Tested Several Android Banking Apps, Proving Just How Vulnerable They Are

A report prepared by the advisory firm Aite Group for Arxan confirms that financial mobile apps are full of vulnerabilities. According to the findings, these gaps stem from a lack of security controls and insecure coding within the apps themselves.

Although the results are rather enlightening, the advisory firm opted not to provide the names of the apps or financial institutions within its report. The only information disclosed was that each company was headquartered in either the U.S. or Europe, and that the apps were available in the Google Play Store. This doesn’t exactly help narrow down the options, considering any major banking institution’s mobile app can be found in the Google Play Store.

Unfortunately, it appears the security issues found by the Aite Group will likely go unresolved for some time, as the advisory firm has opted not to contact the financial institutions regarding the vulnerabilities. 

The Findings

The findings, as detailed in the report, confirm that the banking institutions tested are choosing not to include encryption capabilities and are failing to implement code-hardening practices. Both of these controls are designed to protect mobile apps from being tampered with. By choosing not to deploy them, the institutions significantly decrease the security of their mobile apps.

One may think that cracking the code and freely accessing private data would take a significant amount of time and skill. However, that is not necessarily the case. The testing group was able to effectively “break into” an application in less than ten minutes. Upon cracking the code, they could identify APIs, read file names, and access sensitive data.

What may be considered even more alarming is that 97% of the tested apps were easily reverse engineered or decompiled, as they lacked binary code protection. Additionally, virtually none of the apps tested had security measures in place to detect whether the app was being reverse engineered or maliciously tampered with.


12 thoughts on “Aite Group Tests Financial Banking Apps – The Results Are Alarming”

  1. Yeah, right. These claims are false, the company making the claims should help the banks patch the vulnerabilities yadda yadda etc etc. Meanwhile guys I shan’t be using the apps just on the chance the vulnerabilities are there. You gamble with your money but I will keep mine safe.

  2. There is a thief in a house on your street but we won’t say which house. It could be your house but we can’t tell you.

    How will you know? You’ll know when you discover that all your possessions have been stolen.

    What an impressive distribution of no information.

    • Unfortunately, Aite Group decided not to release the exact list of applications so we couldn’t pass them along.

  3. This sounds like another “anonymous source” article. I don’t believe a word unless someone is accountable.

  4. This sounds somewhat disconcerting at first but then it becomes a joke.
    “The apps are vulnerable but we’re not going to tell you which one, and oh yes we’re not going to tell the banking institutions either. We just want to scare you but watch this site we’re going to offer to fix the problem for you. It’ll be a subscription service that offers a two year contract and we won’t tell you if your bank is on the list until you have signed up. The contract can’t be canceled and will automatically renew unless you opt out on the anniversary of your contract and within the one hour timeframe we designate.”

  5. Please tell us what banks and apps are affected. Not nice to keep it from those who purchase your products and believe in you.

    • Hi Pamela, unfortunately, the report did not list specifics – “Although the results are rather enlightening, the advisory firm opted not to provide the names of the apps or financial institutions within their report. The only information disclosed was that each company was headquartered in either the U.S. or Europe, and the apps were accessible within the Google Play Store.”

  6. Android apps only and what banks? You make these claims but fail to list the banks you tested. I say bogus claims.

  7. While this is alarming to read, it sounds too anonymous. If this group really could hack apps that easily, why wouldn’t they sell their techniques to the banks so that protection could be applied?
    Just saying…
