None of the Top 120 Banking Apps complies with OWASP

4 min read
Edit by Rémy Balangué • Sep 30, 2022
Mobile application security has long been neglected. For many organizations it was simply not considered critical, because security verification and monitoring were handled at the back-end level, and an attack targeting the mobile app was assumed to have limited impact.

This view was common in the mobile banking industry: the mobile app was seen as a mirror of the web app, and traffic on mobile apps remained low.

Times have changed and mindsets have matured. Recent regulation in Europe (PSD2) pushed banks to rethink their mobile banking applications. The mobile banking app no longer mimics the web app; it provides new services. The most notable one is the validation of e-commerce transactions using strong customer authentication.

Does that mean that the mobile banking application was put high on the agenda for security officers? Not really, but things are moving.


The European Mobile App Security Benchmark

Testing of more than 120 mobile banking applications in Europe shows that the banking ecosystem is migrating towards stronger security, and that some banks lead the way: download your copy of the European Mobile Banking Apps benchmark white paper.

We used OWASP's extensive work to qualify the protections of each app, based on the OWASP MASVS (Mobile Application Security Verification Standard):


Additionally, securing mobile apps has proven critical to protecting the integrity and reputation of a business, as well as the data and privacy of end users. Implementing security measures is no longer a way of displaying thought leadership, nor a nice-to-have, value-added initiative, but a risk management mindset that should be embedded in the operations of every mobile banking institution.

What could an attacker attempt to do by targeting a mobile banking app?

➡️ Seek vulnerabilities in the system

Mobile apps communicate with the back-end system through APIs. Apps without protection give attackers easy access to those APIs and to the back-end.

➡️ Change app behaviour, get private data

Man-in-the-middle techniques can be used to alter the app's behaviour or to observe data while the client is using the app.

➡️ Extract secret data or gain malicious access

Gaining unauthorized access to data or operations belonging to a client (e.g., the PIN code).

➡️ Get private information

Sensitive and personal data, such as bank statements, are the prime target of information theft.

➡️ Compromise critical features

Such as 2FA, whose compromise may severely weaken the security of transactions and enable fraud.

Some major banks already impacted

Britain's Tesco Bank was fined £16.4 million, equivalent to €18.4 million, by the Financial Conduct Authority in 2018 over the hacking event that led to £2.26 million siphoned from over 9,000 accounts overnight.

The attacker reverse-engineered the mobile app to exploit clients' credentials and communication information. This could have been prevented: security testing experts had warned Tesco Bank multiple times about the vulnerabilities before the incident, and those warnings were ignored.

In 2020, the FBI warned that the increase in mobile banking application usage was expected to lead to a rise in exploitation: “US security research organizations report that in 2018, nearly 65,000 fake apps were detected on major app stores, making this one of the fastest growing sectors of smartphone-based fraud.”

More recently, in 2022, LCL's mobile app was also hacked, leading to 300,000 euros being embezzled.

What methodology have we used to evaluate the protections of mobile banking apps?

To help organizations efficiently develop and secure their mobile apps, the OWASP (Open Web Application Security Project®) has put together highly valuable resources:

The OWASP Mobile Top 10 gathers the most critical security risks encountered in mobile applications. This list helps you identify the top-priority risks you must protect against.

The Mobile Application Security Verification Standard (MASVS) describes 4 levels of verification that let you quantify your level of compliance with the OWASP standard. This score is a good way to measure your progress over time and to communicate it both internally and to external third parties.

The Mobile Application Security Testing Guide (MASTG, previously known as the Mobile Security Testing Guide, MSTG) is a set of test cases to perform in order to evaluate your MASVS compliance score. Your security policy starts here.


Want to get your own free copy?

Using esChecker, eShard's unique Mobile Application Security Testing technology, our experts have gathered thousands of test results.

Download your free copy of this comprehensive European Mobile Application Security Testing Benchmark, which outlines the maturity of the European market.
