Intertrust report reveals security flaws of top financial apps

- June 10, 2021

Financial services has been the most-attacked industry for five years straight but a large number of organizations are still compromising mobile security to meet a deadline or productivity target, leading them to suffer a compromise.

A new report by Intertrust, based on an analysis of 160 top financial apps worldwide, reveals that each of them have at least one security flaw.

To prepare the 2021 State of Mobile Finance App Security Report, the Silicon Valley-based provider of trusted computing products and services conducted security assessments on publicly available apps from four major categories, namely banking, mobile payment, investment/trading, and lending. 

The Intertrust team evaluated applications from five countries or regions—the United States, India, the United Kingdom, the European Union, and Southeast Asia.

According to the findings, 88% of the apps had cryptographic issues, 81% can leak data, and 77% contained flaws that present high-level risks to finance organizations and their customers.

The report highlights that financial services are still lagging behind in cyber security despite the coronavirus pandemic-driven increase in contactless payments, online shopping, and digital-first financial services.

In 2020, time spent in finance apps increased by 45% last year, activity in investment apps jumped by 88%, and mobile wallet point-of-sale transactions picked up by 19.5%, helped by higher limits for contactless payments.

“As mobile finance apps increasingly enter people’s everyday lives, it’s vital to understand the security risks associated with these apps and the ways to help mitigate them,” said David Maher, chief technology officer and executive vice president at Intertrust.

David Maher, CTO at Intertrust (Image source: Intertrust)
David Maher, CTO at Intertrust (Image source: Intertrust)

He added that poor financial app security puts financial organizations and their customers at risk, especially considering the rise in cyberattacks over the course of COVID-19.

According to a survey of 571 community banks in 37 states, conducted by the Conference of State Bank Supervisors, more than 70% of respondents ranked cybersecurity as their top concern.

Intertrust found that Banking apps proved to be significantly more vulnerable both in terms of total number of issues and severity—35% contained more than 10 vulnerabilities and 81% at least one critical or high severity issue.

Payment apps fared only slightly better at 29% and 75%, respectively. Lending apps claimed the most secure spot, “possibly because of their more limited functionality”.

In the testing, Android apps had far more issues than iOS apps and significant variations were found between geographies in app security levels, with UK finance apps containing far fewer security issues than apps from other regions.

Intertrust says around 75% of high-level threats could have been mitigated using in-app protection.

Beyond getting the basics right, the company’s specific recommendations for boosting security include protecting data using secure encryption technologies like white-box cryptography or by using strong data obfuscation techniques.

“The vast majority of financial services apps (88%) have mishandled and/or weak encryption that puts them at risk for data theft. Key protection technologies such as white-box cryptography should be used to secure the encryption process,” the report said, while emphasizing the importance of anti-tampering and runtime protections.

Disclaimer: This article mentions a client of an Espacio portfolio company.