The Bethesda, Md.-based application protection provider Arxan Technologies’ latest report found mobile banking and payment apps are susceptible to code tampering and reverse engineering. It also discovered Android apps more secure than iOS apps.

Arxan’s “2016 State of Application Security Report,” released Tuesday, also found financial services organizations are among the top targets for hackers seeking high-value payment data, intellectual property and other sensitive information.

“The two areas where the risks are the greatest are the lack of binary protection and dealing with the transport of the application between the mobile app and the backend server,” Patrick Kehoe, chief marketing officer for Arxan, told CU Times. “What we are finding is that many organizations are lagging in terms of addressing some of the new risks unique to the mobile environment.”

The report revealed all of the top mobile banking and payment apps tested held at least one “Open Web Application Security Project Mobile Top 10 Risk." In addition, all the mobile banking and payments apps tested were susceptible to code tampering and reverse engineering.

In addition, 50% of the Android mobile finance apps tested carried at least three OWASP Mobile Top 10 Risks, whereas all of the iOS apps tested had at least three top risks.

Organizations often use mobile apps to make their customers stick, but tend to overlook critical security measures as they rush to bring new apps to market, Kehoe explained.

“Baking in robust mobile app security is not only a smart technology investment to keep the bad guys out, but also a smart business investment to help organizations differentiate from the competition and to achieve customer loyalty based on trust,” he said.

According to the research, employee, customer and soft IP data are the top three targets for cyber-attacks in the financial services market.

“Given that the vast majority of cyber-attacks are happening at the application layer, one would think that robust application security would be a fundamental security measure being aggressively implemented and increasingly required by regulators, particularly given the financial services industry’s rapid advancement toward mobile and IoT,” the report stated.

The report also found most consumers would change providers if they knew their apps were not secure. Eighty percent of mobile app users said would change providers if they knew the apps they were using were not secure, and what’s more, 82% would change providers if they knew alternative apps offered by similar service providers were more secure.

Despite spending an average of $34 million on mobile app development, half of the companies surveyed devoted zero dollars to making sure their apps meet OWASP Mobile Top 10 Risks industry security standards, according to the research.

“In financial services, and other industries, it has been about speed to market. Developers are under a lot of pressure to pump out these apps,” Stephen McCarney, vice president of marketing for Arxan Technologies, said.

Kehoe recommended financial services organizations harden applications so they are not susceptible to reverse engineering, build run time protections into applications (particularly mobile apps) to thwart tampering and malware attacks, and protect cryptographic keys so they are not visible statically (i.e., while residing on a device) or at run time in memory.

“Hardening and run-time protection can be achieved with no impact to your source code, via an automated insertion of ‘guards’ into your the binary code,” Kehoe said.

Arxan commissioned a third-party, independent research organization in November 2015 to conduct the electronic survey with the following 1,083 individuals in the U.S., the U.K., Germany and Japan: 815 consumers who use mobile health and mobile finance apps, and 268 IT decision makers within organizations that produce mobile health and mobile finance apps.

Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.

Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S Interior Department, National Park Service and Warren County (N.Y.).