Research on the existing vulnerabilities and threats in mobile banking conducted by Positive Technologies experts. Out of 14 fully featured mobile banking applications (client and server) chosen for the research none has an acceptable level of protection.

Key insights: 

Client side (mobile banking application installed on the user's device):

• In 13 out of 14 applications, attackers can access user data from the client side.
• 76% of mobile banking vulnerabilities can be exploited without physical access to the device.
• More than a third of vulnerabilities can be exploited without administrator (jailbreak or root) rights.

Server side (web application that interacts with the mobile client over the Internet by means of a special application programming interface (API):

• Server sides contain 54% of all vulnerabilities found.
• On average, each mobile bank has 23 server-side vulnerabilities. 
•  Half of mobile banks are vulnerable to fraud and theft of funds.
• At five out of seven banks, hackers can steal user credentials. At one third of banks, card information is at risk.

Research also showed that iOS client applications contain fewer vulnerabilities than their Android counterparts. No flaws in iOS banking apps were worse than "medium" in severity. By comparison, 29% of Android apps contain high-risk vulnerabilities.

Share: