Skip to main content

Research highlights a systemic failure to protect financial services apps against multiple vulnerabilities

San Francisco, CA – April 2, 2019 - Arxan Technologies, the trusted provider of application protection solutions, announced the findings of a new research report which reveals widespread security inadequacies and protection failures among consumer financial applications, leading to the exposure of source code, sensitive data stored in apps, access to back-end servers via APIs, and more.

Senior cybersecurity analyst Alissa Knight of global research and advisory firm Aite Group authored the study, entitled ‘In plain sight: The vulnerability epidemic in financial services mobile apps.’ Knight examined the mobile apps of 30 financial institutions (FIs) downloaded from the Google Play store across eight financial services sectors: retail banking, credit card, mobile payment, cryptocurrency, HSA, retail brokerage, health insurance, and auto insurance. Using tools readily available on the internet, Knight found nearly all of the applications could easily be reverse engineered allowing access to sensitive information stored inside the source code, such as improperly stored PII, account credentials, server-side file locations, API keys, and live deployment and QA URLs used by the developers for testing the apps. The research highlights a systemic lack of application appropriate protection such as application shielding, threat detection, encryption, and response technology across financial services apps.

Analysis of the mobile FI applications highlighted major deficiencies in app design  including easily reverse engineered code that can expose serious vulnerabilities including in-app data storage; compromised data transmission due to weak data encryption and insufficient transport layer protection; and malware injection/tampering.

Key findings from the research include:

  • Lack of Binary Protections — 97% of all apps tested lacked binary code protection, making it possible to reverse engineer or decompile the apps exposing source code to analysis and tampering
  • Unintended Data Leakage — 90% of the apps tested shared services with other applications on the device, leaving data from the FI’s app accessible to any other application on the device
  • Insecure Data Storage — 83% of the apps tested insecurely stored data outside of the apps control, for example, in a device’s local file system, external storage, and copied data to the clipboard allowing shared access with other apps; and, exposed a new attack surface via APIs
  • Weak Encryption — 80% of the apps tested implemented weak encryption algorithms or the incorrect implementation of a strong cipher, allowing adversaries to decrypt sensitive data and manipulate or steal it as needed
  • Insecure Random-Number Generation — 70% of the apps use an insecure random-number generator, a security measure that relies on random values to restrict access to a sensitive resource, making the values easily guessed and hackable

“During this research project, it took me 8.5 minutes on average to crack into an application and begin to freely read the underlying code, identify APIs, read file names, access sensitive data and more. With FIs holding such sensitive financial and personal data — and operating in such stringent regulatory environments — it is shocking to see just how many of their applications lack basic secure coding practices and app security protections,” said Alissa Knight, Senior Analyst at Aite Group. “The large number of vulnerabilities exposed from decompiling these applications poses a direct threat to financial institutions and their customers. These resulting threats ranged from account takeovers, credit application fraud, synthetic identity fraud, identity theft and more. It’s clear from the findings that the industry needs to address the vulnerability epidemic throughout its mobile apps and employ a defense-in-depth approach to securing mobile applications — starting with app protection, threat detection and encryption capabilities implemented at the code level. Of all the findings, the most shocking was without a doubt, the SQL queries exposing information on the backend databases hard coded in the app along with private keys being stored unencrypted in different sub-directories.”

Of all the industry verticals examined in the research, disturbingly, retail banking, retail brokerage and auto insurance applications were found to be at risk for all the discovered critical vulnerabilities. The fewest vulnerabilities were found in the Health Savings Account applications, indicating that as an industry there is a higher regard for securing patient information and interactions than the FI sector has for securing customer data and financial transactions. Surprisingly, the smaller company apps analyzed had the most secure development hygiene, while the larger companies produced the most vulnerable apps.

“It’s no secret that the finance industry is a hot target because the payload is cold, hard cash,” says Aaron Lint, Chief Scientist and VP of Research, Arxan. “Virtually none of the apps tested in this research had app security measures in place that could even detect an app was being reverse-engineered, let alone actively defend against any malicious activity originating from code level tampering. We expect financial institutions to be leaders in security, but unfortunately, the lack or app protection is systemic across these and most organizations using mobile apps to drive business — which in today’s environment is everyone. Organizations need to take their head out of the sand and realize how significant the attack surface really is due to the nature of how apps are rapidly developed, left unprotected and deployed capriciously.”

To minimize the risk of these vulnerabilities being identified and ultimately exploited, it is advised financial institutions adopt a comprehensive approach to application security that includes app shielding, encryption, threat detection and response -- and ensure their developers receive adequate application protection and shielding training and implement appropriate security at each stage in the software development life cycle. Additionally, it is essential that application security solutions easily integrate into DevOps environments, post-coding, so they do not disrupt rapid app development and deployment processes.

To download the full research report, please visit:

To register for the webinar about the report findings and best practices for app protection, please visit:

About Arxan Technologies

Arxan, a global trusted leader providing the industry’s most comprehensive application protection solutions, works with organizations looking to protect applications and to securely deploy and manage business-critical apps to the extended enterprise. Arxan currently protects more than one billion application instances across many industries including financial services, mobile payments, medical devices, automotive, gaming, and entertainment. Unlike legacy security solutions that rely on perimeter-based barriers to keep bad actors out or that require device management controls, Arxan products protect at the application-level from the inside out. This approach protects the source and binary code to expand the corporate perimeter of trust to the new endpoint – the application. Arxan provides a broad range of patented security capabilities such as a dynamic app policy engine, code hardening, obfuscation, white-box cryptography and encryption, threat analytics and rapid app protection deployment designed for DevOps processes. Founded in 2001, Arxan is headquartered in North America with global offices in EMEA and APAC.  For more information, please visit our website or follow us on Twitter.

About Aite Group

Aite Group is a global research and advisory firm delivering comprehensive, actionable advice on business, technology, and regulatory issues and their impact on the financial services industry. With expertise in banking, payments, insurance, wealth management, and the capital markets, we guide financial institutions, technology providers, and consulting firms worldwide. We partner with our clients, revealing their blind spots and delivering insights to make their businesses smarter and stronger. Visit us on the web and connect with us on Twitter and LinkedIn.