Financial Apps are Ripe for Exploit via Reverse Engineering

silversurfer (Thread author)
A white hat hacker reverse engineered 30 mobile financial applications and found sensitive data buried in the underlying code of nearly all apps examined. With this information a hacker could, for example, recover application programming interface (API) keys and use them to attack the vendor’s backend servers and compromise user data, researchers said.

The apps in question were all Android and culled from eight sectors including retail banking, healthcare and auto insurance. Companies behind the apps ranged from Fortune 100 companies downward, according to Arxan Technologies, which commissioned the research, titled In Plain Sight: The Vulnerability Epidemic in Financial Mobile Apps.

“Many of the findings were shocking to say the least,” said Alissa Knight, senior cybersecurity analyst with Aite Group, who conducted the research. “I even found that some financial institutions were hard-coding private keys, API keys and private certificates – all in the actual code or storing them in subdirectories of the app.” In other instances, Knight said, she found the URLs the apps use to communicate with their backend servers, which would allow an adversary to target those backend APIs as well.

Key findings include the fact that 97 percent of all Android apps tested lacked binary code protection. “This makes it possible to reverse engineer or decompile the apps; exposing source code to analysis and tampering,” according to the report scheduled to be released Tuesday.


Vulnerability Findings Across All Financial Apps
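The kind of check the article describes, unpacking an Android APK and looking for private keys, API secrets and backend URLs that ship inside it, as an added example that is not part of the original post or of the Aite/Arxan report. The APK it scans is constructed inline (a zip with an `assets/` PEM file, a `res/raw/` properties file and a stub `classes.dex`), and the package name, hostname and key material are made up for illustration; the regexes are a minimal first pass, not the researcher's tooling.

```python
import io
import re
import zipfile

# Regexes for the material the article says was found inside the apps:
# PEM-encoded private keys, hard-coded API keys/secrets, and backend URLs.
# Deliberately simple; a real scan adds vendor-specific key formats.
PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "api_secret": re.compile(
        rb"(?i)\b(api[_-]?key|client[_-]?secret|secret|token)\b\s*[=:]\s*[\"']?([A-Za-z0-9_\-]{16,})"
    ),
    "backend_url": re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[A-Za-z0-9._~/\-]*)?"),
}


def scan_blob(entry_name, data):
    """Return one (entry, kind, snippet) tuple per regex hit in one archive member."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(data):
            hits.append((entry_name, kind, m.group(0).decode("ascii", "replace")))
    return hits


def scan_apk(apk_bytes):
    """An APK is a zip. Walk every member (manifest, res/, assets/, classes.dex)
    and grep the raw bytes; DEX string tables are plain text, so URLs and keys in
    unprotected code are found without a decompiler at all."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            hits.extend(scan_blob(info.filename, z.read(info)))
    return hits


def build_sample_apk():
    """Constructed sample, not a real app: an APK-shaped zip that mimics the
    article's findings (key in assets/, secret in res/raw/, URL in the dex).
    Package name, hostname and key bytes are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest package='com.example.bank'/>")
        z.writestr("assets/client.pem",
                   "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n"
                   "-----END RSA PRIVATE KEY-----\n")
        z.writestr("res/raw/config.properties",
                   "api_key=AKEXAMPLE0123456789abcdef\nfeature_flags=1\n")
        # A DEX file is binary, but its string table still holds the URL in the clear.
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16
                   + b"https://api.example-bank.invalid/v2/accounts" + b"\x00" * 8)
    return buf.getvalue()


def summarize(hits):
    """Count hits per kind, the shape of the report's headline statistics."""
    counts = {}
    for _, kind, _ in hits:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for entry, kind, snippet in scan_apk(build_sample_apk()):
        print(f"{kind:12s} {entry}: {snippet}")
```

Point the same `scan_apk` at a real APK (`scan_apk(open("app.apk", "rb").read())`) to triage it the way the article describes. The byte-grep only works because the secrets are stored in the clear; binary protection or string encryption, which the report says 97 percent of the tested apps lacked, is exactly what would make this first pass come up empty and force an attacker to instrument the running app instead.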