Bots could exploit “easy-to-extract” data from popular FinTech apps, study shows

By Puja Sharma

March 03, 2023


Approov, the end-to-end mobile security provider, has issued findings showing that 92% of the most popular banking and financial services apps contain easy-to-extract secrets such as API keys. Such secrets can be dropped into scripts and bots that call the backend APIs directly, attacking those APIs and stealing data, with severe consequences for consumers and the institutions they trust.

Inadequate protection of API keys at runtime puts consumer data and funds at serious risk: stolen API keys can be used to steal personal and financial data.

The Approov Mobile Threat Lab downloaded, decoded, and scanned the top 200 financial services apps in each of the U.S., U.K., France, and Germany from the Google Play Store, investigating a total of 650 unique apps. Around 92% of the apps leaked valuable, exploitable secrets, and 23% of the apps leaked extremely sensitive secrets.
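The "decode and scan" step described above is, in essence, a static search over the unpacked app for strings that look like credentials. The script below is an added illustration of that kind of scan and is not Approov's tooling or any code from the study: it walks the files of an unpacked APK (for example the directory produced by apktool), matches well-known key formats and flags generic high-entropy values sitting next to names such as api_key, secret or token. The sample files, every key value in them, the severity mapping and the 3.5 bits/character entropy threshold are all constructed for this example.

```python
"""Static secret scan over the files of an unpacked Android app (constructed example)."""
import math
import os
import re
from collections import Counter

# Specific formats first (documented public prefixes), generic catch-all last,
# so a value already reported by a specific rule is not reported twice.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "google_api_key": re.compile(r"\b(AIza[0-9A-Za-z_\-]{35})\b"),
    "stripe_live_key": re.compile(r"\b(sk_live_[0-9A-Za-z]{24,})\b"),
    # a credential-like name, a little punctuation, then a long token
    "generic_credential": re.compile(
        r"(?i)(?:api[_-]?key|secret|token)\W{0,5}[\"']?([A-Za-z0-9_\-]{16,})"),
}
# Assumed severities: cloud/payment credentials give direct backend access;
# a Google key's impact depends on the API restrictions applied to it.
SEVERITY = {"aws_access_key_id": "high", "google_api_key": "medium",
            "stripe_live_key": "high", "generic_credential": "medium"}
# Assumed threshold: generic matches below this entropy are treated as placeholders.
GENERIC_MIN_ENTROPY = 3.5


def shannon_entropy(value: str) -> float:
    """Bits per character; random-looking keys score high, words and placeholders low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep enough to recognise a key in a report without reprinting it in full."""
    return value if len(value) <= 8 else f"{value[:4]}...{value[-2:]}"


def scan_text(path: str, text: str) -> list:
    """Return one finding per distinct credential-looking value in a text file."""
    findings, seen = [], set()
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1)
            if value in seen:
                continue
            if kind == "generic_credential" and shannon_entropy(value) < GENERIC_MIN_ENTROPY:
                continue  # low-entropy string next to "api_key" is most likely a placeholder
            seen.add(value)
            findings.append({
                "file": path,
                "line": text.count("\n", 0, m.start()) + 1,
                "kind": kind,
                "severity": SEVERITY[kind],
                "value": redact(value),
            })
    return findings


def scan_tree(files: dict) -> list:
    """Scan an in-memory {relative path: contents} tree."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def scan_directory(root: str) -> list:
    """Walk an unpacked APK directory (res/, smali/, assets/) and scan every file as text."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="ignore") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return scan_tree(files)


# Constructed sample of what an unpacked banking app might contain; every key is fake.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<resources>\n'
        '    <string name="app_name">ExampleBank</string>\n'
        '    <string name="google_api_key">AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6r</string>\n'
        '    <string name="support_email">help@example.com</string>\n'
        '</resources>\n'
    ),
    "smali/com/example/bank/net/ApiClient.smali": (
        '.class public Lcom/example/bank/net/ApiClient;\n'
        '.field private static final API_KEY:Ljava/lang/String; = "sk_live_EXAMPLEkeyEXAMPLEkey1234"\n'
        '.field private static final BASE_URL:Ljava/lang/String; = "https://api.example.com/v1"\n'
        '    const-string v0, "AKIAIOSFODNN7EXAMPLE"\n'
    ),
    # long but low-entropy placeholder: matched by the generic rule, then dropped
    "assets/config.json": '{"env": "prod", "api_key": "placeholder_placeholder", "timeout": 30}\n',
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f['severity']:<6} {f['kind']:<18} {f['file']}:{f['line']}  {f['value']}")
```

Run against the sample tree this reports the Google key in strings.xml and the Stripe and AWS-style keys in the smali, while the low-entropy placeholder in config.json is ignored. The entropy filter is what keeps a generic rule usable at scale; without it, every `api_key="REPLACE_ME_WITH_KEY"` would be a hit. Note that a scan like this only finds secrets that sit in the package as plaintext; a key that is obfuscated, or fetched over the network at startup, is the kind that the runtime attacks discussed below go after.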

As well as exposing secrets that can be read straight out of the package, the scans assessed two runtime attack surfaces through which API keys can be stolen while the app is running: manipulation of the device environment (“man-in-the-device”) and Man-in-the-Middle (MitM) interception of the app's network channel. Only 5% of the apps had good defenses against runtime manipulation of the device environment, and only 4% were well protected against MitM attacks at runtime.

According to research by YouGov, 74% of people say they want their bank to adopt the latest technology to keep their accounts safe. As many as 44% of adults aged 18-34 say they would like their bank to adopt newer, modern technologies to make it easier to log in to their accounts.

When it comes to picking a financial services provider, safety and security (61%) come top for global consumers, followed by lower fees (58%), solid customer service (57%), and good interest rates (50%).

Digital-only banks may face an uphill battle to win over customers: just 37% say they trust them, and 26% distrust them. It’s a similar story with Buy Now Pay Later companies (36% vs. 27%), sustainable investments (31% vs. 23%), and – by some distance – cryptocurrencies. Providers that deal with Bitcoin, Litecoin, Ethereum, and others in the space are trusted by just 16% and distrusted by 52%. Even as cryptocurrency becomes more prominent, a majority of the global public remains suspicious of it.

“Have we all unknowingly become beta-testers for financial services apps? Is this putting our personal finances at risk? Continuing news about breaches seems to indicate this is the case and it is unacceptable!” said Approov CEO Ted Miracco.

“This research shows hardcoding sensitive data in mobile apps is widespread and a massive problem since secrets can easily be extracted. A simple automated scan can show any threat actor how well protected apps are at runtime. Unfortunately, financial apps fall short,” Miracco added.

Key findings

  • None of the 650 apps “ticked all the boxes” in terms of the three attack surfaces investigated. All failed in at least one category.
  • Only four apps had runtime protection against channel MitM attacks and “man-in-the-device.” All were payment and transfer apps and none were in the U.S.
  • In general, apps deployed in Europe were better protected than apps available only in the U.S., for immediate secret exposure and runtime protections. This may be due to stricter privacy rules in Europe and more focus on security.
  • Crypto apps were the most likely to leak sensitive secrets: 36% exposed highly sensitive secrets immediately when scanned.
  • Only 18% of personal finance apps leaked sensitive information, possibly because they depend less on sensitive APIs.
  • For Man-in-the-Device attacks, traditional banks were twice as likely as other sectors to be well protected, reflecting their use of packers and protectors against runtime manipulation.
