Insufficient security controls are surfacing across consumer mobile payment apps, including five of the most popular solutions for both Android and iOS devices.
According to Bluebox Security’s 2015 Payment App Security Study, mobile payment solutions are now a prime source of risk. As mobile payment apps grow in popularity this holiday season, pervasive security flaws have created easy avenues for attackers to compromise these mobile applications, putting consumers’ hard earned dollars and enterprises’ bottom line in peril.
Bluebox examined mobile payment apps with expectations that security would be robust for mobile apps directly handling financial transactions. However, in every app reviewed, security was “remarkably basic,” the firm said.
“It’s not surprising—98% of developers polled by Bluebox have reported most mobile apps are moderately to highly vulnerable,” the report found. “Yet consumers are naively placing their trust and their dollars in these apps, as 69% of those polled by Bluebox were confident that the apps they use are safe from attack.”
Bluebox reviewed the top two peer-to-peer (P2P) payment apps that will be used to send monetary gifts to family and friends this holiday season and the top three one-click merchant apps from leading retailers. Every app examined was vulnerable to tampering that would allow rerouting of funds from a consumer’s account to a hacker’s account, without the consumer’s knowledge.
Anti-tampering controls are needed to secure the app and prevent the manipulation of payments, ensuring that consumer dollars end up in the hands for which they were intended.
Also, on average, 75% of the code in the apps was from third-party code libraries, which are used by enterprises to speed up mobile app development. When not properly secured and vetted, these code libraries could easily contain the next widespread exploit like Heartbleed or Stagefright—exposing payment apps to possible breaches.
None of the five apps encrypted data written to disk, meaning authentication info, transaction history and other personal information is fully visible to attackers once they’ve gained access to a device or app. Enterprises providing consumer-facing applications need to secure this information or risk damaging brand reputation when consumers find out their information is free for the taking.
Additionally, all of the apps investigated can be hacked in any one of three increasingly popular attack vectors:
Attack on unmodified app – The first method of attack does not require altering the app’s code. An app could be installed from a legitimate public app store but if the device is compromised, an attack can still be carried out against the app.
Attack by manipulating code – A second method is directly replacing the legitimate app with a modified app, like what was done with Masque attack.
Attack by intercepting traffic – The third method is intercepting the app’s interactions with cloud services over Wi-Fi or cellular networks.
“Our starting hypothesis was that mobile apps handling financial information would have more rigorous security compared to other mobile apps, but our research uncovered the opposite,” said Andrew Blaich, lead security analyst at Bluebox Security. “As enterprises rush to get apps to market, we are discovering the same security errors from industry to industry. Enterprises need to ensure their apps can defend themselves and make security a seamless step in the development process.”
Photo © Maxx Studio