Costly mistake


Costly mistake

More than a third of the financial apps used by Russians have critical security gaps. Socialbites.ca learned this from a study by Swordfish Security, which assessed the security of more than one hundred iOS and Android apps.

“The study focused on banking customers, fintech, telecom services, and app groups such as a bank’s core app plus its related services,” stated Yury Shabalin, chief architect at Swordfish Security.

Vulnerable apps are typically found at younger companies and startups, but the researchers also found weaknesses in products from large organizations.

Vulnerabilities are found far more often on Android than on iOS: an average of 8.3 problems per Android app versus 5.3 per iOS app. The researchers attribute this to Android's broader capabilities, which allow many more kinds of interaction between an app and the user and so create more attack opportunities.

Insecure data storage was the most common issue, found in 65% of the vulnerable apps. Authentication tokens and users' personal data are the items most often exposed; less often, developers leave login credentials, passwords, and the encryption keys used to protect transmitted data where they can be recovered.

“This kind of vulnerability can let attackers access personal information and, in worst cases, completely compromise an account,” the study notes.

About 35% of the vulnerable apps do not encrypt data sent to servers, which means a username and password could be intercepted over public Wi-Fi. In 18% of cases, apps do not terminate sessions promptly on logout, leaving sessions open longer than they should be.

“Because of lengthy session lifespans or flawed logout implementations, an attacker could hijack a user account using session identifiers,” Swordfish Security explained.

Insecure inter-process communication was found in 10% of the apps. It can allow malware in one app to read the files of another, with consequences ranging from password theft to broader breaches.

Swordfish Security has notified developers of all detected vulnerabilities.

All (not) so bad

Yury Shabalin believes that, in most cases, app vulnerabilities on their own are unlikely to cause financial losses. Still, attackers may use these flaws as one step in a broader scheme to steal funds.

“Typically, a successful theft requires a mix of vulnerabilities or extra data obtained through social engineering, such as phishing emails, messages, or calls. Each issue can be exploited in different scenarios, and that’s what attackers are doing today.”

Vladimir Kochetkov, head of code analyzer research at Positive Technologies, shares this view. He notes that the flaws make an attacker's job easier, but exploiting them alone rarely reaches a bank account.

“Real theft scenarios often involve exploiting banking system code flaws alongside social engineering to mislead users and prompt actions that enable embezzlement,” he explained.

R-Vision CEO Alexander Bondarenko added that some of these vulnerabilities could, in certain cases, lead to the theft of money, but such attacks would be limited in scale and complex to carry out, which deters many criminals.

“Yes, vulnerable apps can be abused to steal data or conduct fraudulent payments. The process is more difficult because it requires compromising the user’s device first, and mobile app attacks are relatively rarer since there are easier routes to steal money without heavy tech involvement.”

Kaspersky Lab's Sergei Golovanov was more cautious. He suggests that weaknesses in mobile apps are seldom used in mass money-theft campaigns; instead, they tend to appear in targeted operations against specific individuals.

What to do

Swordfish Security offers several tips that improve the chances of keeping money safe when using apps.

First, avoid downloading apps from unknown or untrustworthy sources, especially modified versions that block ads.

Second, steer clear of public Wi-Fi when possible. If it’s unavoidable, close any apps that handle payment data.

Third, enable two-factor authentication wherever available and avoid reusing passwords across different services.
