More than a third of the financial applications used by Russians have critical security vulnerabilities. socialbites.ca learned this from a study by Swordfish Security that analyzed the security of more than a hundred iOS and Android apps.
“The main application categories studied are banking clients, fintech, telecom and application groups (for example, a bank’s core application and all the other services associated with it),” said Yury Shabalin, chief architect at Swordfish Security.
As a rule, the vulnerable applications turn out to be projects of young companies and start-ups. But the researchers also found problems in the programs of large organizations.
Vulnerabilities are much more common on Android than on iOS. In addition, on average, an Android program has more problems than the same utility for Apple devices: 8.3 versus 5.3. According to the researchers, Android is more vulnerable because of the broader capabilities of the platform itself: it provides many more ways for the application and the user to interact, which can be abused under certain circumstances.
Violations of data storage rules turned out to be the most common problem: the researchers encountered them in 65% of the vulnerable programs.
Often, tokens (encrypted authorization data used to communicate with other services) and users’ personal data are at risk. Less often, developers forget to “hide” account logins and passwords, as well as the keys used to encrypt transmitted information.
“This type of vulnerability could allow attackers to obtain the user’s personal information and, in worst-case scenarios, completely compromise the account,” said the study’s authors.
35% of the vulnerable applications do not encrypt information transmitted to the server. As a result, a username and password can be intercepted by an attacker on public Wi-Fi. In 18% of cases, apps have problems with session termination, that is, with logging users out.
“Due to a very long session lifetime or an improper implementation of the application’s logout functionality, an attacker could gain access to a user account using session identifiers,” Swordfish Security said.
Insecure inter-process communication was found in 10% of the utilities. As a result, a malicious application “A” on a smartphone can “look” at the files of a vulnerable application “B”, with consequences ranging up to password theft.
Swordfish Security has notified the developers of all the vulnerable programs about the problems it discovered.
Everything is (not) so bad
Yury Shabalin of Swordfish Security believes that in most cases the vulnerability itself is unlikely to result in the loss of funds accessible from the app. However, exploiting it may be one step in the scenario of an attacker who sets out to steal the victim’s money.
“As a rule, in order to successfully carry out a theft attack, it is necessary to create a vector of various vulnerabilities or to obtain additional data (phishing email, message, call) through social engineering. Each security issue can be created in different scenarios if needed, and that’s what we’re seeing in attackers right now.”
A similar view is shared by Vladimir Kochetkov, head of code analyzer research and development at Positive Technologies. According to him, the detected problems simplify an attacker’s job, but using them alone will hardly get an attacker into users’ bank accounts.
“As a rule, real attack scenarios on banking systems involve the use of vulnerabilities in the program code of banking systems and customer applications, as well as the use of elements of social engineering (including automated ones) aimed at deceiving the user and performing the actions that lead to the theft,” said the expert.
In contrast, R-Vision CEO Alexander Bondarenko noted that in some cases individual vulnerabilities can indeed be used to steal money. However, exploiting them will be so complex that few cybercriminals will want to bother with them.
“Yes, vulnerable apps can be used by hackers to steal data or to steal money through fraudulent payments or by sending unauthorized payments. This is a more complicated way, because first of all it is necessary to somehow infect the user’s mobile device. Attacks against mobile apps are relatively unpopular given the fact that there are much simpler ways to steal money from the public, with or without computer technology,” he said.
Kaspersky Lab chief specialist Sergei Golovanov was even more optimistic. According to him, application vulnerabilities are rarely used in money theft operations. The expert claims that holes in the security of mobile programs are used much more often in targeted attacks, when the attacker’s task is to find out something about a particular person.
What to do
Swordfish Security has given a few recommendations that can reduce your chances of losing money through an app.
First, you should not install applications if you are not sure of their origin and reliability. You should be especially careful with apps from third-party sources, and above all with “modified” versions, such as those with ads disabled.
Second, you should avoid open Wi-Fi hotspots. If the connection cannot be avoided, you should close the applications that work with payment data.
Third, you should enable two-factor authentication in every app that supports it and not use the same passwords on different services.