The App Security Gap: How Mobile Financial Applications Are Failing to Secure Code

CEOs from several major American banks testified  before the U.S. House Financial Services Committee in April of 2019, noting that they view cybersecurity as the largest risk to the financial system currently. It may be this reality that leads a relatively low percentage of U.S. consumers (about 30%) to actually use mobile banking applications. 

In fact, 40% of US consumers who don’t use mobile payments cite security concerns as a major reason for this choice. Older consumers in particular are less likely to adopt mobile banking solutions due to security and privacy concerns arising in part out of an epidemic of dire headlines related to banking, credit card, and other financial organizations’ data breaches.

It’s also the case that, while consumers may feel some trepidation regarding mobile banking, many are still open to the usage of smartphones and other mobile devices for payment purposes. 

A full 89% of U.S. customers say they steer clear of mobile payments. In comparison, a whopping 92% of European millennials plan to be using mobile payments by 2020, and mobile payments in the UK in particular are on a lightning trajectory. That said, security and privacy concerns are still a major factor, with about half of European customers citing them as a barrier to entry for mobile payments. 

Financial mobile app growth is on an impressive trajectory. That said, consumers around the world need reassurance that security and privacy concerns are being taken seriously by app developers. 

Learn more about Security for Mobile Financial Applications and how we can help protect your customer data with our state-of-the-art security.

Despite Consumer Wariness, Most Financial Apps Fall Behind with Security

Both financial institutions and consumers appear to be aware of potential risks, and their concerns clearly have merit. However, most financial institutions who offer mobile financial applications are not taking adequate security precautions. 

It’s worth taking a look at the top ten most common security risks for mobile applications, as defined by OWASP.  Reverse engineering and tampering rank as the eighth and ninth most prevalent security risks according to this list. 

Yet the majority of applications on the market today do not currently use any form of application shielding, which is a critical form of security that protects against these two common security risks. Eschewing application shielding is especially risky in heavily regulated and high-scrutiny markets like financial services, where reverse engineering opens apps up to data theft, fraudulent app versions, and more. 

Consumers indicate they are willing to share sensitive personal data with banks and other financial institutions in exchange for valuable products and services, but 75% of consumers state that they are very cautious about doing so. In other words, financial institutions are already on thin ice with consumer trust and cannot afford to jeopardize it with insufficient security and privacy measures.

According to research conducted by Gartner, by 2020, an estimated 30% of enterprises plan to use application shielding to protect at least one of their mobile, IoT, or JavaScript applications. That number is just 5% today. The rate of change is expected to be high, with a prediction of more than 50% of enterprises using application shielding by 2021. However, this will still leave more than half of all mobile apps open to reverse engineering and other common attacks that can lead to data leakage and theft. Particularly when it comes to sensitive data related to finance, this is a concerning trend.

The Research

Recently, at Guardsquare, we conducted research into the nature and level of application shielding in use by more than 3,000 of the world’s leading financial services apps on the Android marketplace. We discovered that a paltry number of these apps are using proper mobile application security to prevent reverse engineering, fraudulent app clones, sensitive data loss, IP theft, and other potential negative outcomes.

Let’s take a look at what our data uncovered and what players in the financial services industry—and beyond—can learn from it about how to better protect their mobile applications.