Living Like the 3%: A Secure User Experience on Financial Applications
What kind of financial windfall would it take to put you into the 1% — to enable you to leave your job, climb aboard your yacht, and eat avocado toast for breakfast, lunch, and dinner? The answer to that question varies depending on your location: from $81K per year in India, to $290K in the UK, and a massive $891K in the United Arab Emirates (pretax, for those of you doing the math at home).
While membership in this elite club is not achievable for most of us, it is still possible to become a top-tier member of a different group: the 3%. This select group is not measured by how many homes they have nor by their investment portfolio, but rather by how well they steward the resources of others that have been entrusted to them.
A recent report published by Arxan Technologies examined 30 different financial services apps available on the Google Play store and found very few that provided adequate security for their users. Despite the fact that these were supplied by financial institutions, for whom trust is essential for their business, application security was found wanting.
The issues discovered were wide ranging – 43% of apps were vulnerable to attacks that can run code on the mobile device itself injected into the app as it ran — allowing adversaries to run their own code as the logged-in user. Alongside this, 80% of the apps used relatively weak encryption, creating an easy attack vector for malicious actors to pilfer sensitive data embedded in and used by these apps. Furthermore, 83% of the apps chose to store sensitive data in the device’s file system, in external storage or on the clipboard — which circumvents any access restrictions that the app might normally enforce. This allows any anonymous user (or other app) to access sensitive data that should have been protected. The most common issue, however, was the lack of binary protection for these financial apps to prevent reverse engineering. This means that attackers could take the applications and decompile them to examine their source code; this allows for the discovery of other vulnerabilities to exploit along with the exposure of any sensitive data hard-coded within the app itself. This final issue automatically reduced the number of apps without issues to a grand total of 3%.
Only 3% of financial apps within this study delivered a secure experience for their users, demonstrating that these financial institutions could be trusted to handle their customers’ data and finances responsibly. This, of course, is the 3% that all financial institutions should aspire to belong to; with each passing headline, customers are realising the importance of choosing financial providers who have invested in proper security controls to protect their interests.
Studies such as this one call attention to the fact that with each passing day, it becomes more apparent that security cannot be an afterthought for today’s businesses. It must be a mindset that pervades all aspects of the organisation; from establishing an identity program to provide access and ensure compliance with regulation, to having access to sensitive resources enforced in depth. Moreover, organisations must ensure – as this report highlights – that application security is at the forefront of every software architect and developer so that the applications and software that represent a financial institution to the world communicates responsible handling of important customer assets and data.
For those organisations that take security lightly, it is at their own peril – not only putting the relationship with customers at unnecessary risk but also finding themselves living below what one analyst called “the Security Poverty Line.” Financial institutions wanting to thrive in today’s business environment must invest a coherent security program and deliver a secure, trustworthy interaction for clients — which will elevate them into that rarefied air of the 3%.