Most Health and Financial Mobile Apps Are Rife with Vulnerabilities

When it comes to mobile app security, there appears to be a disparity between consumer confidence in the level of security built into mobile health and finance apps and the degree to which those apps are actually vulnerable to common attack techniques (code tampering and reverse-engineering). This in turn has clear implications for both patient safety and data security.

According to Arxan Technologies’ 5th Annual State of Application Security Report, the majority of app users and app executives believe their apps to be secure. A combined 84% of respondents said that the offerings are “adequately secure,” and 63% believe that app providers are doing “everything they can” to protect their mobile health and finance apps.

Yet nearly all of the apps that Arxan assessed (90% of them, in fact, including popular banking and payment apps and government-approved health apps) proved to be vulnerable to at least two of the Open Web Application Security Project (OWASP) Mobile Top 10 Risks, which could result in privacy violations, theft of customer credentials and other malicious acts, including device tampering.

To put it in perspective, such vulnerabilities could lead to a health app being reprogrammed to deliver a lethal dose of medication, or a finance app to redirect the transfer of money.

“Mobile apps are often used by organizations to help keep customers ‘sticky,’ yet in the rush to bring new apps to market, organizations tend to overlook critical security measures that are proving crucial to consumer loyalty,” said Patrick Kehoe, CMO of Arxan Technologies.

Digging into the nitty-gritty, the report found that a full 98% of the mobile apps tested lacked binary protection—this was the most prevalent security vulnerability identified. Also, 83% of the mobile apps had insufficient transport layer protection.

In the health-specific findings, mobile health apps approved by regulatory or governing bodies turned out to be just as vulnerable as other mobile apps. A full 84% of the US FDA-approved apps tested and 80% of those approved by the UK’s NHS did not adequately address at least two of the OWASP Mobile Top 10 Risks.

Most of the mobile health apps were susceptible to application code tampering and reverse-engineering. And 95% of the FDA-approved apps, and 100% of the apps formerly approved by the NHS, lacked binary protection.

In the financial realm, all of the top mobile banking and payment apps tested had at least one OWASP Mobile Top 10 Risk. And a sobering 100% of the mobile finance apps tested, which are commonly used for mobile banking and electronic payments, were shown to be susceptible to code tampering and reverse-engineering.

Companies should pay attention: The research also shows that mobile app security is an important element in customer retention. Most consumers (80%) said they would change providers if they knew their apps were not secure. And, 82% would change providers if they knew alternative apps offered by similar service providers were more secure.

“Baking in robust mobile app security is not only a smart technology investment to keep the bad guys out, but also a smart business investment to help organizations differentiate from the competition and to achieve customer loyalty based on trust,” Kehoe said.

Among the other findings was the fact that the problem is a global one: The firm uncovered few geographical discrepancies in mobile app security across the US, UK, Germany, and Japan.

And, bucking conventional wisdom, iOS apps were shown to be more vulnerable than Android apps. About 59% of the Android mobile finance apps tested had at least three Top 10 risks, whereas a full 100% of the iOS apps tested had at least three.
