
Mobile payment apps no safer than other mobile apps


1 December 2015

This holiday shopping season, shoppers should think twice before paying with mobile payment apps such as Apple Pay and Venmo, a study has warned. Bluebox Security’s 2015 Payment App Security Study found that security was lacking in ten popular mobile payment apps: five titles, each examined in its Android and iOS versions.

Bluebox Security decided not to reveal the names of offending apps to protect individual shoppers using them from attack. Instead, the report focused on the types of flaws found.

Consumers may not realise “they are opting for the convenience of on-the-go payments over the security imparted by traditional methods like cash or checks, ultimately putting their dollars at risk,” said Andrew Blaich, lead security analyst at Bluebox Security.

‘Remarkably basic’
In every app reviewed, security was “remarkably basic.” The apps in the study lacked enterprise-grade protections to safeguard financial transactions. For example, none of the apps had anti-tampering controls that would detect a modified app and stop payments from being manipulated. None of the apps encrypted data written to disk, meaning authentication data, transaction history and other personal information was readily available to anyone with access to the device, whether through physical possession, malware, or a backup.

Bluebox Labs selected and tested five payment apps available for both Android and iOS. Two were peer-to-peer payment apps used to send monetary gifts to friends and family, and three were one-click merchant apps from leading retailers. The apps were selected based on searches for top mobile payment apps and app store rankings. Bluebox also ran the apps on both jailbroken and non-jailbroken devices to understand how that affected overall security.

“Our starting hypothesis was that mobile apps handling financial information would have more rigorous security compared to other mobile apps, but our research uncovered the opposite,” Blaich said.

iOS is typically viewed as being more secure than Android and less at risk from malicious apps. When it comes to payment apps, however, the security of the Android and iOS versions was roughly equivalent. Both made the same mistakes.

Tampering vulnerability
Every app was vulnerable to tampering that would allow funds to be routed from the user’s account to one controlled by the attacker. An attacker with modest skill can download the app package from an app store, modify it (including adding malware or spyware to the original code) and redistribute it, and none of the payment apps examined in the study had code integrity checks that would notice the change. This is troubling, considering that balances held in P2P payment apps are not FDIC insured; if the money is lost, there is no consumer protection.

Bluebox Security found one good security practice: one of the apps used certificate pinning to protect data in transit to its cloud servers. Certificate pinning helps mitigate man-in-the-middle attacks by accepting only a known server certificate or public key rather than anything a trusted CA has signed. However, since the app did not have anti-tampering controls, an attacker could simply patch the pinning check out of the app.
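To make the missing control concrete, the following is an added example (written for this article, not code from Bluebox or from any of the apps studied) of a minimal code-integrity check: a manifest of SHA-256 digests is computed at build time, and at start-up the app recomputes the digests of its own files and refuses to run if any differ. The file names and contents are a constructed stand-in for an app bundle; the simulated tampering reroutes the payment recipient and switches off certificate pinning, the two modifications described above.

```python
from __future__ import annotations

import hashlib
import json
import os
import tempfile

# Constructed stand-in for an app bundle (file name -> source bytes).
# Hypothetical content, present only so the example runs offline.
APP_FILES = {
    "payment.py": b"RECIPIENT = account_from_user_input()\nsend(RECIPIENT, amount)\n",
    "pinning.py": b"PINNED_SPKI_SHA256 = 'deadbeef'\nENFORCE_PINNING = True\n",
    "ui.py": b"render_checkout()\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map each file name to the SHA-256 digest of its contents (build time)."""
    return {name: sha256_hex(content) for name, content in sorted(files.items())}


def manifest_digest(manifest: dict[str, str]) -> str:
    """Single digest over the canonical JSON form of the manifest.

    In a real app this is the value you would sign at build time and verify
    against a key the attacker cannot simply replace inside the package."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def write_bundle(root: str, files: dict[str, bytes]) -> None:
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)


def read_bundle(root: str) -> dict[str, bytes]:
    files = {}
    for name in sorted(os.listdir(root)):
        with open(os.path.join(root, name), "rb") as fh:
            files[name] = fh.read()
    return files


def verify_bundle(root: str, expected: dict[str, str]) -> tuple[bool, list[str]]:
    """Run-time check: recompute digests of what is on disk and compare them
    with the build-time manifest. Returns (ok, names of files that were
    modified, added or removed)."""
    actual = build_manifest(read_bundle(root))
    if manifest_digest(actual) == manifest_digest(expected):
        return True, []
    changed = set(actual) ^ set(expected)
    changed |= {n for n in actual if n in expected and actual[n] != expected[n]}
    return False, sorted(changed)


def demo() -> dict[str, object]:
    """Verify a clean bundle, then the same bundle after the tampering the
    study describes: funds rerouted to the attacker and pinning disabled."""
    manifest = build_manifest(APP_FILES)
    with tempfile.TemporaryDirectory() as root:
        write_bundle(root, APP_FILES)
        clean_ok, clean_changed = verify_bundle(root, manifest)

        tampered = dict(APP_FILES)
        tampered["payment.py"] = b"RECIPIENT = 'attacker-account'\nsend(RECIPIENT, amount)\n"
        tampered["pinning.py"] = b"ENFORCE_PINNING = False\n"
        write_bundle(root, tampered)
        tampered_ok, tampered_changed = verify_bundle(root, manifest)

    return {
        "clean_ok": clean_ok,
        "clean_changed": clean_changed,
        "tampered_ok": tampered_ok,
        "tampered_changed": tampered_changed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check only helps while the checking code is itself intact: an attacker who can repackage the app can delete `verify_bundle` as easily as the pinning flag, which is exactly the weakness the study points out. In practice the manifest has to be signed with a key that is not shipped in the package, the verification has to be made hard to locate and patch (the obfuscation the study also asks for), and the result should ideally be confirmed by the server before a payment is accepted.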

Only two of the Android apps obfuscated their code; none of the iOS apps did. Obfuscation “should be a standard practice across all payment apps,” Bluebox Security said. Three Android apps and three iOS apps still shipped with debug and admin logging enabled, another basic developer mistake that hands an attacker internal details about how the app works.

Organisations are making the same security errors in their rush to get apps to market, regardless of the industry they are in, Bluebox Security found. On average, three-quarters of the app code came from third-party libraries. This makes sense, since developers rely on third-party code to speed up the development lifecycle. However, the libraries are not regularly vetted or kept up to date, so a flaw in any one of them becomes a flaw in the payment app that bundles it.

As organisations increasingly rely on mobile app revenues, they need to take greater precautions to protect mobile payments. Data breaches would affect their customers and damage the company brand, Bluebox noted.


Fahmida Y Rashid, IDG News Service

TechCentral.ie