In the news this week, IOActive published the results of research it conducted on the security of home banking apps for iPhone and iPad, looking at the mobile offerings of some of the largest financial institutions in the world.

What they found was worrying, but unfortunately not necessarily surprising:

  • 90% of the apps contained non-SSL (plain HTTP) links, which means an attacker on the same network could intercept and alter that traffic, for example to inject a fake login prompt or an equivalent scam.
  • Furthermore, 50% of the apps are vulnerable to JavaScript injection via insecure UIWebView implementations. In some cases native iOS functionality is exposed to the web content, allowing an attacker to do things like send SMS messages or e-mails from the victim’s device.
  • 40% do not validate the SSL certificates presented by the server, so a self-signed or forged certificate is accepted, leaving them open to man-in-the-middle attacks.
  • Nearly 75% also don’t offer multi-factor authentication, which could help to mitigate the risk of impersonation attacks.
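The certificate-validation finding above is easiest to understand from code. Below is an added example (not code from IOActive's study, from any of the apps it examined, or from Jumio) showing the delegate pattern that produces the problem, beside a hardened form. It uses the NSURLConnection API that iOS apps of this era commonly used; the class names, the bundled certificate file name server.cer and ARC memory management are assumptions for illustration.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Pattern that makes an app "not validate the SSL certificate": every
// server certificate is accepted, so a man-in-the-middle presenting a
// self-signed certificate is trusted. Illustrative code, hypothetical class.
@interface InsecureConnectionDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation InsecureConnectionDelegate
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    if ([challenge.protectionSpace.authenticationMethod
            isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        // Trusts whatever the peer presented, without evaluating the chain.
        NSURLCredential *anything =
            [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];
        [challenge.sender useCredential:anything forAuthenticationChallenge:challenge];
        return;
    }
    [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
}
@end

// Hardened form: let the system evaluate the chain (hostname, expiry,
// trusted root), then additionally pin the leaf to a certificate shipped
// in the app bundle. Hypothetical class; assumes ARC.
@interface PinnedConnectionDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation PinnedConnectionDelegate
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }

    SecTrustRef trust = space.serverTrust;

    // 1. Standard chain validation against the device trust store, using
    //    the SSL policy (including the hostname) the URL loader attached.
    SecTrustResultType result = kSecTrustResultInvalid;
    OSStatus status = SecTrustEvaluate(trust, &result);
    BOOL chainOK = (status == errSecSuccess) &&
                   (result == kSecTrustResultUnspecified ||
                    result == kSecTrustResultProceed);

    // 2. Pinning: the leaf must byte-match the DER certificate bundled as
    //    server.cer (assumed file name; ship your real server certificate).
    BOOL pinOK = NO;
    if (chainOK && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *presented = CFBridgingRelease(SecCertificateCopyData(leaf));
        NSString *pinPath = [[NSBundle mainBundle] pathForResource:@"server"
                                                            ofType:@"cer"];
        NSData *pinned = [NSData dataWithContentsOfFile:pinPath];
        pinOK = (pinned != nil) && [presented isEqualToData:pinned];
    }

    if (chainOK && pinOK) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        // Fail closed: a MITM certificate, or a leaf we did not ship, is rejected
        // and the connection is aborted rather than silently downgraded.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}
@end
```

The insecure delegate is usually introduced to make a test environment with self-signed certificates work and then ships to production; the hardened delegate keeps the platform's validation and only adds a check, so the pinned certificate must be rotated in the app before the server certificate expires or the app will fail closed.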

At Jumio we have long known that the security of mobile applications, including tackling payment fraud and identity theft, needs to be taken more seriously in every industry sector, not just financial institutions.

A secure website does not necessarily mean a secure mobile app, and as the recent Target breach has shown, the cost and implications of losing data, whether money or your customers’ identities, can be devastating.

At Jumio we would like to see the financial services sector improve its security, and we are well placed to help. We will see what 2014 brings. Is this the year mobile becomes secure and successful?