Mobile banking continues to grow in popularity, but a recent report indicates that nearly 50% of banking apps still contain at least one critical vulnerability

With mobile banking really taking off in the US, analysts are warning that almost half of banking apps contain at least one critical vulnerability.

According to Citi, nearly a third of Americans say their mobile banking app is the one they use the most – only social media and weather apps are more popular.

“Over the past year we’ve witnessed this increase in engagement first-hand, with mobile usage in North America increasing by almost 25%, and we don’t see this trend slowing down any time soon,” says Alice Milligan, chief digital client experience officer for Citi’s US Consumer Bank division.

However, these customers may be putting too much faith in the security of their banking apps, according to research from Positive Technologies.

In a recent report, the security firm concluded that 48% of mobile banking apps still contained at least one critical vulnerability. In more than half of these cases, it says, the vulnerabilities could be exploited to decrypt or intercept the app’s traffic, or to brute-force account credentials.

Attackers could access the mobile app or bypass authentication entirely, effectively gaining total control over a user’s account.

Late last year, researchers at the University of Birmingham in the UK found a critical vulnerability in apps from HSBC, NatWest, Co-op, and Bank of America Health.

The flaw lay in how the apps did certificate pinning, a technique that normally improves security. The apps pinned a certificate authority rather than the bank’s own certificate, but did not check that the certificate presented actually belonged to the bank’s hostname, so any certificate issued by that CA, for any domain, was accepted. Because pinning rejects the self-signed certificates that standard man-in-the-middle test tools present, routine testing did not notice the missing check, which would allow an attacker on the same network to carry out a man-in-the-middle attack and take full control of a victim’s online banking.

Banks have now fixed the flaw, but, says Dr Tom Chothia: “It’s impossible to tell if these vulnerabilities were exploited, but if they were, attackers could have got access to the banking app of anyone connected to a compromised network.”
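The failure mode the Birmingham researchers describe is easy to reproduce in isolation. The following Go program is an added example, not code from the banks or from the research team: it builds a throwaway PKI in memory (one “public” CA, the bank’s genuine certificate, a certificate the same CA issued to an attacker for a domain the attacker controls, and a self-signed certificate of the kind a generic interception proxy uses), then runs two pin checks over them. The hostnames are made up, and the checks are modelled with Go’s crypto/x509 rather than the apps’ actual Android or iOS TLS code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hostnames are assumptions for the illustration, not real services.
const (
	bankHost     = "api.bank.example"
	attackerHost = "attacker.example"
)

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign creates and parses a certificate from tmpl, signed by parent/signer.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// pki is a constructed test PKI: a CA, the bank's real certificate, a
// certificate the same CA issued to an attacker's own domain, and a
// self-signed certificate like those generic interception proxies present.
type pki struct {
	ca, bank, attacker, rogue *x509.Certificate
}

func buildPKI() *pki {
	now := time.Now()
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Public CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	leafTmpl := func(serial int64, host string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: host},
			DNSNames:     []string{host},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
	}
	bankKey, attackerKey, rogueKey := mustKey(), mustKey(), mustKey()
	rogueTmpl := leafTmpl(4, bankHost) // claims the bank's name but is self-signed
	return &pki{
		ca:       ca,
		bank:     sign(leafTmpl(2, bankHost), ca, &bankKey.PublicKey, caKey),
		attacker: sign(leafTmpl(3, attackerHost), ca, &attackerKey.PublicKey, caKey),
		rogue:    sign(rogueTmpl, rogueTmpl, &rogueKey.PublicKey, rogueKey),
	}
}

// verify chains served up to the pinned CA only. An empty host skips the
// hostname check (the flawed behaviour); otherwise the name must match too.
func verify(pin, served *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(pin)
	_, err := served.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// pinnedOnly reproduces the flawed check: anything the pinned CA issued passes.
func pinnedOnly(pin, served *x509.Certificate) bool { return verify(pin, served, "") }

// pinnedAndHostname is the corrected check: pinned CA and the expected name.
func pinnedAndHostname(pin, served *x509.Certificate, host string) bool {
	return verify(pin, served, host)
}

func main() {
	p := buildPKI()
	for _, c := range []struct {
		name string
		cert *x509.Certificate
	}{{"bank", p.bank}, {"attacker (same CA)", p.attacker}, {"rogue self-signed", p.rogue}} {
		fmt.Printf("%-20s pin only: %-5v  pin+hostname: %v\n",
			c.name, pinnedOnly(p.ca, c.cert), pinnedAndHostname(p.ca, c.cert, bankHost))
	}
}
```

The rogue self-signed certificate is rejected by both checks, which is exactly why a pentest run through an ordinary interception proxy reports pinning as working. Only the second row, a certificate legitimately issued by the pinned CA for a different name, separates the flawed check from the correct one, and that is the case a test suite for a pinned client needs to include.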

The good news is that the number of flaws in banking apps is falling year on year.

According to Positive Technologies, the proportion of high-risk vulnerabilities fell from 32% in 2016 to 29% the following year, while the proportion of medium-risk vulnerabilities dropped from 60% to 56%.

Low-risk vulnerabilities became more dominant, meanwhile, as organizations focused on fixing the worst problems.

As you might expect, iOS apps tend to be more secure than Android apps, even when they are created by the same banks, with high-risk vulnerabilities on iOS accounting for only 25% of the total, compared with 56% on Android.

One further positive takeaway from the report is that banking apps are generally considered safer than browser-based online banking, because they can use the device’s native security: an attacker would typically need to get hold of the device itself and then bypass Face ID or a PIN code. That protection covers the device rather than the connection, though; the pinning flaw found by the Birmingham researchers needed no access to the phone at all.

Security techniques are also improving all the time. Technical measures include multi-factor authentication and HTTPS, real-time email or text alerts can draw users’ attention to unauthorized transactions, and behavioral analysis can flag unusual ones.

However, Tony Neate, CEO of Get Safe Online, says customers should still take precautions. “Always use a secure internet connection to connect to your bank. However convenient, avoid using public WiFi as this may not be secure,” he says.

“Keep the banking and other apps on your device regularly updated, and always log out of your banking app when you’ve finished using it as just closing it down may not be enough.”

And, adds Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies: “Even when installing apps from a trusted service provider, users should pay close attention to access permissions and only allow what is necessary.

“For example a dictionary app should not get access to your location or contact information.”