Approov study finds majority of banking and financial services apps extremely susceptible to API security issues

New research from Approov has revealed that 92% of the most popular banking and financial services apps contain easy-to-extract secrets such as API keys, which could be used in scripts and bots to attack APIs and steal data, devastating consumers and the institutions they trust.

The Approov Mobile Threat Lab downloaded, decoded and scanned the top 200 financial services apps in the U.S., U.K., France and Germany from the Google Play Store, investigating a total of 650 unique apps. Ninety-two percent of the apps leaked valuable, exploitable secrets, and twenty-three percent of the apps leaked extremely sensitive secrets. As well as immediately exposing secrets, the scans also indicated two critical runtime attack surfaces through which API keys could be stolen while the app is running. Only 5% of the apps had good defenses against runtime attacks that manipulate the device environment, and only 4% were well protected against Man-in-the-Middle (MitM) attacks at runtime.

Commenting, Nick Rago, field CTO at Salt Security, said: “The Approov Threat Lab findings illustrate the critical importance of proper API runtime protection and malicious API behaviour detection for an organisation’s API security strategy. In order to function, most mobile apps rely on API-based communication from the application to an application back-end in the cloud or Internet-facing servers. That communication is frequently secured using static, hard-coded, admin-level or privileged API keys and secrets. App developers often mistakenly assume that the app user or an adversary could not access these keys. The Approov report highlights the widespread lack of protections app developers put around these credentials and how easy it can be for an adversary to inspect mobile app traffic or app manifests to extract privileged application communication credentials. Once those keys or credentials find their way into the hands of a bad actor, adversaries can leverage the APIs with admin-like authority. For financial services customers, the impact could be devastating as the attacker could not only gain the power to steal sensitive data associated with customer accounts but also conduct financial transactions associated with those accounts. Once a privileged API key is in the hands of an adversary, and they have the authority to use that API, your security defences are 100% reliant on your ability to quickly detect abnormal and malicious API usage in runtime that indicates an attacker is abusing your APIs.”
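As an added example, not part of this article or of Approov's tooling: a small pre-release check in the spirit of the study's "decode and scan" step, run over a constructed sample of decoded app resources (the file names and key values are made up). It flags provider-format keys as high severity and generic high-entropy key/secret/token assignments as medium, and skips label strings such as "Token" that would otherwise be false positives.

```python
import math
import re
from dataclasses import dataclass

# Provider-specific formats are "high": the key is usable against that API as-is.
# A generic key/secret/token assignment with a high-entropy value is "medium".
PROVIDER_PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
}
# Generic forms: Android <string name="...key...">value</string> and key = value lines.
GENERIC_PATTERNS = [
    re.compile(r'<string name="[^"]*(?:key|secret|token)[^"]*">([^<]+)</string>', re.I),
    re.compile(r'(?:api[_-]?key|secret|token)\s*[:=]\s*"?([A-Za-z0-9_\-]+)', re.I),
]

@dataclass
class Finding:
    path: str
    kind: str
    severity: str
    value: str

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score well above plain words."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_file(path: str, text: str, min_len: int = 16, min_entropy: float = 3.5) -> list:
    findings = [Finding(path, kind, "high", m.group(0))
                for kind, pat in PROVIDER_PATTERNS.items() for m in pat.finditer(text)]
    seen = {f.value for f in findings}  # avoid reporting a provider key twice
    for pattern in GENERIC_PATTERNS:
        for m in pattern.finditer(text):
            value = m.group(1).strip()
            # Length and entropy gates drop labels ("Token") and short placeholders.
            if value in seen or len(value) < min_len or shannon_entropy(value) < min_entropy:
                continue
            seen.add(value)
            findings.append(Finding(path, "generic_secret", "medium", value))
    return findings

def scan_app(files: dict) -> list:
    """files maps a decoded-resource path to its text, as after unpacking an APK."""
    return [f for path, text in files.items() for f in scan_file(path, text)]

SAMPLE_APP = {  # constructed sample of decoded app resources, not from any real app
    "res/values/strings.xml": ('<resources>\n  <string name="app_name">Sample Bank</string>\n'
                               '  <string name="token_label">Token</string>\n'
                               '  <string name="payments_api_key">AKIAEXAMPLE000000000</string>\n'
                               '</resources>\n'),
    "assets/config.properties": "base_url=https://api.example.com\n"
                                "analytics_token=k3Jq9vLm2pXz8wBn4tYr7sQd\n",
}
```

Running `scan_app(SAMPLE_APP)` on the constructed sample yields one high finding (the AWS-format key in strings.xml) and one medium finding (the high-entropy token in the properties file); the "Token" label is correctly ignored.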