On the heels of the news of PayPal's vulnerable iPhone application, The Wall Street Journal broke news of additional vulnerabilities in other major financial institutions' smartphone applications. These security flaws were uncovered by computer and mobile forensics firm viaForensics, who tested smartphone applications from Bank of America, Chase, TD Ameritrade, USAA, Wells Fargo and Vanguard, in addition to PayPal.
viaForensics has been communicating and coordinating with the financial institutions to address the flaws. Most of the institutions were able to quickly resolve the issues and release new versions of their applications.
According to American Banker, 25% of the mobile banking programs analyzed received a poor rating: "In most cases, these failures occurred because testers were able to recover a user password or other sensitive user data from a user's mobile device. In some cases, the apps cached a security PIN or a user name and password. In other instances testers were able to recover payment history, partial credit card numbers and other transaction-related data. About a third (31%) of mobile banking apps received a 'Warn' grade because a user name or app data was present, but not considered a significant risk to the user. The remaining 44% of mobile banking apps passed the test."
viaForensics has retested the applications and released the results through appWatchdog, a free service which tests publicly available mobile applications for insecure transmissions or storage of sensitive user data. The service measures such factors as how securely the app handles user names and passwords. If not handled properly, security lapses can place the user at risk for data and financial theft. A deeper audit is offered through appSecure, which provides sophisticated security testing and recommendations for securing the app.
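The grading described above boils down to one check an app security auditor can reproduce: log into the app with a known test account, pull the app's sandbox off the device, and search the recovered files for what the tester typed in or what the app should never have written to disk. The script below is an added example, not viaForensics' appWatchdog code or the tooling of any of the banks named here. It assumes a hypothetical test account, a constructed set of recovered files (file paths and contents are made up for the example), and the three grades the article describes: Fail when a password, PIN, card data or transaction history is recoverable, Warn when only a user name is present, and Pass otherwise.

```python
import re
from dataclasses import dataclass

# Hypothetical test account the auditor used in the app (constructed, not real).
TEST_ACCOUNT = {"username": "audit.user", "password": "Tr0ub4dor&3", "pin": "4921"}

# Constructed sample of files pulled from an app's sandbox after a test session.
SAMPLE_SANDBOX = {
    "Library/Preferences/com.example.bank.plist":
        b"<key>lastUser</key><string>audit.user</string>",
    "Library/Caches/session.json":
        b'{"user":"audit.user","pin":"4921","balance":"1,204.55"}',
    "Documents/txn_cache.db":
        b"2010-11-04|PAYMENT|****1234|45.00\n",
}

# Grades follow the article's categories: Fail / Warn / Pass.
FAIL_KINDS = {"password", "pin", "card_data", "transaction"}
WARN_KINDS = {"username"}

# 13-19 digit runs with optional separators; candidates are Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Partial card numbers as apps commonly render them: masked prefix plus last four.
MASKED_CARD_RE = re.compile(r"\*{4,}\d{4}")
TXN_RE = re.compile(r"\b(?:PAYMENT|TRANSFER|DEPOSIT|WITHDRAWAL)\b")


@dataclass
class Finding:
    path: str      # file in the recovered sandbox
    kind: str      # password, pin, card_data, transaction, username
    snippet: str   # the matched text, for the auditor's report


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum, used to avoid flagging arbitrary digit runs as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_file(path: str, data: bytes, account: dict) -> list:
    """Return every sensitive item recoverable from one file."""
    text = data.decode("utf-8", errors="replace")
    findings = []
    if account["password"] in text:
        findings.append(Finding(path, "password", account["password"]))
    if account["pin"] in text:
        findings.append(Finding(path, "pin", account["pin"]))
    if account["username"] in text:
        findings.append(Finding(path, "username", account["username"]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding(path, "card_data", m.group()))
    for m in MASKED_CARD_RE.finditer(text):
        findings.append(Finding(path, "card_data", m.group()))
    for m in TXN_RE.finditer(text):
        findings.append(Finding(path, "transaction", m.group()))
    return findings


def grade(findings: list) -> str:
    kinds = {f.kind for f in findings}
    if kinds & FAIL_KINDS:
        return "Fail"
    if kinds & WARN_KINDS:
        return "Warn"
    return "Pass"


def audit_sandbox(files: dict, account: dict = TEST_ACCOUNT):
    """Grade a recovered app sandbox (path -> bytes) and list what was found."""
    findings = []
    for path, data in files.items():
        findings.extend(scan_file(path, data, account))
    return grade(findings), findings


if __name__ == "__main__":
    result, found = audit_sandbox(SAMPLE_SANDBOX)
    print("Grade:", result)
    for f in found:
        print(f"  {f.kind:<12} {f.path}: {f.snippet}")
```

The constructed sandbox grades Fail because a PIN, a masked card number and a payment record all came back off the device, even though the password itself was not stored. Searching for the exact values the auditor entered is deliberate: it catches credentials whatever file format the app chose, while the Luhn check keeps unrelated digit strings such as timestamps from being reported as card numbers.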
Sources: viaForensics, American Banker