Banking apps handle some of the most sensitive data on our smartphones. And yet, they're not as secure as you might think, or as they should be.
In 2013, a security researcher studied 40 banking apps for iOS from some of the world's biggest banks and found that the majority leaked a lot of personal data and didn't take basic steps to keep users' information secure. Now, the same researcher has tested these apps again, and while things have improved in two years, some banking apps still aren't secure.
"There has been a significant improvement in the state of security in banking apps, but they still need to keep working on new and better solutions to keep the data safe of each customer," Ariel Sanchez, a researcher at IOActive who published his findings on Thursday, told Motherboard in an email.
The main improvement since 2013 is that most apps now encrypt data as it travels from the app to the bank's servers, using SSL or TLS, the transport encryption that is slowly becoming the norm on the web. In 2013, 90 percent of the apps sent at least some traffic unencrypted; now it's 35 percent. While this is good news, there is still a considerable number of apps through which a hacker on the same network could intercept the traffic and trick users into entering their credentials on a spoofed login page.
Another major issue, according to Sanchez, is that the majority of banking apps he studied still don't offer a more secure alternative to the standard username and password. Only 42 percent of them offer two-factor authentication or other stronger ways to log in, according to Sanchez. Moreover, he found that 15 percent of the apps store users' sensitive data in plaintext on the phone.
Sanchez did not name and shame the apps, and it's hard to generalize about why banking apps still don't take security as seriously as they probably should. For him, one of the main reasons is that banks still seem to favor usability over security, and don't realize that a security breach through their apps could directly impact their business.
"The key is understanding that security is a business issue rather than an IT issue," Sanchez said.
In any case, this research should serve as a cautionary tale for users. While the average user can't analyze and evaluate the security of their banking apps the way Sanchez did, there are steps users can take to protect themselves regardless of which apps they use. For example, Sanchez suggests enabling two-factor or multi-factor verification where possible, and never using banking apps on public WiFi.
"Free wifi isn't always a good thing," he said.