Exposed API Keys Threaten Security of Android Banking Apps

Severe lapses in security pose a massive risk to those who bank via mobile devices. Researchers recently revealed that the mobile apps of 30 financial services firms could be compromised in as little as eight minutes thanks to unprotected Source Code, sensitive data, and weak API keys. The threat is real. 

The vulnerabilities were exposed by cybersecurity company Arxan. It discovered shocking details about mobile banking apps from the Google Play Store and their poorly executed protections. 

Nearly all the apps (97%) lacked binary code protection. This slip up allows the apps to be reverse engineered in a way that could expose the source code and open them up to tampering. Unintended data leakage impacted 90% of the tested apps. Leaked data was accessible by other on-device applications that share services, leaving the mobile banking app's data wide open. Insecure data storage plagued 83% of the apps by storing it on a mobile device's local file system, external storage, and even the clipboard. Weak Encryption was a problem for 80% of the apps. This makes it possible for attackers to decrypt sensitive data and steal it. Last, 70% of the apps used an insecure random-number generator. Without securing the generator, hackers could more easily guess their way in. 

The apps tested by Arxan included banking, mobile payments, and credit/debit cards. So much for bank-grade security. 

"There's clearly a systemic issue here -- it's not just one company, it's 30 companies and it's across multiple financial services verticals," said Alissa Knight, cybersecurity analyst behind the report, speaking to ZDNet.

API keys played a role here. Knight discovered it was often possible to extract (supposedly) hidden API Keys via device file systems.

"API keys are basically that private password you don't want to get out," continued Knight. "What was a systemic finding across multiple financial services mobile apps was that these private API keys were being found in the code. It's almost as if the developers who wrote the code didn't realize that it's possible to actually browse the directory structure of this mobile app and pull these files out, pull the keys out of subdirectories."

Such raw access to the APIs would allow hackers to repurpose them for malicious actions. Such adjustments could include URL modifications, app behavior changes, and data redirects.

Knight did not identifty the financial apps in question, but it hopes the report serves as a wake-up call for all financial services providers.

"You need to know that adversaries are beginning to target this area. This is the new frontier, this is a new area of focus for adversaries," noted Knight. 


Be sure to read the next Security article: 42Crunch Introduces API Security Platform