U.S. retailers are ramping up for the holiday shopping season, but shoppers should think twice before paying with mobile payment apps such as Apple Pay and Venmo, a study warned. Bluebox Security’s 2015 Payment App Security Study found that security was lacking in at least 10 popular mobile payment apps for Android and iOS.
Bluebox Security decided not to reveal the names of offending apps to protect individual shoppers using them from attack. Instead, the report focused on the types of flaws found.
Consumers may not realize “they are opting for the convenience of on-the-go payments over the security imparted by traditional methods like cash or checks, ultimately putting their dollars at risk,” said Andrew Blaich, lead security analyst at Bluebox Security.
In every app reviewed, security was “remarkably basic.” The apps in the study lacked enterprise-grade protections to safeguard financial transactions. For example, none of the apps had antitampering controls to prevent payments from being manipulated. None of the apps encrypted data written to disk, meaning authentication data, transaction history, and other personal information was readily available to attackers with access to the device.
Bluebox Labs selected and tested five payment apps available for both Android and iOS. Two were peer-to-peer payment apps used to send monetary gifts to friends and family, and three were one-click merchant apps from leading retailers. The apps were selected based on searches for top mobile payment apps and app store rankings. Bluebox also ran the apps on both jailbroken and nonjailbroken devices to understand how that affected overall security.
“Our starting hypothesis was that mobile apps handling financial information would have more rigorous security compared to other mobile apps, but our research uncovered the opposite,” Blaich said.
iOS is typically viewed as being more secure than Android and less at risk for malicious apps. When it comes to payment apps, however, the security of Android and iOS apps is roughly equivalent. They both made mistakes.
Every app was vulnerable to tampering that would allow funds to be routed from the user’s account to one controlled by the attacker. Any attacker with minor skill and access to the app from an app store can modify the app, including adding malware/spyware into the original code, and none of the payment apps examined in the study had any code integrity checks. This is troubling, considering that P2P payment apps are not FDIC insured; if the money gets lost, there is no consumer protection.
Bluebox Security found one good security practice: one of the apps used certificate pinning to protect data in transit to its cloud servers. Certificate pinning helps mitigate man-in-the-middle attacks. However, since the app did not have anti-tampering controls, attackers would be able to disable certificate pinning.
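To illustrate what certificate pinning actually adds on top of normal TLS validation, and why it depends on the app's own integrity, here is a short Python sketch. This is an added example, not code from the Bluebox study or from any of the apps reviewed; the certificate bytes and pin values are constructed placeholders, and `verify_peer` is a hypothetical helper an app might call right after the TLS handshake.

```python
import hashlib
import hmac
import ssl
from typing import Iterable

# Constructed sample bytes standing in for the DER-encoded certificate the
# payment server presents (placeholder, not a real certificate).
SERVER_CERT_DER = b"\x30\x82\x01\x0aCONSTRUCTED-SERVER-CERT-PLACEHOLDER"

# Constructed sample standing in for a certificate an interception proxy
# would present: chain-valid as far as the OS is concerned, but not pinned.
PROXY_CERT_DER = b"\x30\x82\x01\x0aCONSTRUCTED-PROXY-CERT-PLACEHOLDER"


def make_pin(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, hex-encoded.

    An app ships one or more of these values and compares the live
    certificate against them.
    """
    return hashlib.sha256(cert_der).hexdigest()


# Pins are typically a primary plus a backup so a planned certificate
# rotation does not lock users out. If these constants live unprotected in
# the app binary, a repackaged app can simply replace or remove them, which
# is why pinning without anti-tampering controls is easy to disable.
PINNED_FINGERPRINTS = [
    make_pin(SERVER_CERT_DER),        # current server certificate
    make_pin(b"CONSTRUCTED-BACKUP"),  # backup certificate for rotation
]


def cert_matches_pins(cert_der: bytes, pins: Iterable[str]) -> bool:
    """True only if the presented certificate matches one pinned fingerprint.

    compare_digest keeps the comparison constant-time so the check does not
    leak how much of the fingerprint matched.
    """
    fingerprint = make_pin(cert_der)
    return any(hmac.compare_digest(fingerprint, pin.lower()) for pin in pins)


def verify_peer(ssl_sock: ssl.SSLSocket, pins: Iterable[str]) -> None:
    """Post-handshake pin check (hypothetical helper).

    Ordinary TLS validation only asks "did a trusted CA sign this chain?".
    Pinning additionally asks "is this the exact certificate we expect?",
    which is what defeats a man-in-the-middle holding any other valid cert.
    Raising here means the caller never sends a transaction over an
    unpinned connection.
    """
    der = ssl_sock.getpeercert(binary_form=True)
    if der is None or not cert_matches_pins(der, pins):
        raise ssl.SSLError("peer certificate does not match pinned fingerprints")


if __name__ == "__main__":
    # Offline demonstration using the constructed certificate bytes.
    print("server cert pinned:", cert_matches_pins(SERVER_CERT_DER, PINNED_FINGERPRINTS))
    print("proxy cert pinned: ", cert_matches_pins(PROXY_CERT_DER, PINNED_FINGERPRINTS))
```

In a real app, `verify_peer` would run on the `ssl.SSLSocket` returned by `ssl.SSLContext.wrap_socket` before any request is sent; the OS chain validation still happens first, and the pin check only narrows which certificates are accepted.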
Only two Android apps obfuscated code. None of the iOS apps did. Obfuscation “should be a standard practice across all payment apps,” Bluebox Security said. Three Android apps and three iOS apps had debug and admin messages still turned on, which is another basic developer mistake.
Organizations are making the same security errors in their rush to get apps to market, regardless of the industry they are in, Bluebox Security found. On average, three-quarters of the app code came from third-party code libraries. This makes sense since developers rely on third-party code to speed up the development lifecycle. However, the libraries aren’t regularly secured and vetted, exposing the payment apps to possible breaches.
As organizations increasingly rely on mobile app revenues, they need to take greater precautions to protect mobile payments. Data breaches would affect their customers and damage the company brand, Bluebox noted.
An estimated 270 million consumers will shop online this holiday season. What’s striking is that shopping on mobile devices will overtake desktops, with mobile devices driving 29 percent of online sales on Thanksgiving Day, Adobe said in its 2015 Digital Index Online Shopping Prediction. Attackers can take advantage of security mistakes pervasive in popular payment apps to target consumers and enterprises.