Financial apps have access to valuable and sensitive personal data, so you would think mobile app security would be top-of-mind for financial institutions. But is it?
In early 2023, the Approov Mobile Threat Lab released results from an automated inspection of the top 200 financial apps in four countries in terms of downloads: US, UK, France and Germany. The full report is available for download here. There are, of course, thousands of finance apps deployed in every country, but the 650 unique apps that the team looked at cover millions of users and manage billions of dollars, euros, pounds not to mention the vast number of cryptocurrencies.
The team was looking at how well these apps hide secrets ("secrets" refer to sensitive information such as API keys, access tokens, usernames, passwords, encryption keys, and other credentials that are used to authenticate and authorize access to backend services and resources). These secrets are considered confidential and should be protected from unauthorized access, tampering, or disclosure. Some secrets are more useful to hackers than others, and the secrets that are the most useful of all are the API Keys used by mobile apps.
Secrets can be stolen in many ways. They can be taken from repositories, they can be exposed in app code or they can be intercepted when an app is running. Hackers can use them to access APIs, steal data and derail services. This research looked at what secrets could be extracted immediately as well as how well protected apps were at runtime.
This blog will briefly discuss the risks of exposing API keys and will describe the types of keys the team found directly in mobile app code. My next blog will look at how keys can also be stolen at runtime and will share what the team found about runtime exposure of the inspected apps.
Mobile App Security and API Keys
Mobile apps are now critical to most businesses and as confirmed by previous research sponsored by Approov (https://approov.io/news/osterman-report/), they often access dozens of APIs to do their job. Unfortunately mobile app code can be inspected, client environments can be manipulated - and APIs become a target for hackers.
Typically, when apps use an API, they sign up and get allocated a key. This identifies the app to the backend API and authenticates the app that's making the call so the API backend knows which particular app is making the request. This blocks any anonymous traffic and can be used to limit data requests.
It is sometimes argued that if valid user authentication tokens are required by the API then API keys don't actually need to be kept secret since they only identify the app and are secondary to user authentication. However, if obtaining a user login is easy, anyone, including attackers, can sign up and access APIs using stolen keys.
What can go wrong if API keys are exposed? The risk depends on the capabilities of the particular API whose key has been compromised. Recent examples show major data breaches via scripts using stolen API keys.
The Myth of Obfuscation
The team set out to evaluate what types of secrets could be extracted from code with an automated static analysis using readily available tools. Secrets were exposed in almost all of the apps that could be used to access a variety of backend APIs.
Despite many of the claims about improved cybersecurity awareness and better development and testing tools, most apps still expose secrets in their code. The scanners could see if obfuscation had been used on the code but unfortunately found that obfuscation techniques had little impact on the number or type of uncovered and extracted secrets. Obfuscation may discourage hobbyists, but not determined hackers.
Secrets found were classified into Low, Medium and High Value. Although Low Value Secrets are not “service-impacting”, hackers could still access these types of APIs and post incorrect and misleading data, undermining the quality of analytics, or causing support teams to waste time tracking down seemingly widespread phantom bugs.
High Value Secrets are those we consider extremely dangerous if exposed. Some examples: private keys, keys for payment or transfer services, and keys that included “authentication” or “attestation”.
Source: approov.io
Conclusion
In summary, 92% of the most popular Banking and Financial Services apps contained easy-to-extract API keys, which can be used in scripts and bots to attack APIs and steal data. Twenty three percent of the apps leaked extremely sensitive secrets. These results are disappointing to put it mildly - we all use apps to manage our finances and we must be able to trust our financial institutions.
The worst part of this is that there are better ways to protect API keys so that they are never exposed to hackers. For example, API keys can be stored on a secure server, and the mobile application can request them “just-in-time” at runtime. This way, the API keys are not hardcoded into the application and are not as easily accessible to attackers.
Download the full report to see detailed data, country by country, category by category, as well as detailed recommendations on how to better manage and protect secrets in mobile apps. The full report is available for download here.
In my next blog I will look at the second aspect of the report's findings: Just how exposed are these financial apps at runtime?