Introduction and Context
This blog provides a snapshot of mobile app security in Financial Services based on an extensive study performed by Osterman Research and published in the Approov-sponsored report “The State of Mobile App Security in 2022”, in July this year.
A second blog released today provides the same level of information and analysis of the security of mobile apps in Healthcare.
In a follow-up to the research issued in the report, Osterman Research has issued new mobile app security findings by sector for Healthcare and Financial Services.
The findings reveal both the growing dependence of each sector on mobile apps, and some sector-specific gaps between the strategic importance of mobile apps and the attention and resources allocated to protecting mobile apps against runtime threats.
The findings were based on a survey of 302 security directors and mobile application development professionals in the US and UK who identified as being employed in Tech, Financial Services, Healthcare or "other" sectors. The original report and a 30 minute video summarising the findings are available here.
All sectors saw a sudden mass migration to online services in the last 2 years and in general, mobile apps have rapidly become business-critical, with their importance across industries tripling in the last 2 years - they are expected to become even more essential by 2024 - 92% of respondents say they will be critical to the business by then.
Financial Services Specifics
Financial services is a dynamic market which continually introduces new innovative products and services to a growing mobile population. These new business models can sometimes be challenging to implement in a way that provides great customer service and a completely secure interaction.
There has been much talk of “bank-grade security” but unfortunately, the Osterman findings lead to the conclusion that the financial sector has a certain level of complacency with respect to security.
This is concerning since you could argue that this is the sector that has most to lose if a breach occurs.
In Financial Services, Osterman found that the assessment of mobile apps as critical to operations jumped five times in this sector in the 2 year period. In 2020, 15% of organizations considered mobile applications as critical to business operations, but 81% of respondents reported mobile apps as critical to the business in 2022.
In the Tech sector, on the other hand, mobile apps were considered critical to line of business operations in 2020 by 68 percent of respondents. In 2022, 86 percent of Tech respondents cited mobile apps as critical to their organization's business.
Michael Sampson, senior analyst, the author of the report, senior analyst at Osterman Research said,
“The technology vertical adopted mobile apps earlier but over the last 2 years, other verticals such as Financial Services and Healthcare have been scrambling to catch up''.
A rapid rate of change in the criticality of mobile apps inevitably puts pressure on organizations to rush new features to market and this is reflected in the findings.
In Financial Services, 46 percent of respondents indicated that their organizations prioritized bringing new features to market over fixing known insecurities.
Michael Sampson, says, “This dynamic environment unfortunately seems to lead to a situation where new features are prioritized over security. This is seen clearly in Financial Services , the industry with most at stake, where a high percentage of respondents indicated weak security practices.”
There are particular security issues in Financial Services highlighted in the report:
- Almost half (46 %) of respondents in Financial Services feel they do not communicate security policies effectively to developers, vs only 17 percent in Tech and a statistically insignificant percentage in Healthcare.
- The same number (46 %) of Financial Services respondents believe their organizations don't have the right levels of security skills, whereas only 12 percent of respondents surface this issue in the Tech sector.
- 77% of respondents in Financial Services had no visibility to data stolen from APIs by scripts using stolen API keys i.e. more than 3 times worse than the visibility to this issue which was reported in Tech.
- Another example is “fake account creation” where twice as many respondents in Financial Services reported poor visibility (69%) than in Tech.
- 81% of Financial Services respondents reported no visibility to the impact of false positives from security solutions on customer experience. This was far higher than Tech (44%) and Healthcare (63%). A cynic might suggest that it is because security deployments are limited.
In Summary
The last few years have seen rapid innovation in Financial Services products and offerings, both from existing institutions and Fintech startups. However, findings from “The State of Mobile App Security in 2022” show that now, Financial Services companies must augment security before a major breach occurs.
More security discipline around development practices for building mobile apps and APIs is essential in this vertical, as is a comprehensive approach to protecting API keys and other secrets. In addition, a run-time security strategy must be put in place to protect misuse of stolen credentials if and when they are stolen.
Learn more about Approov in Financial Services here and learn how a free 30 day trial would help you gain visibility to mobile app threats here.