As Americans prepare for the spending bonanza that is Black Friday and Cyber Monday, many will choose to use mobile payment apps. However, according to Bluebox Security, many of those consumers might want to think twice about doing so, as security in at least 10 popular apps across Apple iOS and Google Android isn’t what it should be.
The 2015 Payment App Security Study, authored by Bluebox Security, found that none of the payment apps examined encrypts data stored on users’ devices. In addition, Bluebox found that all of the apps it examined are at risk from tampering that could potentially enable an attacker to reroute funds.
Bluebox Labs selected and tested five apps on Android and the same five on iOS, according to Andrew Blaich, lead security analyst at Bluebox. Bluebox selected the apps based on searches for the top mobile payment apps and rankings from the app stores. All apps were run on a combination of jailbroken and non-jailbroken phones to fully understand how secure the apps are. While Bluebox is reporting that there are flaws in mobile payment apps, it is not disclosing the names of the apps themselves.
“The purpose of this research is to bring to light the issues present in payment-related mobile apps so enterprise security teams can reassess the protections they have in place and remediate any flaws that may leave their users vulnerable,” Blaich told eWEEK. “We have decided not to release the specific names of the mobile payment apps in order to protect users of these apps from being exploited and to avoid distracting from the larger message to developers and enterprise security teams around the need for more stringent application security.”
While Android malware tends to dominate the mobile security headlines, when it comes to mobile payment apps, the security of Android and iOS ones is roughly equivalent, according to the Bluebox analysis.
“The iOS apps and Android apps were both on par with the amount—or lack of—security they contained,” Blaich said. “Neither platform was more secure than the other.”
Bluebox Security is a vendor of mobile security technologies intended to help enterprises secure mobile apps. Blaich noted that as part of the investigation into mobile payment apps, Bluebox researchers used a combination of tools, including smali/baksmali, IDA and mitmproxy as well as some custom tools that Bluebox has developed for internal use.
One particular area of mobile security focus in recent years has been the use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) to properly encrypt data transmission. In 2014, security vendor FireEye found that 68 percent of the top downloaded free apps from the Google Play store had some form of SSL/TLS-related risk. The Bluebox study did not specifically focus on the SSL/TLS risk in mobile payment apps, though it does provide some visibility into the use of self-signed SSL/TLS certificates. Self-signed certificates represent a potential risk as they are not validated by a third-party certificate authority (CA).
“As the scope of the research focused on the app-level security and the channels it creates to the back end, we didn’t look into the server-side settings specifically,” Blaich said. “However, none of the payment apps we investigated used a self-signed server certificate, but we have encountered mobile apps that do use a self-signed certificate and include the certificate with their app in order to validate the server.”
As to why security is lacking in mobile payment apps, Blaich said security has always been an afterthought in the development process for most developers and companies.
“The focus largely in the mobile industry is to have a visually appealing app that can do what it needs to do, and if a security problem comes up, then they’ll figure a way of fixing it later,” he said. “However, security needs to be integrated early in the development process with threat modeling occurring at each step of the way to determine what is and is not a risk factor to ensure that the security gets built properly.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.