Mobile apps are a great way to reach the exploding population of smartphone and tablet users, as an increasingly large number of financial services firms have been discovering. But distributing these apps to the public opens those firms to a new set of risks.
Many mobile apps are distributed through third-party app stores, which are often not secure. The resulting exposure can put a service's brand and reputation at risk, and with them the financial account credentials of its users, leaving the contents of their accounts vulnerable to cyberthieves.
Low security awareness
According to a recent survey by Osterman Research, 40% of financial services firms offer one to five apps to their customers, another 26% offer between six and 20, and 10% actually offer more than 20. (The rest offer none.) The average was 3.1 per firm, versus 2.5 per firm in other industries. Yet the same survey found that a clear majority of app managers at financial services firms were unaware of the security issues involved in third-party app stores: 25% said they were unaware and 32% said they were only slightly aware. Of the rest, 18% said they were somewhat aware, another 18% said they were pretty aware, and only 7% said they were very aware.
The problem with app stores is that, in many cases, their content is not policed, and malware can be posted there as readily as legitimate apps. For financial services (and other legitimate enterprises with mobile apps) this opens the door to copycat and stolen apps.
Fake apps abound
Copycat apps will look like legitimate apps, but have been repackaged to include malware that may facilitate spam, generate unwanted advertising, send for-fee SMS messages that run up the user’s bill, modify search results to send the users to paid advertisers, or steal the users’ login credentials so the hackers can drain the victim’s financial accounts. A survey by RiskIQ covering more than five million mobile apps indicated that 90% of leading brands have seen their apps copycatted.
Similarly, stolen apps are an issue for owners who rely on them for revenue. On un-policed sites they can be pirated, with revenue from the sales going to the pirates rather than to the legitimate owners. Pirated software, meanwhile, is often repackaged with the same kind of malware seen with copycatted apps.
Beyond the immediate negative impact on users, their mobile devices, and their financial accounts, the firm's own network security can also be compromised when users log in from infected devices. The resulting exposure of personal financial information and protected health information can result in violations of the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Payment Card Industry's Data Security Standard (PCI DSS), and other laws and regulations intended to protect privacy. The likelihood of an infection being passed on is very real: Osterman Research found that 36% of mobile users employ their primary mobile device to share content with partners, customers and prospects, while 97% use their device to check email.
Malware is rampant
Mobile malware is found mostly in apps for the Android operating system. In fact, a survey conducted by the US Department of Homeland Security and the FBI found that 79% of mobile malware was on Android devices, with much of the rest running on Symbian devices. Android devices, however, now represent the bulk of the smartphone market.
Meanwhile, the problem is clearly not going to go away by itself. Smartphone subscriptions are growing at a compounded annual rate of 25% and should reach 4.5 billion in 2018, says Ericsson Mobility. Tablets and other mobile devices are growing at a rate of "only" 20%. Pew Research has found that half of mobile phone users download applications, making it the fourth most popular activity for users of mobile devices.
The answer to these security threats is continuous monitoring and management. App stores must be scanned for possible copycatted or stolen apps, and for other rogue or malicious apps that could target the firm's users. Unfortunately, this is often overlooked or not done thoroughly.
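To make the scanning step concrete, here is an added example (not code from the article or from Osterman Research) of the classification logic a store-monitoring job could apply to each listing it crawls. It assumes the firm keeps an allowlist of its official Android package names together with the fingerprint of the signing certificate each is published with, and that a crawler returns listings as dicts with package, title, developer and cert_sha256 fields. All package names, developers and fingerprints below are constructed placeholders. A listing that reuses an official package name but carries a different signing certificate is flagged as repackaged (the copycat case the article describes), a listing whose package name differs from an official one only by look-alike characters or a small edit is flagged as a lookalike, and everything else is left alone.

```python
"""Classify third-party app store listings as legitimate, repackaged,
lookalike or unrelated. Added example; all values are constructed."""
import difflib

# Constructed allowlist: official package name -> signing certificate fingerprint.
# In practice this comes from the firm's own release records.
ALLOWLIST = {
    "com.examplebank.mobile": "SHA256:PLACEHOLDER_OFFICIAL_CERT_FINGERPRINT",
}

# Constructed listings, shaped like what a store crawler might return.
STORE_LISTINGS = [
    # The firm's own app: official package name and official signer.
    {"package": "com.examplebank.mobile", "title": "ExampleBank Mobile",
     "developer": "ExampleBank Inc",
     "cert_sha256": "SHA256:PLACEHOLDER_OFFICIAL_CERT_FINGERPRINT"},
    # Same package name, different signer: a repackaged copy.
    {"package": "com.examplebank.mobile", "title": "ExampleBank Mobile",
     "developer": "Unknown Dev",
     "cert_sha256": "SHA256:PLACEHOLDER_OTHER_CERT_FINGERPRINT"},
    # Capital I in place of lowercase l: a look-alike package name.
    {"package": "com.exampIebank.mobile", "title": "ExampleBank Mobile Free",
     "developer": "Free Apps 4 U",
     "cert_sha256": "SHA256:PLACEHOLDER_THIRD_CERT_FINGERPRINT"},
    # Official name with an extra segment appended: a near-miss name.
    {"package": "com.examplebank.mobile.pro", "title": "ExampleBank Pro",
     "developer": "Pro Apps Ltd",
     "cert_sha256": "SHA256:PLACEHOLDER_FOURTH_CERT_FINGERPRINT"},
    # Unrelated app that should not be flagged.
    {"package": "org.puzzlefun.game", "title": "Puzzle Fun",
     "developer": "Puzzle Co",
     "cert_sha256": "SHA256:PLACEHOLDER_FIFTH_CERT_FINGERPRINT"},
]

# Characters commonly swapped for one another in look-alike names. The
# mapping is deliberately lossy (i -> l turns "mobile" into "moblle") because
# it is applied to both sides of every comparison, so only differences that
# survive the mapping count.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l"})


def normalize(name):
    """Lowercase a package name and fold confusable characters."""
    return name.lower().translate(CONFUSABLES)


def classify(listing, allowlist=ALLOWLIST, threshold=0.85):
    """Return 'legitimate', 'repackaged', 'lookalike' or 'unrelated'."""
    pkg = listing["package"]
    if pkg in allowlist:
        # Exact package match: the signer decides whether it is really ours.
        if listing["cert_sha256"] == allowlist[pkg]:
            return "legitimate"
        return "repackaged"
    norm_pkg = normalize(pkg)
    best = 0.0
    for official in allowlist:
        norm_official = normalize(official)
        if norm_pkg == norm_official:
            return "lookalike"  # differs only by confusable characters
        ratio = difflib.SequenceMatcher(None, norm_pkg, norm_official).ratio()
        best = max(best, ratio)
    return "lookalike" if best >= threshold else "unrelated"


def scan(listings, allowlist=ALLOWLIST):
    """Classify every listing; returns (package, developer, verdict) tuples."""
    return [(item["package"], item["developer"], classify(item, allowlist))
            for item in listings]


if __name__ == "__main__":
    for package, developer, verdict in scan(STORE_LISTINGS):
        print(f"{verdict:11} {package:30} {developer}")
```

Only "repackaged" and "lookalike" verdicts need a takedown request or a closer look; the similarity threshold is a tuning knob, and a real job would also compare the listing's title and developer name against the firm's brand and account names.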
Osterman Research found that 21% of financial services firms never performed such scanning. Another 29% did scan, but less than quarterly. Of the rest, 4% scanned quarterly, 7% monthly, 21% weekly, and 18% daily.