Skip to main content
Application Security padlock icon

This post is from the Arxan blog and has not been updated since the original publish date.

Last Updated Apr 16, 2019 — Application Security expert

Vulnerability Epidemic in Financial Mobile Apps - Episode 7 [Video]

Application Security


What should we do?

So what should consumers be doing? Should I be removing every single--


--financial app from my phone?

Switch to a typewriter and move to--cans and strings.

No, I think that consumers need to be aware of the threat and not-- I think consumers need to think about it differently and realize that with convenience comes costs.

Let's be honest, security is a balancing act between convenience and security. Do you make your employees change their password every week and make them write it down, because it's too complicated? Or do we ease those controls and that password strength requirement, and give them something, the ability to actually memorize their password? It's a juggling act.

And unfortunately, convenience with humans will always win. Which is why humans are the weakest link in security.

I think Joe consumer or Jane consumer needs to understand that these threats are there. And be cognizant of the things that they can control in their environment. I don't think they should stop doing this. Because at the end of the day, if you're banking, and let's say they're using one of these apps that I removed, at the end of the day, the bank will cover you.

If your malware-- if malware scrapes your creds, or scrapes money, and automatically transfers it out of your account, like with that PayPal malware, the bank will cover you. So I think it's just being aware-- what wireless access points are you connected to? Are you in control of that web? How much are you doing at Starbucks? It's just thinking before you do things, and realizing that there's always someone there looking and watching, always.

Yeah, so any tips, based on what you saw. You're keeping a few of the apps that you have. You left some.

Yes, so let's just say this. This is my million dollar statement from the outcome of my research. This solution is not a vitamin, it's a pill. This is not a nice to have. This is a need to have. And it's really-- I think, it's educating the market that this is a real problem. Why haven't they been trying to solve it? And they need to figure out-- they need to figure out how to do it. Because if it's not a focus or target for many hackers out there, it will be very quickly, especially as more data like this gets published. They're going to realize that it really is that new, soft gooey interior that they can go after.

So Aaron, should companies be trying to be not the easiest thing?

The funny story there is, how do you escape a bear attack? It's by being faster than one of your friends. But in all cases, I guess my tip is-- I use the Reading Rainbow philosophy, don't take our word for it. None of the techniques that are talked about in the research, none of this, is at the level that a nice afternoon of coffee, and/or other things, and taking a look at what your enterprise's app actually has in it. Download it, open it up, take a look. If there's anything that you recognize, there probably shouldn't be that in there. And so, I think the thing that I want to say is that, this really is not inaccessible, in terms of being able to look through what your enterprise has, an externally facing entity. And so, once you have identified what those assets are, then it's a conversation on how you secure them.

Yeah, and I've been walking around RSA, and I see machine learning, and artificial intelligence, and all of these very advanced concepts that are very exciting, and lots of colors, but it sounds like it really comes down to sort of practical application of security.

Well, thank you, guys. Thank you all for being here. This was this was enlightening. I think I may be removing at least one of my apps right after this and contacting my bank to find out what they're going to do about it. But thank you very much for your time and for the research.

And thank you.


Thank you.



More from the Blog

View more
Jan 18, 2022

Be aware or beware: Easily insert security into your mobile apps

Application Security
COVID-19 has quickly pushed companies over the technological tipping p ...
Read More
Dec 23, 2021

Using machine learning to detect malicious packages

Application Security
Staying up to date with new technology in today’s advanced digital age ...
Read More
Dec 17, 2021

Log4j: Not the Vulnerability We Want, and Not the Vulnerability We Need

Application Security
Log4j is the reminder we didn’t need: the reminder that vulnerabilitie ...
Read More
Apr 29, 2021

Why better security means better products

Application Security
Over the past 15 years, businesses have learned a lot about the value ...
Read More
Contact Us