Are Mobile Pay Apps Missing Security Controls?

Shutterstock

Consumers planning to use their mobile payment apps this holiday shopping weekend might be given pause by a recent report on the security of those apps.

Bluebox Security has released the results of its 2015 Payment App Security Study, which indicates (via eWeek) that, of the 10 payment apps examined — five on iOS, five on Android — none of them encrypts data stored on users’ devices, while all are at risk of tampering by cybercriminals.

While Bluebox — a vendor of mobile security technologies that seeks to help companies secure mobile apps — does not name the specific apps in its report, Andrew Blaich, the company’s lead security analyst, told eWeek that the selections were based on searches for the top mobile payment apps and rankings from the app stores.

“The purpose of this research is to bring to light the issues present in payment-related mobile apps so enterprise security teams can reassess the protections they have in place and remediate any flaws that may leave their users vulnerable,” Blaich told the outlet. “We have decided not to release the specific names of the mobile payment apps in order to protect users of these apps from being exploited and to avoid distracting from the larger message to developers and enterprise security teams around the need for more stringent application security.”

“The iOS apps and Android apps were both on par with the amount — or lack of — security they contained,” he continued. “Neither platform was more secure than the other.”

“As the scope of the research focused on the app-level security and the channels it creates to the back end, we didn’t look into the server-side settings specifically,” Blaich went on to state. “However, none of the payment apps we investigated used a self-signed server certificate, but we have encountered mobile apps that do use a self-signed certificate and include the certificate with their app in order to validate the server.”

Blaich offered a theory to eWeek as to the apparently insufficient security in mobile payment apps, telling the outlet that it has never been a priority in the development stages for most developers and companies.

“The focus largely in the mobile industry is to have a visually appealing app that can do what it needs to do, and if a security problem comes up, then they’ll figure a way of fixing it later,” he remarked. “However, security needs to be integrated early in the development process, with threat modeling occurring at each step of the way to determine what is and is not a risk factor to ensure that the security gets built properly.”