Twenty percent of the tested apps hadn't been compiled with Position Independent Executable (PIE) and Stack Smashing Protection enabled, features that are designed to mitigate the risk of memory corruption attacks.
Sanchez didn't name any of the banks whose applications were found to be vulnerable, but he said some of them had been notified of the findings. A map shared by Sanchez suggests the tested apps have a global distribution, belonging to banks that operate in North America, South America, Europe, Africa, the Middle East, Asia and Australia.
"Home banking apps that have been adapted for mobile devices, such as smart phones and tablets, have created a significant security challenge for worldwide financial firms," Sanchez said. "As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions."
Based on his findings, Sanchez made some recommendations for developers of mobile banking apps, such as ensuring all connections are made using secure transfer protocols; enforcing SSL certificate validation; encrypting sensitive data stored by the applications by using the iOS data protection API; improving jailbreaking detection; obfuscating the assembly code and using antidebugging techniques to slow reverse-engineering attempts; removing debugging statements and information and removing all development information from the final products.
Sign up for Computerworld eNewsletters.