Mobile payment apps have revolutionized financial transactions, making them more seamless and convenient. Experts predict a significant growth in digital wallets, with over 4.8 billion users by 2025 and transaction values exceeding $16 trillion by 2028. However, as the use of these apps grows, so do concerns about security.
Cyber threats are on the rise, and safeguarding user data and transactions is becoming a top priority for service providers. In this blog, we look at an analysis conducted by Promon, a Norwegian app security firm, which assessed the security of 73 of the world's most-used payment apps and their ability to thwart the kind of screen reader (accessibility service) abuse commonly seen in mobile banking malware.
Payment App Security Evaluation
To determine the security of top payment apps, Promon employed a screen reader similar to those used against major financial services apps. Their objective was to assess whether these apps could withstand simulated attacks aimed at retrieving sensitive information. The analysis revealed some concerning findings:
- 77% of the payment apps tested lacked sufficient protection against screen readers. This deficiency raises significant security concerns.
- In 8.2% of the apps, the screen reader successfully logged the username during the simulated data exfiltration attack. The password remained secure in these cases, but the result still points to a partial weakness.
- Only 4.1% of the apps demonstrated robust defense mechanisms against the screen reader's attempts to access and log user data, effectively thwarting both username and password retrieval.
- Surprisingly, 10.9% of the apps lacked a conventional login page, making them impervious to data exfiltration attempts via screen readers. While this can be seen as a security advantage, it also raises concerns about user convenience and functionality.
Security Implications
Benjamin Adolphi, Head of Security Research at Promon, expressed serious concerns about the findings. He highlighted the risk of sensitive information theft, including passwords and credit card numbers, as well as the interception of 2FA codes and potential device control by malicious actors.
Adolphi noted that many app developers seem to prioritize security as an afterthought, putting users' sensitive information at risk.
Enhancing Security
Developers can take several steps to enhance the security of their mobile payment apps:
Implementing App Shielding technology can significantly improve security against malicious screen readers.
Developers can detect active screen readers within their apps, but this approach has limitations. A warning message can be dismissed by malware that itself holds accessibility permissions, silently ignoring a detected screen reader leaves users exposed, and shutting the app down blocks legitimate assistive technology and can create legal exposure.
Combining new OS features, like those promised by Android 14, with robust app-level defenses is crucial for comprehensive user protection. Android 14 aims to prevent accessibility service abuse by allowing developers to restrict interactions with specific Views to services that declare themselves as accessibility tools, such as TalkBack.
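The two defenses above, as an added example that is not part of Promon's analysis or any vendor code: marking credential fields as accessibility-data-sensitive (Android 14, API 34) so that only declared accessibility tools receive their content, and listing enabled accessibility services that do not declare themselves as tools so the app can warn the user rather than shut down. The `showWarning` callback is an assumed hook into the app's own UI.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.os.Build
import android.view.View
import android.view.accessibility.AccessibilityManager
import android.widget.EditText

// Restricts credential fields to declared accessibility tools on Android 14+.
// Older releases have no such flag, so the call is a no-op there and the
// detection below is the only app-level signal available.
fun protectCredentialFields(vararg fields: EditText) {
    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
        fields.forEach { it.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES) }
    }
    // Assumption: the same views also carry android:accessibilityDataSensitive="yes"
    // in the layout XML, so the restriction applies before the first frame is drawn.
}

// Returns the ids of enabled accessibility services that do not declare
// themselves as accessibility tools. Before API 34 isAccessibilityTool() is
// unavailable, so every enabled service is reported and the caller must decide.
fun undeclaredAccessibilityServices(context: Context): List<String> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    if (!am.isEnabled) return emptyList()
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .filter { info ->
            Build.VERSION.SDK_INT < Build.VERSION_CODES.UPSIDE_DOWN_CAKE || !info.isAccessibilityTool
        }
        .map { it.id } // e.g. "com.example/.ExampleService" (format of AccessibilityServiceInfo.getId)
}

// Policy following the caveat in the text: inform the user and let them decide,
// rather than closing the app and blocking legitimate assistive technology.
// showWarning is an assumed hook into the app's own dialog or banner code.
fun warnIfScreenReaderPresent(context: Context, showWarning: (List<String>) -> Unit) {
    val undeclared = undeclaredAccessibilityServices(context)
    if (undeclared.isNotEmpty()) showWarning(undeclared)
}
```

Call `protectCredentialFields` once the login layout is inflated and `warnIfScreenReaderPresent` in `onResume`, since accessibility services can be enabled while the app is backgrounded.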
Key Takeaways
- Mobile payment apps play a crucial role in financial transactions, with projections indicating 4.8 billion digital wallet users by 2025 and transaction values exceeding $16 trillion by 2028.
- Escalating cyber threats have made security a pressing concern. Promon's examination of 73 leading payment apps disclosed that 77% of them were inadequately shielded against screen readers.
- Developers can bolster security by implementing measures like App Shielding and screen reader detection. Striking a balance between these security enhancements and accessibility is pivotal in safeguarding sensitive user data amid the ever-evolving threat landscape.