You might figure the biggest U.S. banks would have some of the most secure mobile apps. Spoiler alert: not so much.
New findings from security firm Zimperium, shared exclusively with TechCrunch, say most of the top banking apps have security flaws that put user data at risk. The security firm, which has a commercial stake in the mobile security business, downloaded the banks’ iOS and Android apps and scanned for security and privacy issues, like data leaks, which put private user data and communications at risk.
The researchers found most of the apps had issues, like failing to adhere to best coding practices and using old open-source libraries that are infrequently updated.
Some of the apps were using open-source code from GitHub from more than three years ago, said Scott King, Zimperium’s director of embedded security.
Worse, more than half of the banking apps are sharing customer data with at least one advertiser, the researchers said.
The researchers, who didn’t name the banks, said one of the worst offending iOS apps scored 86 out of 100 on the risk scale for several privacy lapses, including communicating over an unencrypted HTTP connection. The same app was vulnerable to two known remote bugs dating back to 2015. The researchers said the risk scores for the banks’ corresponding Android apps were far higher. Two of the apps were rated with a risk score of 82 out of 100. Both of the apps were storing data in an insecu