THE MOBILE ATTACK SURFACE
SECURITY CHALLENGES FOR BANKS

Copyright © 2017 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. 172091
According to analysis and estimates by NowSecure, Inc. (NowSecure):1

The proliferation of mobile devices, applications (apps) and operating systems continues to drive innovation and expand the mobile ecosystem. However, this continued expansion may also create unique security risks around the storage and transmission of sensitive information via mobile devices.
There are three areas in the mobile technology chain where parties may exploit vulnerabilities to launch malicious attacks: the device, the network and the data center.2

ATTACK SURFACE: THE DEVICE

BROWSER
• Phishing
• Framing
• Clickjacking
• Man-in-the-Middle
• Buffer Overflow
• Data Caching

PHONE/SMS
• Baseband Attacks
• SMishing

MALWARE

SYSTEM
• No Passcode/Weak Passcode
• iOS® Jailbreak
• Android™ Rooting
• OS Data Caching
• Passwords and Data Accessible
• Carrier-Loaded Software
• No Encryption/Weak Encryption
• User-Initiated Code

APPS
• Sensitive Data Storage
• No Encryption/Weak Encryption
• Improper SSL Validation
• Config Manipulation
• Dynamic Runtime Injection
• Unintended Permissions
• Escalated Privileges

ATTACK SURFACE: THE NETWORK
• Wi-Fi (No Encryption/Weak Encryption)
• Rogue Access Point
• Packet Sniffing
• Man-in-the-Middle (MITM)
• Session Hacking
• DNS (Domain Name System) Poisoning
• SSL (Secure Sockets Layer) Strip
• Fake SSL Certificate

ATTACK SURFACE: THE DATA CENTER

WEB SERVER
• Platform Vulnerabilities
• Server Misconfiguration
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (XSRF)
• Weak Input Validation
• Brute Force Attacks

DATABASE
• SQL Injection
• Privilege Escalation
• Data Dumping
• OS Command Execution
FOR MORE INFORMATION, VISIT:
Accenture Finance and Risk: www.accenture.com/financeandrisk
Accenture Security: www.accenture.com/us-en/security-index

REFERENCES
1. “Secure Mobile Development Best Practices,” NowSecure. Access at: https://www.nowsecure.com/ebooks/secure-mobile-development-best-practices/.
2. Ibid.
3. Mobile Banking Applications: Security Challenges for Banks, Accenture and NowSecure, April 2017.

Copyright © NowSecure, Inc. All rights reserved. The NowSecure name and logo are trademarks of NowSecure, Inc. and are used with permission. Rights to trademarks referenced herein, other than Accenture trademarks, belong to their respective owners. We disclaim proprietary interest in the marks and names of others.
As mobile devices continue to replace legacy hardware across organizations and industries, it is critical that security remains top-of-mind and is embedded within the app development lifecycle. With this in mind, Accenture and NowSecure collaborated to analyze the mobile threat landscape, specifically for customer-facing mobile banking apps.

35 PERCENT of communications sent by mobile devices are unencrypted and the average device connects to over 160 unique IP addresses daily.

ONE IN FOUR mobile apps include at least one high-risk security flaw.

43 PERCENT of mobile device users do not use a passcode, PIN or pattern lock on their devices.
TOP SECURITY RISKS FOR MOBILE BANKING APPS

To assess the security of mobile banking apps against fraud and penetration attempts, static and dynamic analysis was performed using the NowSecure Lab Automated tool. The vulnerability assessment included customer-facing mobile banking apps from 15 unique North American financial institutions on both iOS® and Android™ operating systems (30 total apps).

All apps included in scope were publicly available and downloaded directly from the respective online app stores. A total of 780 tests were performed across the apps in scope. Overall, every app tested had at least one security issue.3 The top risks identified appear below.

TOP RISKS IDENTIFIED AND CVSS
Findings cover applications running on the Android™ operating system and applications running on the iOS® operating system. CVSS: Common Vulnerability Scoring System. Impact vulnerability scale: Low / Medium / High.

• WORLD-WRITABLE FILES: CVSS 7.7 – 33%
• WRITABLE EXECUTABLES: CVSS 7.7 – 7%
• BROKEN SSL (SECURE SOCKETS LAYER) & SENSITIVE DATA IN TRANSIT (WITH ENCRYPTION): CVSS 7.4 – 13%
• OBFUSCATION: CVSS N/A – 60%
• SECURERANDOM: CVSS 5.5 – 73%
• COOKIE “HTTPONLY” TAG: CVSS 5.3 – 40%
• COOKIE “SECURE” TAG: CVSS 5.3 – 54%
• TLS (TRANSPORT LAYER SECURITY) TRAFFIC WITH SENSITIVE DATA: CVSS 1.6 – 80%
• APP TRANSPORT SECURITY: CVSS N/A – 60%
• DYNAMIC CODE LOADING: CVSS 4.3 – 33%

BANKING MOBILE APPLICATIONS

EMBEDDING SECURITY IN MOBILE DEVELOPMENT LIFECYCLE

The mobile development field is a complex environment that is constantly evolving, which creates a hyper-dynamic environment for developers. These complexities often increase the attack surface, with mobile devices constantly challenging the boundaries of an organization’s security perimeter. Mobile apps should, at a minimum, be developed with the same security standards as any other software asset.

Accenture has identified key principles to help organizations develop a comprehensive program for embedding security throughout the enterprise’s mobile lifecycle. Developing a strategy, grounded by six (6) key principles, allows banks to proactively address security vulnerabilities throughout the mobile development lifecycle and promote informed decisions around security risks.

Leading organizations recognize the expansion of mobile technologies within their enterprise and proactively seek ways to securely integrate them to further enable their workforce and achieve business goals by:
1. Developing a mobile security strategy to properly integrate with the overall security and business strategy.
2. Identifying the resources and systems that are affected by the introduction of mobile technologies.
3. Selecting the technologies and implementing controls to meet requirements defined by business needs as well as compliance requirements.
4. Understanding the impact across the organization and the processes needed to support it.

The six key principles:
1. DEVICE
2. NETWORK
3. DATA
4. APPLICATION
5. USER ACCESS
6. GOVERNANCE & COMPLIANCE
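Three of the findings in the top-risks list (world-writable files, writable executables, and Set-Cookie headers missing the HttpOnly/Secure tags) can be checked mechanically. The script below is an added example, not code from the infographic or from NowSecure Lab; the CVSS values are the ones the infographic prints, while the reading of "writable executable" as an executable that group or others can write, and the sample file names and cookie headers, are constructed assumptions.

```python
import os
import stat
import tempfile

# Added example: audit two groups of findings from the Accenture/NowSecure
# list. CVSS values are taken from the infographic; the file-mode
# interpretation and all sample data below are constructed assumptions.

COOKIE_ATTRIBUTES = {
    "httponly": ("COOKIE HTTPONLY TAG", 5.3),
    "secure": ("COOKIE SECURE TAG", 5.3),
}


def audit_set_cookie(header_value):
    """Parse one Set-Cookie header value and report missing protective tags.

    Returns a list of (cookie_name, finding_label, cvss) tuples, empty when
    both HttpOnly and Secure are present.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    if not parts:
        return []
    cookie_name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; attribute values (Path=/ ...) are ignored.
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return [
        (cookie_name, label, cvss)
        for attr, (label, cvss) in COOKIE_ATTRIBUTES.items()
        if attr not in present
    ]


def audit_app_storage(root):
    """Walk an app's storage directory and flag risky file permissions.

    Assumption: a "writable executable" is a regular file with any execute
    bit set that is also writable by group or others.
    Returns a sorted list of (relative_path, finding_label, cvss) tuples.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            if not stat.S_ISREG(mode):
                continue
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "WORLD-WRITABLE FILES", 7.7))
            executable = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
            if executable and mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "WRITABLE EXECUTABLES", 7.7))
    return sorted(findings)


def demo_storage_audit():
    """Build a constructed app-storage tree with deliberately bad modes and audit it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "prefs.xml": 0o666,       # world-writable data file
            "lib/helper.so": 0o775,   # group-writable executable
            "cache/token.db": 0o600,  # correctly restricted; must not be flagged
        }
        for rel, mode in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return audit_app_storage(root)


if __name__ == "__main__":
    # Constructed Set-Cookie headers: one missing both tags, one hardened.
    for hdr in ("session=abc123; Path=/",
                "session=abc123; Path=/; Secure; HttpOnly"):
        print(hdr, "->", audit_set_cookie(hdr))
    for finding in demo_storage_audit():
        print(finding)
```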

Mobile Banking Applications: Security Challenges Infographic