Most of today's leading mobile payment apps are not hardened enough to withstand the level of scrutiny and effort that cyber-criminals routinely invest in compromising payment systems, according to a recent report by Bluebox.
The company studied ten of the most popular mobile payment apps, spanning mobile wallets (e.g., Apple Pay, Google Wallet, Samsung Pay), one-click payment merchants (e.g., Amazon, BestBuy, Target), peer-to-peer payment apps (e.g., Venmo, Square Cash, SnapCash), and regular apps that link to a user's bank or card accounts (e.g., Dash, Uber, Lyft).
According to Bluebox, three major issues were identified. The first is improperly protected communication channels, which would allow an attacker who can intercept the app's traffic to redirect payments to a destination of their choosing. The second concerns the third-party code bundled with these apps, which on average accounts for about 75% of an app's code. If that code is simply dropped into a mobile payment app without its own security review, vulnerabilities in third-party libraries propagate straight into the payment solution.
Mobile app payments solutions are not ready for prime time
The third issue concerns data at rest: none of the apps analyzed by the Bluebox team encrypted the data they stored on disk. On a compromised device, this means all financial information held inside these apps is there for the taking, with no further protection for an attacker to defeat.
Bluebox says every app it studied was easily compromised through at least one of three attack classes: dynamic runtime attacks (tampering with the app while it runs), interception of its network traffic, and manipulation of the app's code. The results are worrying, especially with Black Friday and Cyber Monday just around the corner. With companies like Google, Apple, and Samsung pushing for mobile payment systems to take off, cyber-criminals will follow the money and turn their attention to these new payment systems.