Mobile Banking Applications Security Challenges

This is a summary of the Mobile Banking Applications Security Challenges report.

Vulnerabilities

  1. World-Writable Files

    1. Creating world-writable files is a security risk because other apps could gain write access to those files, leading to potential security gaps.

  2. Broken SSL Check / Sensitive Data in Transit

    1. Lack of proper certificate validation could allow sensitive data to be intercepted through a man-in-the-middle attack, especially on Android.

  3. Writable Executables

    1. A writable executable file is not a vulnerability by itself, but in combination with another issue it could lead to additional app vulnerabilities and make the app susceptible to remote code execution. Android only.

  4. Obfuscation

    1. Intellectual property could be at risk because these apps can easily be reverse-engineered.

  5. SecureRandom

    1. Apps which use the Oracle® Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android™ devices due to improper initialization of the pseudo-random number generator (PRNG).

    2. Apps that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android™ are also affected.

  6. Dynamic Code Loading

    1. Typically, core components and additional dependencies are loaded natively at runtime; dynamically loaded components, by contrast, are loaded only when requested.

  7. Cookie "HttpOnly"

    1. When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie can only be accessed by the server and not by client-side scripts.

  8. Cookie "Secure" Tag

    1. When set to true, the "secure" flag tells the browser to only send the cookie if the request is sent using a secure channel.

  9. Transport Layer Security Traffic with Sensitive Data

    1. Sending sensitive data without certificate pinning creates higher risk, because an attacker with network privileges, or one who has compromised TLS, is better positioned to intercept the data.

  10. App Transport Security

    1. It is on by default when an app is linked to iOS® 9.0 SDK (Software Development Kit) or later.