Positive Technologies has released its latest report, Vulnerabilities and Threats in Mobile Banking, revealing major flaws in mobile banking app security.

Experts analysed mobile banking applications and found half of mobile banks are vulnerable to fraud and theft of funds, with the server side accounting for more than half of all detected vulnerabilities.

None of the tested mobile banking applications had an acceptable level of security, with both client and server sides at risk. Client sides are especially vulnerable to unauthorised access to user data, as 43 percent of applications store important data on the phone in cleartext. The vast majority (76 percent) of mobile banking vulnerabilities can be exploited without physical access to the device. And more than a third of vulnerabilities can be exploited without administrator rights.

No flaws in iOS banking apps were worse than “medium” in severity. By comparison, 29 percent of Android apps contain high-risk vulnerabilities. The most dangerous vulnerabilities were found in Android applications and involve insecure deeplink handling. Developers on Android have more freedom of implementation, which explains the larger number of vulnerabilities in Android applications compared to iOS.

The server sides of mobile banking applications contain 54 percent of all vulnerabilities found and, on average, each mobile bank has 23 server-side vulnerabilities. Almost half (43 percent) of banking applications contain server-side vulnerabilities in business logic, which attackers can exploit to obtain sensitive user information and commit fraud. Business logic errors may cause significant losses to banks and even lead to legal complications.

User credentials proved to be the most vulnerable data.

Positive Technologies analyst Olga Zinenko commented: “Banks are not protected from reverse engineering of their mobile apps. Moreover, they give short shrift to source code protection, store sensitive data on mobile devices in cleartext, and make errors allowing hackers to bypass authentication and authorization mechanisms and brute-force user credentials. Through these vulnerabilities, hackers can obtain usernames, account balances, transfer confirmations, card limits, and the phone number associated with a victim’s card.”

“We urge that banks do a better job of emphasising application security throughout both design and development. Source code is rife with issues, making it vital to revisit development approaches by implementing SSDL practices and ensuring security at all stages of the application lifecycle.”

In 87 percent of cases, user interaction is required for a vulnerability to be exploited. Positive Technologies experts recommend that users avoid jailbreaking or rooting their devices, download applications only from official stores, avoid visiting suspicious websites or following dodgy links from SMS and chat messages, and always install the latest updates for OS and mobile applications.

Post written by: Matt Brown