Many financial institutions have successfully adapted to the mobile-first world. Customers can perform common banking transactions, check accounts and even apply for loans conveniently through mobile apps. Bank of America alone has over 30 million mobile banking users, and Insider Intelligence’s Mobile Banking Competitive Edge Study found 89% of all respondents use mobile banking.

While traditional banking continues to thrive, fintech and insurtech mobile apps grow more popular by the day. So much so that Brainy Insights expects the global fintech market will reach USD 936.51 billion by 2030. Brands like CashApp, Marshmallow, Chime and other popular fintech and insurtech brands complement traditional banking options by offering similar services with greater simplicity. These financial services businesses seem to have a great deal in common, but their mobile apps contrast in security.

Financial services businesses understand the importance of maintaining customer confidence and regulatory compliance, so users might assume banking & finance mobile apps rank among the most secure. Yet a recent benchmark data analysis from NowSecure found legacy banking & finance mobile apps contain severe security issues that put customer money and data at risk, while fintech and insurtech mobile apps rate much higher.

Methodology

In late 2022, NowSecure evaluated over 5,500 Android and iOS mobile apps in 13 industry verticals, including banking & finance, fintech & insurtech, airline, automotive, energy, Gig Economy, healthcare, high tech, Internet of Things (IoT), pharma, retail, social media and travel.

NowSecure analyzes mobile apps using the NowSecure Platform automated mobile application security testing engine. The engine runs more than 600 automated tests to find security and privacy issues that impact mobile users and mobile businesses. These tests run against the Open Web Application Security Project (OWASP) Mobile Application Security Verification Standard (MASVS) as a baseline to determine the level of security in mobile apps.

After testing, a scoring algorithm calculates the risk of the mobile apps (0-100) like school grades. Mobile apps scoring 90 and above equate to an A, 80-89 a B, 70-79 a C, 60-69 a D and anything below 60 merits an F. Mobile apps that earn an A or B are low risk, those in the C and D groups require caution and those with an F present a high degree of risk.

The results

According to the results of the analysis, banking & finance mobile apps rank among the least secure across all 13 industries. 99% of 726 banking & finance mobile apps have one or more security risks that fail the OWASP MASV, and 61% leak personally identifiable information. This category experienced an 11% risk score drop from 2021 to 2022, falling to an average score of 66 (D).

Despite the fact that fintech & insurtech companies lack the same economic resources as financial institutions, their mobile apps have stronger security and privacy. 96% of 125 fintech & insurtech mobile apps have one or more security risks that fail the OWASP MASVS. However, only 50% of mobile apps leak personally identifiable information, receiving an average security score of 73% (C).

Some of the most common issues found between both categories of mobile apps include weak cryptography, insecure data storage, insecure network communications and dangerous permissions. Other common issues include data leakage over networks, personal data exposure and insecure geolocation data.

Preparing for a mobile-first future

It may seem surprising that traditional banking & finance mobile apps have higher security risks compared to fintech and insurtech mobile apps. But many traditional banking & finance businesses still rely on legacy infrastructure while undergoing digital transformation. Some financial institutions integrate their mobile apps with legacy systems, and those systems may lack the modern security features needed to protect users in the current threat landscape. Conversely, fintech & insurtech businesses launch as mobile-first businesses and develop their mobile apps typically with security built in using modern technology.

Mobile activity currently dominates online traffic by a wide margin over web activity, and threat actors now spend their time searching for vulnerabilities within mobile apps to exploit users and their data. These criminals also know that many organizations may have weak code and use outdated mobile app infrastructure, increasing their chances of landing a successful hack. Traditional banking & finance companies have a responsibility to digitally transform outdated infrastructure to protect customer assets and prevent threat actors from damaging their brand reputation.

Financial business leaders should encourage development teams to learn secure coding techniques to build a secure mobile app from the start, and promote continuous security testing throughout the entire development lifecycle. What’s more, to show that these companies are safeguarding user trust, they should get an independent security review for their Google Play Data Safety section. As mobile activity continues to rise, banking & finance and fintech & insurtech companies need to continuously monitor and improve their mobile app security to protect customers in the evolving threat landscape.