Bluebox Study Finds Security Flaws In 5 Popular Payment Apps

Lack of Security Combined With Increased Mobile Use This Holiday Season Sets Stage for Mobile Breach.

November 25, 2015



SAN FRANCISCO, CA--(Marketwired - Nov 24, 2015) - Bluebox Security®, the mobile app security and analytics company first to pioneer self-defending apps for consumers, BYOD employees and the extended enterprise, today released findings from its 2015 Payment App Security Study. Bluebox confirmed that insufficient security controls are surfacing across consumer mobile payment apps, including five of the most popular solutions for both Android and iOS devices. These findings, coupled with the fact that for the first time online purchases made on mobile devices will overtake desktop purchases[1] this holiday season, mean mobile payment solutions are now a prime source of risk. As mobile payment apps grow in popularity this holiday season, pervasive security flaws have created easy avenues for attackers to compromise these mobile applications, putting consumers' hard-earned dollars and enterprises' bottom line in peril.

As a follow-up to its recent Travel Apps study,[2] Bluebox examined mobile payment apps with expectations that security would be robust for mobile apps directly handling financial transactions. However, in every app reviewed, security was remarkably basic. It's not surprising -- 98 percent of developers polled by Bluebox have reported most mobile apps are moderately to highly vulnerable. Yet consumers are naively placing their trust and their dollars in these apps, as 69 percent of those polled by Bluebox were confident that the apps they use are safe from attack.[3]

Top Payment App Security Risks
Bluebox reviewed the top two peer-to-peer (P2P) payment apps that will be used to send monetary gifts to family and friends this holiday season and the top three one-click merchant apps from leading retailers. The analysis uncovered that these apps lack enterprise-grade protections needed to safeguard financial transactions and harbor vulnerabilities that require immediate attention to protect against hackers, including:

· Where does the money actually end up? -- Every app examined was vulnerable to tampering that would allow rerouting of funds from a consumer's account to a hacker's account, without the consumer's knowledge. Anti-tampering controls are needed to secure the app and prevent the manipulation of payments, ensuring that consumer dollars end up in the hands for which they were intended.

· Third-party code could unintentionally lead to breach -- On average, 75 percent of the code in the apps was from third-party code libraries, which are used by enterprises to speed up mobile app development. When not properly secured and vetted, these code libraries could easily contain the next widespread exploit like Heartbleed or Stagefright -- exposing payment apps to possible breaches.

· Consumer info is ready for the taking -- None of the five apps encrypted data written to disk, meaning authentication info, transaction history and other personal information is fully visible to attackers once they've gained access to a device or app. Enterprises providing consumer-facing applications need to secure this information or risk damaging brand reputation when consumers find out their information is free for the taking.

Additionally, all of the apps investigated can be hacked in any one of these three increasingly popular attack vectors:

· Attack on unmodified app -- The first method of attack does not require altering the app's code. An app could be installed from a legitimate public app store, but if the device is compromised, an attack can still be carried out against the app.

· Attack by manipulating code -- A second method is directly replacing the legitimate app with a modified app, as was done in the Masque attack.

· Attack by intercepting traffic -- The third method is intercepting the app's interactions with cloud services over Wi-Fi or cellular networks.

"Our starting hypothesis was that mobile apps handling financial information would have more rigorous security compared to other mobile apps, but our research uncovered the opposite. As enterprises rush to get apps to market, we are discovering the same security errors from industry to industry," said Andrew Blaich, lead security analyst at Bluebox Security. "Enterprises need to ensure their apps can defend themselves and make security a seamless step in the development process."

Bluebox Security ensures enterprise-grade protection for any app, regardless of developer or operating environment. Once an app is secured, it becomes a self-defending app that protects app data, and defends against and responds to emerging mobile attacks -- providing visibility into threat incidents and app usage to the enterprise. These safeguards are entirely invisible to the end user, preserving the native user experience while offering unparalleled protection. Bluebox's mobile analytic capabilities offer real-time insights into threats and allow for instant adaptation of policies to reduce risk.

What It Means for the Enterprise
In response to growing user demand for mobile purchasing, enterprises are expanding existing revenue streams to mobile by offering easy-to-use payment options. But poor security practices associated with these options can actually lead to lost revenue and long-term brand damage due to loss of consumer loyalty. To mitigate this risk, enterprises need to ensure that any payment services opened up to consumers are protected with enterprise-grade security measures, specifically ones that focus on the app layer and the data itself.

What It Means for Consumers
For consumers, the research study findings demonstrate the need to reevaluate whether the convenience offered by mobile payment apps is worth the risk. Consumers should demand that enterprises take greater precautions in protecting their personal and financial data on their mobile apps -- and enterprises should listen if they want to retain their consumer base. The same recent Bluebox survey found that customer attrition could be a huge problem in the face of a breach. In fact, 80 percent of consumer respondents would cease being a customer if a company's mobile app were breached.[4]

Bluebox examined the same five mobile payment apps on both Android and iOS, for a total of 10 apps, using a combination of static and dynamic analysis. Two were the top P2P payment apps and the other three were top one-click merchant apps. Additionally, the research team compiled data from a larger selection of payment apps, revealing that the shortcomings found in the five apps we reviewed are indicative of vulnerabilities that affect the larger pool of apps in the space. For further information, read the Bluebox blog on the results or view the white paper here.

Additional Resources

· Follow Bluebox on Twitter @BlueboxSec

· Subscribe to the Bluebox blog

· Learn more at

About Bluebox Security
Founded in 2012 by a team of security experts, Bluebox Security provides the leading mobile app security and analytics solution. Pairing deep mobile security expertise with comprehensive analytics, Bluebox ensures consistent enterprise-grade app security moves at the speed of mobile. The cloud-based solution helps enterprises securely enable mobile by protecting apps, detecting threats, and responding quickly to keep data secure while providing actionable threat intelligence for mobile assets. With Bluebox Security, companies obtain security and visibility into the new enterprise endpoint -- the mobile app.


Media Contact
Nicole Plati
Highwire PR for Bluebox
415-963-4174 ext. 39
