
Mobile banking apps allegedly leaked thousands of fingerprints

By Cindy J. Daddario

Sep 2, 2022

According to a report by Symantec researchers, five unnamed mobile banking apps that use the same AI-based digital identity SDK may have leaked more than 300,000 biometric fingerprints.

Outsourcing an app’s digital identity and authentication component is a common development model according to researchers, as the complexity of providing different forms of authentication can be difficult for app developers.

But the approach failed spectacularly in this case: Amazon Web Services (AWS) cloud credentials were embedded in the SDK shipped inside the banking apps, which allegedly exposed private authentication data and keys belonging to “all banking and financial applications” using the SDK.

What is the full extent of the vulnerability?

Additionally, using the vulnerable SDK, researchers were able to find users’ biometric fingerprints that were used for cloud authentication, as well as personal data such as names and birth dates.

Moreover, if Symantec’s claims are to be believed, the researchers were also apparently able to unearth the API source code and the AI models used for the entire underlying operation.

But the problem goes deeper than five banking apps.

Researchers said more than 1,859 publicly available apps, across Android and iOS, contained AWS credentials.

While Android developers aren’t entirely blameless, research has found that over 97% of these vulnerable apps are iOS-based.

Of these applications, more than three-quarters (77%) contained valid AWS access tokens allowing access to private AWS cloud services, and 47% contained valid AWS tokens that also granted full access to many, often millions of, private files through Amazon’s Simple Storage Service (Amazon S3).

How can I prevent this?

The researchers have provided some tips on how to mitigate these types of vulnerabilities.

These included adding security scanning solutions to the application development lifecycle and, if using an outsourced vendor, requiring and reviewing “report cards” of the mobile application, which they believe can identify any undesirable behavior or vulnerability of the application for each version of a mobile application.

For app developers, the researchers suggested looking for a report card that analyzes both the SDKs and the frameworks in the app and identifies the source of any vulnerabilities or unwanted behavior.
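The scanning step the researchers recommend can be made concrete: the failure described above (AWS access key IDs and their secrets compiled into an SDK binary inside the app bundle) is detectable before release by sweeping the unpacked build output for the fixed AWS key format. The scanner below is an added example written for this article, not Symantec's tooling or any vendor's product; the sample "bundle" contents, the `AKIA…`/`ASIA…` key IDs and the 40-character secret are constructed placeholders with no real value behind them.

```python
"""Scan unpacked build output (an .ipa or .apk, or any SDK binary) for embedded AWS keys.

Added example; not the article's or Symantec's code. Sample inputs are constructed.
"""
import math
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple
import re

# AWS access key IDs are 20 chars: a 4-char prefix (AKIA = long-term IAM user key,
# ASIA = temporary STS key) followed by 16 uppercase alphanumerics. The lookarounds
# stop the pattern matching inside a longer identifier such as a bundle ID.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 chars from the base64 alphabet. '=' is allowed before the
# run (key=value files) but not after it, which skips padded base64 blobs.
SECRET_CANDIDATE_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
SECRET_WINDOW = 512        # bytes after a key ID in which a paired secret is looked for
MIN_SECRET_ENTROPY = 3.5   # bits/byte; real secrets sit well above repetitive data


@dataclass
class Finding:
    path: str
    offset: int
    key_id: str
    key_type: str        # "long-term" (AKIA) or "temporary" (ASIA)
    secret_found: bool   # a plausible secret key sits next to the ID


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a byte string; filters low-entropy 40-char runs."""
    if not data:
        return 0.0
    counts = {b: data.count(b) for b in set(data)}
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def scan_bytes(path: str, data: bytes) -> List[Finding]:
    """Report every AWS key ID in one file, noting whether a secret accompanies it."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(data):
        key_id = m.group(0).decode("ascii")
        window = data[m.end(): m.end() + SECRET_WINDOW]
        secret_found = any(shannon_entropy(c.group(0)) >= MIN_SECRET_ENTROPY
                           for c in SECRET_CANDIDATE_RE.finditer(window))
        findings.append(Finding(path, m.start(), key_id,
                                "long-term" if key_id.startswith("AKIA") else "temporary",
                                secret_found))
    return findings


def scan_files(files: Iterable[Tuple[str, bytes]]) -> List[Finding]:
    out: List[Finding] = []
    for path, data in files:
        out.extend(scan_bytes(path, data))
    return out


def scan_directory(root: str) -> List[Finding]:
    """Walk an unpacked app bundle on disk (the form a CI job would call)."""
    def walk():
        for dirpath, _, names in os.walk(root):
            for name in names:
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    yield os.path.relpath(full, root), fh.read()
    return scan_files(walk())


def severity(f: Finding) -> str:
    if f.secret_found:
        return "critical"          # ID + secret: a usable credential is in the artifact
    return "high" if f.key_type == "long-term" else "medium"


def should_block_release(findings: List[Finding]) -> bool:
    """Any embedded key ID fails the gate; the article's case would be 'critical'."""
    return len(findings) > 0


# Constructed stand-ins for files in an unpacked bundle; every value is a placeholder.
SAMPLE_BUNDLE: Dict[str, bytes] = {
    # SDK binary with a long-term key and its secret: the article's failure mode.
    "Frameworks/IdentitySDK.framework/IdentitySDK":
        b"\x00\x01aws_access_key_id=AKIAEXAMPLEEXAMPLE01\x00"
        b"aws_secret_access_key=k3Q9xTw2LpZ8vN4mRj7cYb1HdF6sGa0eUiWoXyVt\x00",
    # A temporary key with no secret nearby is still reported, at lower severity.
    "config.json": b'{"sessionKey": "ASIAEXAMPLEEXAMPLE02"}',
    # 'AKIA' inside a longer identifier must not match (boundary check).
    "Info.plist": b"<key>BundleID</key><string>ZAKIAFOOBARBAZQUX1234567X</string>",
    # A 40-char run with no key ID near it is not a finding on its own.
    "assets/font.bin": b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
}

if __name__ == "__main__":
    import sys
    found = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE_BUNDLE.items())
    for f in found:
        print(f"{severity(f):8} {f.path}@{f.offset}: {f.key_id} ({f.key_type}, secret={f.secret_found})")
    sys.exit(1 if should_block_release(found) else 0)
```

Run it with the path of an unpacked bundle as the only argument to gate a pipeline stage on its exit code; with no argument it scans the constructed sample. The entropy filter and the boundary lookarounds are what keep the false-positive rate tolerable on large binaries, and the pairing of an ID with a nearby 40-character secret is what separates "a key name is present" from "a working credential ships in the app", which is the distinction that mattered in this report.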