Appknox Research reveals 91% of Fintech Apps Fail Basic Security Tests

The unexpected and rapid switch of the global workforce to a work-from-home (WFH) setup, caused by the coronavirus pandemic, has prompted companies around the world to make extensive infrastructure adjustments to support employees working exclusively from home.

According to a new IDC forecast, the number of mobile workers in the US will grow steadily from 78.5 million in 2020 to 93.5 million in 2024.

As the pandemic continues, cyberattacks are becoming more common, not just in number but also in complexity. According to the global consulting firm Accenture, cyberattacks could put $5.2 trillion of value at risk globally (estimate for 2019-2023).

Executive Summary: 

As the United States finally opens a new chapter in the aftermath of the pandemic, the fintech industry has grounds for cautious optimism. The crisis has pushed many companies into rapid digital transformation, adopting new technologies and abandoning traditional methods at a pace that would otherwise have taken years.

This report provides a vulnerability analysis of the Android versions of the top 50 US fintech apps. Some of the key findings are as follows.

  • 90% of the applications failed basic security checks 
  • 48% of the applications had a CVSS score of 9 or more 
  • 92% of the applications had a CVSS score of 7 or more 
  • 86% had 46 vulnerabilities 
  • 81% of the applications are leaking data 
  • Almost three-quarters of high severity threats could have been blocked by application protection 
  • 42% of the applications were affected by insufficient code obfuscation 
  • 58% of the apps were affected by information storage in shared settings

Research Methodology: 

This research covers the top 50 Android-based mobile fintech apps available in the US region. For comparability of the analysis, only Android apps were selected.

Why Did We Choose Fintech Apps?  

Fintech and banking increasingly sit at the center of our daily lives. Banks have always been known as early adopters of technology and, to some extent, innovators. As the number of data breaches increased, it became imperative for us to shed light on the threat levels of the 50 most important fintech applications in the United States.

Testing methodology: 

For this research, the applications were scanned using the following test methods.

Static Application Security Testing (SAST) - Can be thought of as testing an application from the inside out by examining the application's source code or binaries for configuration-based problems that indicate a vulnerability. Appknox's static application security tests cover 40+ test cases on the binary.

Dynamic Application Security Testing (DAST) - A DAST scan is designed to detect conditions that indicate a vulnerability in an application while it is running. One of the most common classic attack techniques exercised here is the man-in-the-middle (MITM) attack.

Application Programming Interface Testing (APIT) - API security testing can be thought of as testing the server side of an application from the inside out. Fully automated scanners analyze web servers, databases and their implementation for all server-side components that interact with the mobile application, testing for more than 20 test cases.

[Note: Reporting was done based on the CVSS score]

Common Security Vulnerabilities in Fintech Applications 

78% of applications were affected by inferred cryptographic keys 

1) Inferred cryptographic keys 

Using an incorrect or insecure cryptographic algorithm is an unnecessary risk that could expose confidential information. Broken crypto shows up in two ways: first, the mobile application can use an encryption/decryption mechanism that is fundamentally flawed and can be exploited by an adversary to decrypt sensitive data; second, the mobile application may use or implement a weak encryption/decryption technique whose output the adversary can decrypt almost instantly.

Broken cryptography has the following consequences:

  • Data breaches 
  • Information theft 
  • Code theft 
  • Theft of intellectual property 
  • Damage to reputation  

46% of applications were affected by wildcard CORS vulnerabilities in the HTTP headers 

2) CORS wildcard vulnerabilities in HTTP headers 

Cross-Origin Resource Sharing (CORS) is a mechanism that lets web browsers make cross-domain requests in a controlled manner using the XMLHttpRequest API. A wildcard or otherwise over-permissive CORS policy allows a domain controlled by a malicious party to send requests to your domain and read the responses. The business impact can range from data theft to compromise of your entire application ecosystem.
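To make the finding concrete, here is an added example (not Appknox's scanner or any fintech app's code) that checks a response's CORS headers for the over-permissive patterns behind this finding, beside an allowlist-based responder that avoids them. The origins and header values are constructed; the allowlist name and functions are my own.

```python
"""
Added example: evaluate CORS response headers for wildcard / reflected
origin grants, and build a safe grant from an allowlist. All origins and
headers here are constructed for illustration.
"""
from typing import Dict, List, Optional

# Constructed allowlist for a hypothetical fintech API (assumption, not from the report)
ALLOWED_ORIGINS = {"https://app.example-bank.test", "https://admin.example-bank.test"}


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def assess_cors(request_origin: str, headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one request Origin / response header pair."""
    findings: List[str] = []
    acao = _get(headers, "Access-Control-Allow-Origin")
    acac = _get(headers, "Access-Control-Allow-Credentials")
    with_credentials = acac is not None and acac.lower() == "true"
    if acao is None:
        return findings  # no grant at all: the browser blocks the cross-origin read
    if acao == "*":
        findings.append("wildcard Access-Control-Allow-Origin")
        if with_credentials:
            # Browsers refuse this pair, but it still signals a misconfigured server
            findings.append("wildcard combined with Allow-Credentials: true")
    elif acao == "null":
        findings.append("'null' origin allowed (sandboxed iframes and file:// pages match it)")
    elif acao == request_origin and request_origin not in ALLOWED_ORIGINS:
        findings.append("request Origin reflected without allowlist check")
        if with_credentials:
            findings.append("reflected origin with credentials: authenticated data readable cross-site")
    return findings


def cors_headers_for(request_origin: str) -> Dict[str, str]:
    """Hardened responder: grant only allowlisted origins, never '*' with credentials."""
    if request_origin not in ALLOWED_ORIGINS:
        return {}  # no CORS headers at all for unknown origins
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # caches must not serve one origin's grant to another
    }


if __name__ == "__main__":
    # Constructed weak response: reflects any Origin and allows credentials
    weak = {"Access-Control-Allow-Origin": "https://untrusted.example",
            "Access-Control-Allow-Credentials": "true"}
    print(assess_cors("https://untrusted.example", weak))
    print(assess_cors("https://untrusted.example", cors_headers_for("https://untrusted.example")))
```

The check is deliberately about the response, not the request: a DAST scanner sends a request with an unexpected Origin and judges the server by what it grants back, which is exactly the MITM-style dynamic test the methodology section describes.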

35% of the applications were affected by an incorrect network security configuration. 

3) Incorrect network security configuration 

An incorrect security configuration occurs when the responsible party does not follow best practices when configuring an asset. Implemented correctly, the network security configuration protects your application by allowing communication only over secure protocols such as HTTPS. Left unprotected, it could allow an attacker to gain access to sensitive information through insecure communications.
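On Android the asset in question is the app's network security configuration XML. The following added example (my own code, not Appknox's SAST engine) parses a constructed weak config and a constructed hardened one and reports the settings that produce this finding: cleartext traffic permitted, user-installed CAs trusted in release scopes, and no certificate pinning. The domain name and the pin values are placeholders.

```python
"""
Added example: audit an Android network_security_config.xml for the weak
settings behind the "incorrect network security configuration" finding.
Both configs below are constructed; the pins are placeholder values.
"""
import xml.etree.ElementTree as ET
from typing import List

WEAK_CONFIG = """\
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

HARDENED_CONFIG = """\
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example-bank.test</domain>
        <pin-set expiration="2025-12-31">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def audit_network_security_config(xml_text: str) -> List[str]:
    """Return human-readable findings; an empty list means no weak setting found."""
    root = ET.fromstring(xml_text)
    if root.tag != "network-security-config":
        return ["not a network security config"]
    findings: List[str] = []
    # Only base-config and domain-config apply to release builds;
    # debug-overrides is honoured solely when android:debuggable is true.
    for cfg in root.iter():
        if cfg.tag not in ("base-config", "domain-config"):
            continue
        if cfg.get("cleartextTrafficPermitted", "").lower() == "true":
            scope = "base-config" if cfg.tag == "base-config" else \
                ",".join((d.text or "").strip() for d in cfg.findall("domain"))
            findings.append(f"cleartext HTTP permitted ({scope})")
        for cert in cfg.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                # A user-installed CA lets an interception proxy terminate TLS
                findings.append(f"user-installed CAs trusted ({cfg.tag})")
    if root.find("base-config") is None:
        findings.append("no base-config: platform default applies (cleartext allowed below API 28)")
    if not root.findall(".//domain-config/pin-set"):
        findings.append("no certificate pinning configured")
    return findings


if __name__ == "__main__":
    print("weak:", audit_network_security_config(WEAK_CONFIG))
    print("hardened:", audit_network_security_config(HARDENED_CONFIG))
```

Keeping `<certificates src="user" />` under `<debug-overrides>` is the usual way to let a proxy inspect debug builds without weakening release builds, which is why the audit ignores that element.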

42% of applications were affected by inadequate code obfuscation.  

4) Inadequate code obfuscation 

Code obfuscation is one of the techniques widely used by security professionals to make code hard for attackers to read and reuse. Without it, the code can be reverse engineered, revealing information about the back-end servers and intellectual property.

58% of applications were affected by storing information in shared settings. 

5) Storing information in shared settings 

Developers assume that storing data on the client side restricts access by other users. Many of the violations were caused by insecure or unnecessary client-side data storage.

Device file systems can no longer be assumed to be sandboxed, and rooting or jailbreaking often bypasses all such security measures.
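Findings 1 (broken cryptography) and 5 (data in shared preferences) are both things a static scan can catch from source. The added example below is my own small rule-based check, not Appknox's SAST engine: it runs a handful of regex rules over constructed Java lines and flags ECB/default cipher modes, weak hashes, keys and IVs built from string literals, world-readable SharedPreferences and secrets written to plain preferences. The rule names, the sample lines and the hardened counterparts are all constructed.

```python
"""
Added example: rule-based static check for the broken-crypto and
shared-preferences patterns described in findings 1 and 5. The rules and
the sample source are constructed for illustration.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    text: str


# (rule id, pattern). Each rule mirrors a pattern the two findings describe.
RULES = [
    # Cipher.getInstance("AES") defaults to ECB on Android; explicit ECB is the same bug
    ("weak-cipher", re.compile(r'Cipher\.getInstance\(\s*"(AES|DES|DESede|RC4|Blowfish)(/ECB/[^"]*)?"')),
    ("weak-hash", re.compile(r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"')),
    # A key or IV built from a string literal ships inside the APK for anyone to extract
    ("hardcoded-key", re.compile(r'SecretKeySpec\(\s*"[^"]+"\.(getBytes|toByteArray)')),
    ("static-iv", re.compile(r'IvParameterSpec\(\s*"[^"]+"\.(getBytes|toByteArray)')),
    # World-readable/writeable preferences are readable by every app on the device
    ("world-readable-prefs", re.compile(r'getSharedPreferences\([^)]*MODE_WORLD_(READABLE|WRITEABLE)')),
    # Sensitive values written to plain (unencrypted) SharedPreferences
    ("secret-in-prefs", re.compile(r'\.putString\(\s*"[^"]*(password|passwd|pin|token|secret|session)[^"]*"', re.I)),
]


def scan_source(source: str) -> List[Finding]:
    """Apply every rule to every line; returns findings in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, rule, line.strip()))
    return findings


# Constructed Java snippet: five weak lines followed by their hardened counterparts
SAMPLE_SOURCE = """\
SecretKey key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
MessageDigest md = MessageDigest.getInstance("MD5");
SharedPreferences p = getSharedPreferences("auth", Context.MODE_WORLD_READABLE);
p.edit().putString("session_token", token).apply();
// hardened counterparts: key lives in the Android Keystore, AEAD mode, encrypted prefs
SecretKey k2 = (SecretKey) keyStore.getKey("bank_key", null);
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
MessageDigest ok2 = MessageDigest.getInstance("SHA-256");
SharedPreferences enc = EncryptedSharedPreferences.create("auth", masterKeyAlias, ctx, keyScheme, valueScheme);
"""


def rule_ids(source: str) -> List[str]:
    """Convenience view: just the rule ids that fired, in order."""
    return [f.rule for f in scan_source(source)]


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding.line_no}: {finding.rule}: {finding.text}")
```

Pattern rules like these are a triage aid, not a verdict: a cipher name inside a comment or a test fixture fires just the same, so each hit still needs a reviewer to confirm the data flow, which is the manual assessment step the best-practices section below calls for.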

Fintech Application Security Best Practices

It was surprising to see how widespread vulnerabilities are in fintech applications. Given the amount of sensitive information fintech apps have to handle, it was equally shocking to see that cybersecurity remains poor in most of them.

A comprehensive approach to security is becoming a must for these organizations to combat persistent cybersecurity problems. These are the fintech application security best practices you should know about.

1. Compliance with industry standards and regulations:

By making sure your applications comply with industry standards and regulations such as OWASP, GDPR, PCI DSS and ISO 27001, you can protect yourself and stay up to date against the latest threats.

2. Incorporation of DevSecOps:

DevSecOps is a practice that emerged from DevOps and treats information security as a fundamental aspect of every phase of the software development process.

3. Automated Security Testing for Mobile Applications:

With the evolving threat landscape, organizations must conduct regular vulnerability assessments to protect themselves against new and changing security threats.

4. Perform a regular manual assessment:

Manual application security tests allow you to test your application at a deeper level that only human intelligence can reach. Combining manual and automated assessments gives you the best security coverage for your applications.

New and Emerging Fintech Trends 

As we've seen, the mobile threat landscape presented several new and significant security issues in 2021. Looking ahead to 2022 and beyond, we urge all organizations to review the following trends in developing their security plan for the coming year: 

1. Introducing Secure Access Service Edge (SASE):

This is an emerging cybersecurity concept that Gartner introduced in 2019. It will be a tipping point, as it enables companies to manage network security efficiently while providing user-based, least-privilege access based on granular identifiers such as user role, device and location, which is part of endpoint security.

2. New Regulatory Technology (Regtech):

RegTech is a cloud computing technology that helps fintech comply with new rules and regulations. 

3. Introducing AI to detect fraud:

Fintech companies use advanced artificial intelligence and machine learning technologies to detect and prevent financial crime. Based on the research findings, AI-based fraud detection systems examine company and customer data to assess customer risks and weaknesses.

Appknox: Securing Mobile Apps Worldwide

Appknox helps organizations around the world protect mobile applications with its Vulnerability Assessment + Penetration Testing (VA + PT) approach. In 2021, Appknox was named a Preferred Application Vendor in the Gartner Hype Cycle 2021.

 As maintaining application security becomes more complex, Appknox is committed to delivering value to its customers by: 

  • Evaluating new security test cases and ensuring that Appknox is always ahead of the security curve. 
  • Appknox was one of the first vulnerability assessment platforms to cover API security testing by adding 40+ API security test cases. 
  • Less than 1 false positive and false negative. 
  • We provide real-time data. 
  • Appknox is home to some of the best security researchers, some of whom discover loopholes in Apple, Yahoo, Microsoft, Snapchat, and many more.

Published on Jan 13, 2022
Written by Swaroop Patil S
Swaroop handles Organic Marketing at Appknox. He relishes any opportunity to get his creative juices flowing. Marketing, Analytics, Web Designing, Automations are a few trades that you may find himself dabbling in. Swaroop also helps a few organizations with their Marketing efforts.
