"Financial Apps Tested from Google Play Store Leaked Sensitive API Data under Testing Conditions"

Over 90 percent of the 650 financial apps hosted on the Google Play App Store contain data that can be extracted, such as Application Programming Interface (API) keys. Approov's Mobile Threat Lab reverse-engineered the code of financial service apps and was able to extract "high-value secrets." The sensitive API data was obtained under optimum testing conditions, with researchers using various open-source forensic and penetration testing tools. The data was gathered both through static analysis of the apps and while the code was executing on mobile devices. Of the leaky apps, nearly a quarter exposed highly sensitive data, such as authentication keys used for payments and monetary account transfers. According to the researchers, even if keys and secrets cannot be easily reverse-engineered from a mobile app's source code, hackers can still obtain secrets at runtime by manipulating the app, the environment, or the communication channel(s). Approov's research centered on the "top 200" financial service apps from the Google Play App Store in the UK, US, France, and Germany, totaling 650 different apps. This article continues to discuss findings from the reverse-engineering of financial service apps' mobile app code.

SC Magazine reports "Financial Apps Tested from Google Play Store Leaked Sensitive API Data under Testing Conditions"

Submitted by Anonymous on