Breaking News
Approov Mobile Threat Lab Finds 92% of Popular Fintech Apps Immediately Expose Valuable, Exploitable Secrets
Approov, the end-to-end mobile security provider, today issued findings showing that 92% of the most popular banking and financial services apps contain easy-to-extract secrets such as API keys, which could be used in scripts and bots to attack APIs and steal data, devastating consumers and the institutions they trust.
The Approov Mobile Threat Lab downloaded, decoded and scanned the top 200 financial services apps in the U.S., U.K., France and Germany from the Google Play Store, investigating a total of 650 unique apps. Ninety two percent of the apps leaked valuable, exploitable secrets and twenty three percent of the apps leaked extremely sensitive secrets.
As well as immediately exposing secrets, scans also indicated two critical runtime attack surfaces that could be used to steal API keys at runtime. Only 5% of the apps had good defenses against runtime attacks manipulating the device environment and only 4% were well protected against Man-in-the-Middle (MitM) attacks at run-time.
“Have we all unknowingly become beta-testers for financial services apps? Is this putting our personal finances at risk? Continuing news about breaches seems to indicate this is the case and it is unacceptable!” said Approov CEO Ted Miracco.
“This research shows hardcoding sensitive data in mobile apps is widespread and a massive problem since secrets can easily be extracted. A simple automated scan can show any threat actor how well protected apps are at runtime. Unfortunately, financial apps fall short,” Miracco added.
Other findings:
- None of the 650 apps “ticked all the boxes” in terms of the three attack surfaces investigated. All failed in at least one category.
- Only four apps had runtime protection against channel MitM attacks and “man-in-the-device.” All were payment and transfer apps and none were in the U.S.
- In general, apps deployed in Europe were better protected than apps available only in the U.S., for immediate secret exposure and runtime protections. This may be due to stricter privacy rules in Europe and more focus on security.
- Crypto apps were more likely to leak sensitive secrets as 36% immediately offered highly sensitive secrets when scanned.
- Only 18% of personal finance apps leaked sensitive information, possibly because they are less dependent on sensitive APIs.
- For Man-in-the-Device attacks, traditional banks are twice as likely to be well protected over other sectors reflecting the use of packers and protectors to protect against run-time manipulation.
The Approov Mobile Threat Lab report is available here
The report explains the approach and provides detailed findings. Using this report, financial services teams can replicate tests performed and check the security of their apps without delay.
People In This Post
Companies In This Post
- Worldline and ABN AMRO Extend Partnership to Support Payment Services in the Dutch Market Read more
- RateGain and Juspay Partner to Power ‘RG Pay,’ a High-Performance Financial Technology Platform for the Global Travel and Hospitality Industry Read more
- Travel Providers to Accept UnionPay Cards for Both Direct e-Commerce Bookings and Indirect Sales via Amadeus Travel Platform Read more
- Creditinfo Brings Global Fraud and Identity Solution to Uganda to Strengthen AML and Financial Crime Defences Read more
- BVI Financial Services Conference Examines Global Financial Crime Risks and Reaffirms BVI’s Commitment to Integrity Read more
Creditinfo Brings Global Fraud and Identity Solution to Uganda to Strengthen AML and Financial Crime Defences
Creditinfo, a global service provider for credit information and risk management solutions, has announced the rollout of its identity, know your customer (KYC) and fraud and ID solution in Uganda. The move supports organisations in the country as they work to strengthen financial crime prevention at a time of rapid digital growth and evolving fraud risk.
BVI Financial Services Conference Examines Global Financial Crime Risks and Reaffirms BVI’s Commitment to Integrity
Government officials, regulators, law enforcement authorities and financial services professionals gathered at the BVI International Arbitration Centre on 5 March for the BVI Financial Services Conference 2026, an event examining the evolving global landscape of financial crime and the responsibilities of international financial centres in safeguarding the integrity of the global financial system.
Glia Launches Industry-First Contractual Guarantee Against AI Hallucinations and Prompt Injections
Glia, the leading platform for intelligent banking interactions, today announced it will offer its more than 700 bank and credit union clients a contractual guarantee against AI hallucinations being presented to customers or members on its Banking AI platform. Glia also now guarantees zero impact from prompt injection attacks on its platform — malicious attempts to trick customer or member care AI into providing information or performing tasks it shouldn’t.
Money20/20 Asia Report: APAC Fintech Ecosystem Shifts from Experimentation to Scale as AI and Digital Assets Drive Leadership
Money20/20, the world’s leading fintech show and the place where money does business, today unveiled its annual Future of Fintech in APAC report ahead of Money20/20 Asia happening in Bangkok on April 21-23 at the Queen Sirikit National Convention Center (QSNCC). The whitepaper is revealing that APAC’s fintech ecosystem has reached a pivotal inflection point. The region is shifting from experimentation to scaled deployment across AI, digital payments, and digital assets, marking a decisive move toward production‑grade innovation.
Red Rocks Credit Union Partners with My First Nest Egg to Help Member Families and Local Students Build Healthy Money Habits Early
As families navigate rising costs and increasingly complex financial decisions, Red Rocks Credit Union is expanding its commitment to financial wellness through a new partnership with My First Nest Egg, a family-first financial education platform designed to help parents and children build healthy money habits together from an early age.
DeepTarget Debuts RetainIQ™: Leveraging AI-Driven Insights and DXP Automation to Turn New Account Openings into High-Yield, Lifelong Growth
DeepTarget Inc., a leader in intelligent revenue automation for financial institutions, today announced the launch of RetainIQ™, a strategic retention layer designed to help financial institutions convert new account openings into deep, primary relationships while delivering a consistent, high-touch experience at scale.
Mambu Selected as Core Banking Provider by Nyla, Africa’s First Islamic Neobank
Mambu announced a strategic collaboration with Nyla, Africa’s first Islamic neobank, to power its shari’ah-compliant digital banking infrastructure
Worldline and ABN AMRO Extend Partnership to Support Payment Services in the Dutch Market
ABN AMRO and Worldline share a distinguished partnership built over decades. In recognition of this strong foundation and proven track record, Worldline will continue to enhance ABN AMRO’s customer payment solutions. This collaboration underscores the value both parties place in their long-term commitment to innovation and operational excellence.
RateGain and Juspay Partner to Power ‘RG Pay,’ a High-Performance Financial Technology Platform for the Global Travel and Hospitality Industry
RateGain Travel Technologies Limited (NSE: RATEGAIN), a global leader of AI-powered SaaS solutions for the travel and hospitality industry, and Juspay, a leading global payments technology company, today announced a strategic partnership to power RG Pay, RateGain’s embedded financial technology platform for the travel and hospitality ecosystem.
Travel Providers to Accept UnionPay Cards for Both Direct e-Commerce Bookings and Indirect Sales via Amadeus Travel Platform
According to ResearchAndMarkets’ recent forecasts, Chinese outbound travel is predicted to grow at a Compound Annual Growth Rate (CAGR) of 13.5%, increasing from $140B today to reach $386B by 2033. UnionPay International helps cardholders to easily make cross-border payments in 183 markets and its payment methods are particularly popular with travelers across Asia Pacific.
Creditinfo Brings Global Fraud and Identity Solution to Uganda to Strengthen AML and Financial Crime Defences
Creditinfo, a global service provider for credit information and risk management solutions, has announced the rollout of its identity, know your customer (KYC) and fraud and ID solution in Uganda. The move supports organisations in the country as they work to strengthen financial crime prevention at a time of rapid digital growth and evolving fraud risk.
BVI Financial Services Conference Examines Global Financial Crime Risks and Reaffirms BVI’s Commitment to Integrity
Government officials, regulators, law enforcement authorities and financial services professionals gathered at the BVI International Arbitration Centre on 5 March for the BVI Financial Services Conference 2026, an event examining the evolving global landscape of financial crime and the responsibilities of international financial centres in safeguarding the integrity of the global financial system.
Glia Launches Industry-First Contractual Guarantee Against AI Hallucinations and Prompt Injections
Glia, the leading platform for intelligent banking interactions, today announced it will offer its more than 700 bank and credit union clients a contractual guarantee against AI hallucinations being presented to customers or members on its Banking AI platform. Glia also now guarantees zero impact from prompt injection attacks on its platform — malicious attempts to trick customer or member care AI into providing information or performing tasks it shouldn’t.
Money20/20 Asia Report: APAC Fintech Ecosystem Shifts from Experimentation to Scale as AI and Digital Assets Drive Leadership
Money20/20, the world’s leading fintech show and the place where money does business, today unveiled its annual Future of Fintech in APAC report ahead of Money20/20 Asia happening in Bangkok on April 21-23 at the Queen Sirikit National Convention Center (QSNCC). The whitepaper is revealing that APAC’s fintech ecosystem has reached a pivotal inflection point. The region is shifting from experimentation to scaled deployment across AI, digital payments, and digital assets, marking a decisive move toward production‑grade innovation.