What Testing 150 Banking Apps Taught Us About Mobile App Security

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently." (Warren Buffett)
We live in an era where digital convenience defines consumer loyalty in almost all sectors. With respect to financial services, it means that mobile banking is no longer a competitive differentiator: it’s an expectation. Financial institutions with a legacy of trust and deep-rooted brand loyalty are racing to match customer demand with robust mobile platforms. The digital experience benefits are clear: increased reach, reduced operational costs, and hyper-personalized experiences.
But what’s the security cost of this transformation?
To answer that, we analyzed 150 of the most downloaded Android mobile banking apps from five global regions, Europe (EU), Middle East & Africa (MEA), Latin America (LATAM), Asia-Pacific (APAC), and North America (NA), using Guardsquare’s free mobile app security testing product, AppSweep. The goal? Understand where mobile banking app security stands today, and how financial services app publishers can do better.
How we tested the top mobile banking apps
We focused on the top-ranking Android banking apps on the Google Play Store in terms of number of downloads, scanning publicly available data only.
AppSweep automates analysis of the binary code of both iOS and Android apps, providing deep security insights. Identified vulnerabilities are presented by severity level and categorized according to the OWASP Mobile Application Security Verification Standard (MASVS) categories. To streamline our workflow, we used AppSweep’s Command Line Interface (CLI) to feed data into our analysis pipeline, enabling systematic scans across all apps and aggregating findings for macro-level security insights.
In this blog, we focus on vulnerabilities classified by AppSweep as high risk. High-severity issues should be reviewed and addressed before an app’s release as they can seriously compromise user data (e.g., data extraction) or app integrity (e.g., unauthorized use of app components).
We also address common, recurring vulnerabilities that are easy to fix but often overlooked.
Here is what we found:
Key findings regarding vulnerabilities in mobile banking apps
High severity vulnerabilities are alarmingly common
As a mobile banking user, you expect a frictionless and secure experience while interacting with the app. From an attacker’s perspective, discovering even a single high-risk vulnerability is a major win, potentially leading to data theft, fraud, or unauthorized access. Concerningly, our research found that top mobile banking apps each contain, on average, more than seven high-risk vulnerabilities.
No region is immune:
- MEA and LATAM apps lead with over seven high-severity issues per app.
- EU and APAC follow closely, averaging six each.
- North American apps perform slightly better, but still average four high-risk flaws per app.
These aren’t just theoretical risks: each vulnerability represents a real-world opportunity for attackers to reverse engineer apps, tamper with data, or intercept sensitive communications.
Resilience is the weakest link
The OWASP Mobile Application Security Verification Standard (MASVS) is the industry benchmark for mobile app security. It provides a framework for developers to build secure mobile apps and for security teams to conduct thorough mobile app security testing.
Our analysis reveals a troubling trend: the majority of vulnerabilities fall under the MASVS-RESILIENCE category, indicating insufficient protection against reverse engineering and runtime manipulation, an especially critical concern for financial services apps.
When analyzing regional security issues, we identified distinct patterns:
- EU and North America – MASVS-NETWORK:
This category covers secure network communication. Mobile apps failing here often transmit data using insecure protocols or handle certificates improperly, exposing them to man-in-the-middle (MitM) attacks.
- LATAM – MASVS-CRYPTO:
This category focuses on the correct use of cryptography to protect sensitive data. Apps in this region often use outdated algorithms or mishandle cryptographic keys, making them vulnerable to data leaks.
- MEA – MASVS-PLATFORM:
This category assesses how apps interact with the underlying operating system. Failures include overly broad permissions, insecure storage practices, or reliance on deprecated system APIs.
Despite regional differences, poor resilience remains the most critical mobile app security issue globally. Weaknesses in this category make mobile apps soft targets for attackers, who can use widely available tools to reverse engineer the app, tamper with its functionality, intercept backend communications, or even assess whether the app is susceptible to mobile malware attacks aimed at stealing personal data or redirecting financial transactions to fraudulent accounts.
Some common vulnerabilities are easy to fix
Surprisingly, some medium-severity security flaws we found in mobile banking apps are easy to fix, yet they persist across the industry. Our analysis frequently uncovered the following issues:
- Kotlin assertion errors exposing sensitive app behavior
Assertion calls can leak parameter names and internal logic, making it easier for reverse engineers to understand the app’s behavior, even through obfuscation.
- Debug logs left in production builds
Logging calls in release builds can expose valuable information, helping attackers reverse-engineer app functionality or locate sensitive components. Logs also unnecessarily bloat the app size.
- Hardcoded HTTP/HTTPS URLs
Embedded URLs can reveal backend endpoints and system architecture, giving attackers clues that could aid in crafting unauthorized scripts or third-party apps.
- Insecure TLS settings (e.g., disabled hostname verification)
Misconfigured TLS can leave apps vulnerable to man-in-the-middle (MitM) attacks. If session tokens or API keys are intercepted, attackers may fully impersonate users without detection.
- Exposure to tapjacking attacks
Without proper protection, malicious apps can overlay transparent or opaque windows on top of your app to hijack user input. This can lead to the theft of PINs or trigger unauthorized actions, which can be especially dangerous on security-sensitive screens like login or settings.
Quick wins for developers
The good news? Many of these vulnerabilities can be easily mitigated with simple best practices:
- Remove all Kotlin assertion calls from production builds
- Strip debug logs and logging artifacts before release
- Obfuscate or encrypt sensitive hardcoded elements, such as URLs
- Enforce secure TLS configurations, including hostname verification
- Implement tapjacking protection on sensitive screens (e.g., FLAG_SECURE, overlay detection)
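As an added example (not code from the original post, nor from Guardsquare’s AppSweep), the following Kotlin shows two of the common findings listed above next to their quick-win fixes: the disabled hostname verification that the insecure-TLS item refers to, beside a hardened OkHttp configuration, and FLAG_SECURE plus touch filtering for the tapjacking item. The package name, the resource ids, and the use of the OkHttp library are assumptions for illustration and do not come from the post.

```kotlin
package com.example.bankapp.security // assumed package name, not from the post

import android.app.Activity
import android.content.Context
import android.os.Build
import android.os.Bundle
import android.util.AttributeSet
import android.view.MotionEvent
import android.view.WindowManager
import android.widget.Button
import javax.net.ssl.HostnameVerifier
import javax.net.ssl.HttpsURLConnection
import javax.net.ssl.SSLSession
import okhttp3.ConnectionSpec
import okhttp3.OkHttpClient
import okhttp3.TlsVersion

/*
 * The weak pattern behind the "disabled hostname verification" finding.
 * An accept-all verifier means any certificate that chains to a trusted root is
 * accepted for ANY host, so the TLS session can be terminated by a third party
 * holding a valid certificate for some unrelated domain. Shown only to make the
 * contrast with the hardened setup clear; it must not reach a release build.
 */
object WeakTlsSetup {
    private val acceptAnyHost = HostnameVerifier { _: String, _: SSLSession -> true }

    // Process-wide: every HttpsURLConnection in the app inherits the weak verifier.
    fun applyGloballyDoNotShip() = HttpsURLConnection.setDefaultHostnameVerifier(acceptAnyHost)

    // Per-client variant of the same mistake.
    fun okHttpDoNotShip(): OkHttpClient = OkHttpClient.Builder().hostnameVerifier(acceptAnyHost).build()
}

/*
 * Corrected setup: leave the default hostname verifier in place (it matches the
 * certificate's subject alternative names against the requested host) and restrict
 * the protocol versions and cipher suites the client will negotiate.
 */
object HardenedTlsSetup {
    fun okHttp(): OkHttpClient {
        val spec = ConnectionSpec.Builder(ConnectionSpec.RESTRICTED_TLS)
            .tlsVersions(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
            .build()
        return OkHttpClient.Builder()
            .connectionSpecs(listOf(spec))
            // No hostnameVerifier(...) override: OkHttp's default verifier stays active.
            // No sslSocketFactory(...) with a custom TrustManager: the system trust store is used.
            .build()
    }
}

/*
 * Tapjacking protection for a security-sensitive control (e.g. the login/PIN submit button).
 * filterTouchesWhenObscured makes the framework drop touches that arrive while another
 * window fully covers this view; the override below also rejects touches when the view is
 * only partially covered, which the framework reports separately on API 29 and later.
 */
class OverlayAwareButton(context: Context, attrs: AttributeSet?) : Button(context, attrs) {
    init {
        filterTouchesWhenObscured = true
    }

    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
        val partiallyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
            (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        if (partiallyObscured) return false // ignore the touch; an overlay is present
        return super.onFilterTouchEventForSecurity(event)
    }
}

/*
 * Sensitive screen: FLAG_SECURE excludes the window from screenshots, screen recording
 * and the recents thumbnail. R.layout.activity_login is an assumed resource id; the layout
 * is assumed to use OverlayAwareButton for its submit control.
 */
class LoginActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        setContentView(R.layout.activity_login)
    }
}
```

The first two quick wins are build-time rather than app-code changes: an R8/ProGuard -assumenosideeffects rule covering the check methods of kotlin.jvm.internal.Intrinsics and the android.util.Log methods removes the assertion and logging calls from release builds, and is not part of the example above. Note that the hardened client also deliberately avoids installing a custom TrustManager, which is the other common way hostname and chain validation get silently disabled.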
A future-proof mobile app protection strategy
While quick fixes can improve security in the short-term, securing a mobile banking app requires more than just patching individual vulnerabilities. To provide strong, lasting mobile app protection, organizations must adopt a multi-layered security strategy that defends against both known risks and emerging threats.
A robust approach should include:
- Code hardening and obfuscation to make reverse engineering significantly more difficult for threat actors.
- Runtime Application Self-Protection (RASP) to detect and block tampering attempts while the app is running.
- A secure software development lifecycle (SDLC) that integrates security at every stage. Key to this is adopting mobile app security testing (MAST) tools.
- Automated MAST tools, prioritized to maintain development speed without compromising security, ensuring each release is both fast and secure.
- Real-time threat monitoring to continuously observe the app in the field. As the threat landscape constantly evolves, field insights are essential for helping developers strengthen the app's security posture over time.
Final thoughts
Just as Warren Buffett warned, reputation is fragile, and in mobile banking, even a single high-risk vulnerability could mean the difference between customer trust and a PR crisis. Bad press, regulatory fines, and customer churn are very real consequences of neglected mobile app security.
Want to learn more? Connect with a Guardsquare expert.