55% of UK Banking Apps are Leaving Customers Exposed

  • Banking
  • 23.06.2022 03:25 pm

Jscrambler, a technology company specialising in cybersecurity products for web and mobile applications, today announced a new report: ‘The State of Application Security in UK Banking’. Analysing a sample of banks and fintechs from the UK, Jscrambler’s dedicated research team have focussed on the security of the source code of each bank or fintech’s applications and analysed their exposure to third-party risk and software supply chain attacks.

Attacks such as phishing, ransomware, malware and banking trojans have been gaining momentum globally, resulting in the theft of user data and disruption of operations. In parallel, Fintechs have been enjoying very rapid growth. With competition between players in the banking industry quickly mounting, development teams had to cut time to market, which inherently increases the chance of security weaknesses being introduced into the web and mobile apps they develop. Ultimately, consumers are left at risk, and companies face regulatory, financial and reputational risks.

Specifically, for each of these apps and websites, tests were performed with two different methodologies: an analysis of the existence of JavaScript source code protection techniques and an analysis of all scripts present on the website that come from third parties, as well as the behaviour of these scripts.

The key findings include:

  • 55% of apps do not obfuscate the JavaScript code - leaving it exposed on the client side and opening the door to attacks.

  • 40% of those that do use obfuscation are using very weak protection, with little resilience - attackers can easily reverse this by means of a de-obfuscator.

  • 18% use anti-debugging protection at runtime - the vast majority of UK banking websites are not impeding threat actors from experimenting with the source code at runtime.

  • 23 external domains (on average) receive data from banking apps - often, security teams are not aware that their applications are sending data to so many external domains. 
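The third-party script inventory that the last finding points to, as an added example that is not part of Jscrambler's report or tooling: a small Python script that parses a saved login page (the sample HTML below is constructed), resolves relative and protocol-relative script URLs, separates first-party from third-party script hosts, and emits a report-only Content-Security-Policy so that any script that loads from, or sends data to, a domain the security team has not listed produces a violation report rather than going unnoticed. The hostnames and the report path are invented placeholders.

```python
"""Inventory the scripts loaded by a web page and flag third-party hosts.

Added example (not from the Jscrambler report): the sample HTML, hostnames
and report path below are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a login page that loads two first-party bundles and two
# vendor tags (one of them twice), plus one inline script block.
PAGE_URL = "https://www.examplebank.test/login"
SAMPLE_HTML = """
<html><head>
  <script src="/static/app.js"></script>
  <script src="//static.examplebank.test/lib.js"></script>
  <script src="https://cdn.analytics-vendor.test/tag.js" async></script>
  <script>window.dataLayer = window.dataLayer || [];</script>
  <script src="https://tagmanager.example.test/gtm.js"></script>
  <script src="https://cdn.analytics-vendor.test/tag.js"></script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Record every <script src=...> URL and count inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.inline_blocks = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src)
        else:
            self.inline_blocks += 1  # inline code is reported by a 'self'-only CSP


def _is_first_party(host, page_host, suffixes):
    if host == page_host:
        return True
    return any(host == s or host.endswith("." + s) for s in suffixes)


def inventory_scripts(html, page_url, first_party_suffixes=()):
    """Return {'first_party': [...], 'third_party': [...], 'inline': n}.

    Relative and protocol-relative src values are resolved against page_url,
    so '/static/app.js' and '//cdn...' are classified by their real host.
    """
    collector = ScriptCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    first, third = set(), set()
    for src in collector.sources:
        host = urlparse(urljoin(page_url, src)).hostname
        if host is None:
            continue  # e.g. data: or javascript: URLs carry no host
        if _is_first_party(host, page_host, first_party_suffixes):
            first.add(host)
        else:
            third.add(host)
    return {"first_party": sorted(first), "third_party": sorted(third),
            "inline": collector.inline_blocks}


def report_only_policy(report, approved_third_party=(), report_path="/csp-report"):
    """Build a Content-Security-Policy-Report-Only value from the inventory.

    Only first-party hosts and explicitly approved vendors are listed in
    script-src, and connect-src is 'self' only. In report-only mode nothing is
    blocked, but every script load or data send outside that list is reported
    to report_path (report-uri is the older, still widely supported directive).
    """
    hosts = sorted(set(report["first_party"]) | set(approved_third_party))
    script_src = " ".join(["'self'"] + ["https://" + h for h in hosts])
    return f"script-src {script_src}; connect-src 'self'; report-uri {report_path}"


if __name__ == "__main__":
    inv = inventory_scripts(SAMPLE_HTML, PAGE_URL, ("examplebank.test",))
    print("first-party  :", inv["first_party"])
    print("third-party  :", inv["third_party"])
    print("inline blocks:", inv["inline"])
    print(report_only_policy(inv, approved_third_party=("tagmanager.example.test",)))
```

Run against the constructed page, the inventory lists the two bank hosts as first-party, the analytics and tag-manager hosts as third-party, and one inline block; the resulting report-only header approves only the bank hosts and the tag manager, so the analytics script, the inline block, and any fetch or beacon to a host other than the page's own would each show up in the violation reports. Static parsing only sees scripts present in the HTML; scripts injected later by other scripts are caught by the CSP reports, not by the parser.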

“When you have a system with hundreds of critical moving parts that are sourced and maintained by dozens of vendors, third-party risk cannot be ignored,” said Pedro Fortuna, Jscrambler co-founder and CTO. “Protecting JavaScript code against attacks is essential, especially when you consider the risk posed to consumers and their data, as well as the financial and reputational damage caused to banks and fintechs.”

The results presented in this report are based on an analysis conducted by Jscrambler's security team between March and May of 2022. The sample of this analysis represents 11 banks and Fintechs from the United Kingdom. The analysis refers to a series of tests carried out on the websites and mobile apps of these institutions, used by their own customers. 

To view the report, click here.
