Banking Apps, Australia 🇦🇺
Malcore, by Internet 2.0, will publish recurring analysis on Australian mobile banking apps. This post represents an overview of the sector's threat exposure.
The Malcore team is releasing detailed individual blog posts on each of the popular mobile applications. In addition, we're publishing overviews according to sector and country of origin/use.
This analysis project shows us the relative Malcore risk score for each target mobile application. It is a comparative process where the controls are: the Malcore algorithm; the use of APK (Android Package) files rather than, for example, iOS file types; and a standardized time of analysis across all target applications. We hope this project provides users with insight into the relative risk associated with the software they use.
We will republish the graph below as our analysis results come in over time.
NOTE: there is limited publicly available data on active users and downloads per mobile application. For the purposes of the above graph, we estimated placement using the download counts on the Google Play Store. We would be happy to adjust this data if/when application owners send us official numbers.
We must note that this analysis process is not a conclusive code review. It is a static analysis with automated code review using Malcore. A detailed manual source code review, combined with manually observing app activity during dynamic analysis, is considered the conclusive method to assess risk. A manual code review tends to find a lot more information but costs significant time.
Any Malcore research posted via this blog is, for the time being, self-funded, which means we are limited by time.
The scores are listed here from lowest to highest.
Macquarie Bank = 11.55 (One of the lowest scores among the Australian banks)
Bank of Queensland = 11.95 (A low score, which could be made lower with fewer SDKs)
ING = 12.85 (A low score, with only three trackers and a low number of access permissions)
Defence Bank Australia = 15.55 (5 SDKs with 12 access permissions)
Beyond Bank Australia = 16.15 (4 SDKs with low number of code severity warnings)
ME Bank = 19.6 (4 SDKs, 7 code severity warnings and 7 dangerous permissions)
Bendigo Bank = 20.05 (3 SDKs with a low number of code severity warnings and a low number of dangerous permissions)
Suncorp = 22.75 (6 SDKs, one being Huawei Mobile Services Core)
The Commonwealth Bank of Australia = 24.1 (5 SDKs with 12 dangerous permissions)
Westpac = 28.5 (7 SDKs with standard level permissions)
Wise = 28.5 (10 SDKs, no suspicious severity warnings and 8 dangerous permissions)
National Australia Bank = 36.8 (4 SDKs, with the score weighted up due to a high number of code severity warnings)
PayPal = 38.65 (8 SDKs, no dangerous permissions, but a high amount of code severity warnings)
ANZ = 46.8 (ANZ has 6 SDKs and a number of dangerous permissions)
Afterpay = 54.25 (13 SDKs)
ZIP = 67.3 (The highest score at present, with 14 SDKs)
To view how these scores are created, visit our transparency post, where we published a description of our phone application threat scoring algorithm.