Banking Apps, UK 🇬🇧
Malcore, by Internet 2.0, will publish analysis on British mobile banking apps. This post represents an overview of the sector's threat exposure.
The Malcore team is releasing detailed individual blog posts, on each of the popular mobile applications. In addition, we’re publishing overviews according to sector and country of origin/use.
This analysis project shows us the relative Malcore risk score for each target mobile application. It is a comparative process where the controls are: the Malcore algorithm; APK (Android Package) usage, as opposed to IOS file types (for example); and, across all target applications, a standardized time of analysis. We hope this project provides users with insight on the relative risk associated with the software they use.
We will republish the graph below as our analysis results come in over time.
NOTE: there is limited publicly available data on active users and downloads per mobile application. For the purposes of the above graph, we estimated placement by using the downloads on google play store. We would be happy to adjust this data if/when applications' owners send us official numbers.
We must note this analysis process is not a conclusive code review. It is a static analysis with automated code review using Malcore. A detailed manual source code review and to manually view app activity during dynamic analysis is considered a conclusive method to assess risk. A manual code review tends to find a lot more information but costs significant time.
Any Malcore research posted via this blog is, for the time being, self-funded which means we are limited by time.
The scores are listed here from lowest to highest.
Wise = 28.5 (10 SDKs, no suspicious severity warnings and 8 dangerous permissions)
Monzo = 32.75 (8 SDKs and 12 dangerous permissions)
Llodys Bank = 33.05 (6 SDKs, 7 high severity warnings and 11 dangerous permissions)
Halifax = 34.9 (6 SDKs, 7 high severity warnings and 11 dangerous permissions)
Revolut = 45.35 (has only 3 SDKs, but a high number of permissions and warnings)
HSBC = 54.55 (5 SDKs, 8 high severity warnings and 9 dangerous permissions)
To view how these scores are created visit our transparency post where we published a description of our phone application threat scoring algorithm.
Try Malcore for Free!
First 5 scans are free on registration