The Silent Alarm on Mobile Banking Apps Just Went Off
By Dario Dallefrate
Consumers’ enthusiastic embrace of mobile banking is ratcheting up pressure on financial institutions to update apps and add features at a breakneck pace. To keep up, many institutions and their dev teams are relying on pre-built software components and AI-driven coding. These practices carry real risk: they broaden the mobile application attack surface for malicious actors to explore and exploit, sacrificing security for speed.
In the lead up to this year’s RSA Conference in San Francisco, banking giant JPMorgan Chase issued a warning. Chief Information Security Officer Patrick Opet penned an open letter to the software industry warning about the risks of prioritizing delivery of new software-as-a-service features and capturing market share over security. It was a warning not just for the banking industry but for the global economic system at large.
Critically, the explosive growth of new value-bearing services in data management, automation, artificial intelligence, and AI agents amplifies and rapidly distributes these risks, bringing them directly to the forefront of every organization.
Mobile application developers who build banking apps, SoftPOS, and digital wallets should pay close attention. They need to stop separating time-to-market and application performance from security.
The reason is simple: Users trust developer organizations to do the right thing by them. A recent UK study found that perceived security and institutional trust are the dominant forces behind users adopting mobile banking applications, far outweighing traditional predictors like performance or peer influence.
New research also shows that the banking industry is crossing the tipping point in mobile app user acceptance: 75% of people prefer mobile banking applications over online account access, with experts projecting a 79% adoption rate across the US by 2029. Ninety-one percent of consumers also stated that a mobile app is one of their top criteria when choosing a bank.
The Law of Greater Demand and Supply Chain Risk
Rising user adoption is putting pressure on mobile app developers to release new products and develop innovative features that offer banks a competitive advantage. But prioritizing speed within the continuous integration/continuous delivery (CI/CD) pipelines for mobile apps introduces very real hazards, especially for financial institutions and their customers.
Today’s mobile app dev teams also increasingly depend on pre-built components (e.g., tools, libraries, interface frameworks) to keep up with demand. While these and other third-party integrations accelerate delivery timelines and reduce costs, they multiply the number of dependencies within an application. This expanded third-party supply chain broadens the mobile application attack surface for malicious actors to explore and potentially exploit.
The most famous example of a third-party software supply chain attack to date has been SolarWinds, where nation-state attackers inserted malicious code into an automated update and thereby gained access to the networks, systems, and data of thousands of downstream customers, including the US government.
It’s not getting any better. According to the latest report from the Identity Theft Resource Center (ITRC), over 200 million individuals were affected by supply chain attacks in 2024 (a massive increase from only about 10 million victims in 2022). ITRC research also highlights that Financial Services (led by commercial banks and insurance) was the most breached industry last year.
AI-powered DevSecOps Introduces New Problems
Without effective human oversight, mobile application dependencies become opaque. Generative artificial intelligence (GenAI) tools are increasingly used to automate and accelerate mobile app development cycles. While "agentic AI" may be the latest buzzword for business value, some typical mistakes that AI makes in DevOps coding include:
Generating hardcoded secrets in code
Misconfiguring Infrastructure-as-Code (IaC) with open permissions
Overlooking secure CI/CD pipeline configurations
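As an added illustration (not code from the original article), the following Python script shows the kind of automated gate a CI stage can run against AI-generated output for the three failure modes listed above: a regex pass over source for hardcoded credentials, a parse of an IAM-style policy for wildcard Action or Resource grants, and a scan of a pipeline workflow for actions referenced by a mutable tag instead of a full commit SHA. All inputs are constructed samples; the AKIA-prefixed key ID, the secret value, and the 40-zero SHA are placeholders rather than real values.

```python
import json
import re

# Constructed sample of generated application code containing hardcoded
# credentials. The key ID mimics the AWS format but is a placeholder.
GENERATED_SOURCE = "\n".join([
    'import boto3',
    'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"',
    'AWS_SECRET_ACCESS_KEY = "constructed-not-a-real-secret-value-0123"',
    'client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,',
    '                      aws_secret_access_key=AWS_SECRET_ACCESS_KEY)',
])

# Constructed IAM-style policy: the first statement grants everything.
GENERATED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-assets/*"},
    ],
})

# Constructed CI workflow fragment: one step is pinned by mutable tag, one by
# commit SHA (the 40-zero SHA is a placeholder, not a real commit).
GENERATED_WORKFLOW = "\n".join([
    "jobs:",
    "  build:",
    "    steps:",
    "      - uses: actions/checkout@v4",
    "      - uses: actions/setup-java@0000000000000000000000000000000000000000",
])

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned_secret": re.compile(
        r"(?i)\b[A-Z_]*(secret|password|token|api_key)[A-Z_]*\s*=\s*['\"][^'\"]{8,}['\"]"),
}

def find_hardcoded_secrets(source):
    """Return (line_number, pattern_name) for each suspected literal secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings

def find_wildcard_statements(policy_json):
    """Return indices of Allow statements with a wildcard Action or Resource."""
    policy = json.loads(policy_json)
    flagged = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            flagged.append(i)
    return flagged

ACTION_REF = re.compile(r"uses:\s*([\w.-]+/[\w.-]+)@(\S+)")

def find_unpinned_actions(workflow_text):
    """Return 'owner/repo@ref' for steps not pinned to a full commit SHA."""
    unpinned = []
    for repo, ref in ACTION_REF.findall(workflow_text):
        if not re.fullmatch(r"[0-9a-f]{40}", ref):
            unpinned.append(f"{repo}@{ref}")
    return unpinned

def pipeline_gate(source, policy_json, workflow_text):
    """True when the change may proceed; any finding blocks the merge."""
    return not (find_hardcoded_secrets(source)
                or find_wildcard_statements(policy_json)
                or find_unpinned_actions(workflow_text))

if __name__ == "__main__":
    print(find_hardcoded_secrets(GENERATED_SOURCE))
    print(find_wildcard_statements(GENERATED_POLICY))
    print(find_unpinned_actions(GENERATED_WORKFLOW))
    print("gate open:", pipeline_gate(GENERATED_SOURCE, GENERATED_POLICY, GENERATED_WORKFLOW))
```

The gate fails closed: a single finding in any of the three categories blocks the merge, and a human reviews the finding rather than the tool silently "fixing" it. Production scanners use far larger pattern sets and entropy checks, but the shape of the control is the same.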
Researchers tracked and examined 439 AI-related common vulnerabilities and exposures (CVEs) in 2024, identifying a staggering 1025% year-over-year increase. Nearly all (99%) of these were API-related, including misconfigurations, injection flaws, and new memory corruption vulnerabilities.
Use of large language models (LLMs) in mobile application development may also be unintentionally delivering malicious open-source code. A recently published university study notes that the high use of popular programming languages (e.g., Python, JavaScript, etc.) in centralized package repositories and open-source software, combined with the emergence of code-generating LLMs, creates a new type of threat to the software supply chain: package hallucinations. The researchers note, "These hallucinations, which arise from fact-conflicting errors when generating code using LLMs, represent a novel form of package confusion attack that poses a critical threat to the integrity of the software supply chain."
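A package-hallucination defence, as an added example that is not from the article or the cited study: the build accepts only dependencies that appear in a human-reviewed lockfile, are pinned to the reviewed version, and hash to the reviewed artifact digest. Everything here is constructed: the requirements list, the lockfile entries, the artifact bytes and their digests, and the package name "secure-banking-sdk", which stands in for a name an LLM might invent.

```python
import hashlib
import re
from typing import Optional

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed requirements as an LLM-assisted tool might emit them. The name
# "secure-banking-sdk" is made up and stands in for a hallucinated package.
GENERATED_REQUIREMENTS = """\
requests==2.32.3
PyYAML==6.0.2
secure-banking-sdk==1.4.0
cryptography
"""

# Constructed artifacts: what the build actually downloaded for each package.
FETCHED_ARTIFACTS = {
    "requests": b"constructed-wheel-bytes-for-requests-2.32.3",
    "pyyaml": b"constructed-wheel-bytes-for-pyyaml-6.0.2-but-modified",
    "cryptography": b"constructed-wheel-bytes-for-cryptography-43.0.1",
}

# Constructed reviewed lockfile: only packages a human has vetted, with the
# exact version and the digest of the artifact that was vetted.
LOCKFILE = {
    "requests": {"version": "2.32.3",
                 "sha256": _sha256(b"constructed-wheel-bytes-for-requests-2.32.3")},
    "pyyaml": {"version": "6.0.2",
               "sha256": _sha256(b"constructed-wheel-bytes-for-pyyaml-6.0.2")},
    "cryptography": {"version": "43.0.1",
                     "sha256": _sha256(b"constructed-wheel-bytes-for-cryptography-43.0.1")},
}

def normalize_name(name: str) -> str:
    # PEP 503 normalization: case-insensitive, runs of -_. collapse to '-'.
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text: str) -> list:
    """Parse 'name==version' / 'name' lines into (normalized_name, pin_or_None)."""
    parsed = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;]+))?", line)
        if not m:
            raise ValueError(f"unparseable requirement: {line!r}")
        parsed.append((normalize_name(m.group(1)), m.group(2)))
    return parsed

def verify_dependencies(req_text: str, lockfile: dict, artifacts: dict) -> dict:
    """Return a verdict per dependency; anything but 'ok' must block the build."""
    verdicts = {}
    for name, pinned in parse_requirements(req_text):
        entry: Optional[dict] = lockfile.get(name)
        if entry is None:
            verdicts[name] = "not_in_lockfile"   # possible hallucination: fail closed
        elif pinned is None:
            verdicts[name] = "unpinned"
        elif pinned != entry["version"]:
            verdicts[name] = "version_mismatch"
        elif name not in artifacts:
            verdicts[name] = "artifact_missing"
        elif _sha256(artifacts[name]) != entry["sha256"]:
            verdicts[name] = "hash_mismatch"
        else:
            verdicts[name] = "ok"
    return verdicts

def build_allowed(verdicts: dict) -> bool:
    return all(v == "ok" for v in verdicts.values())

if __name__ == "__main__":
    v = verify_dependencies(GENERATED_REQUIREMENTS, LOCKFILE, FETCHED_ARTIFACTS)
    print(v, "build allowed:", build_allowed(v))
```

The important design choice is that an unknown name is treated as a failure, not as "new dependency, install it": that is exactly the reflex a package-confusion attack relies on. The digest check catches the separate case where the name and version are right but the fetched artifact is not what was reviewed.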
AI-based tools used for automated mobile application security testing introduce a different set of challenges. AI models have been observed to generate low-quality "slop" vulnerability reports for open source code. These cost organizations precious time and money to investigate while diverting limited human analyst resources from other potentially critical remediation efforts.
As Mobile Threats Multiply, Other Risks Add Up
On top of the potential code-based weaknesses that occur when DevOps teams prioritize speed over security, mobile banking applications remain a highly profitable focal point for malicious actors. Fraud against banks and their customers is on the rise, according to a February 2025 report from PYMNTS Intelligence, with 87% of institutions claiming increases in stolen or falsified credentials over the past year.
Android threats targeting banking apps and cryptocurrency wallets grew by 20% in the second half of 2024. More specifically, the number of Trojan banker malware attacks on Android smartphones (designed to steal user credentials for online banking, e-payment services, and credit card systems) surged by 196% in 2024.
Besides upfront financial losses, there are also compounding risks of a successful mobile app attack. These include service downtime, reputational impact on the institution’s brand, litigation costs, and potential penalties for violating increasingly strict industry regulations. Examples include:
The European Union’s Payment Services Directive 3 (PSD3) regulations cover e-payment services, customer experience, and retention. Organizations that fail to meet PSD3 data protection requirements can face fines as well as potential license removal.
In the US, the Gramm-Leach-Bliley Act (GLBA) requires protection of customer data and systems, a requirement that extends to mobile banking applications. Non-compliance can bring fines of up to $100K per violation.
The Reserve Bank of India (RBI) maintains comprehensive cybersecurity requirements for digital payment applications (including banks). Failure to comply with their customer protection guidelines can result in monetary penalties.
The Monetary Authority of Singapore (MAS) maintains specific regulations addressing technology risk management for banks, including mobile-specific security requirements. MAS can take a range of enforcement actions, including reprimands, composition penalties, prohibition orders, civil penalties, and even referring a case for criminal prosecution.
Speed without Security is a False Economy
Chasing market share at the expense of protecting banking customers and the broader economy from the impacts of mobile application attacks has reached a breaking point. In his summary, JPMorgan Chase’s Patrick Opet offered this call to action:
Providers must urgently reprioritize security, placing it equal to or above launching new products. ‘Secure and resilient by design’ must go beyond slogans — it requires continuous, demonstrable evidence that controls are working effectively, not simply relying on annual compliance checks.
As a first step, mobile app developers should consciously rebalance their strategic priorities. Time-to-market, user experience, and mobile app security all deserve equal consideration within the CI/CD pipeline. All objectives can be served with the right tools and collaborative processes in place.
Developers then need to build security into all stages of the software development lifecycle (SDLC) through effective solutions for testing, protection, and monitoring. Some best practices for a multi-layered approach to mobile banking app security include:
Identify and rigorously protect sensitive code segments within the application.
Implement robust code obfuscation techniques to make reverse engineering significantly more difficult for attackers.
Strengthen data protection measures, both for data at rest and data in transit, using strong encryption and secure storage practices.
Enforce Runtime Application Self-Protection (RASP) to enable apps to detect and respond to attacks in real-time.
Enhance malware detection and mitigation capabilities, staying ahead of evolving threats.
Implement strong device and transaction binding to ensure that transactions can only be initiated from trusted devices and by authenticated users.
Utilize attestation services and continuous monitoring to verify app integrity and detect anomalies or suspicious activities promptly.
Conduct regular, comprehensive mobile banking application security testing, including penetration testing and vulnerability assessments, by qualified professionals.
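To make the device and transaction binding item concrete, here is an added example (not code from the article or from any vendor) of the server-side checks behind it: every transaction field is covered by a MAC computed with a key established when the device was enrolled for a specific user, and the server rejects unknown devices, devices used for another user's account, stale requests, altered fields, and replays. The example assumes a symmetric HMAC key handed out at enrollment; a production app would instead hold an asymmetric key in hardware-backed storage (Android Keystore or the iOS Secure Enclave) and the server would verify a key attestation at enrollment, which is the attestation step the next item describes. All device IDs, user IDs, and transactions are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side state. ENROLLED_DEVICES maps a device ID to the user
# it was enrolled for and the per-device key established at enrollment. In a
# real app the client key would be asymmetric and hardware-backed (Android
# Keystore / iOS Secure Enclave) with an attestation checked at enrollment; a
# shared HMAC key stands in for that here.
ENROLLED_DEVICES = {}
SEEN_NONCES = set()
MAX_SKEW_SECONDS = 120

def enroll_device(device_id, user_id):
    """Bind a device to a user and return the device's signing key."""
    key = secrets.token_bytes(32)
    ENROLLED_DEVICES[device_id] = (user_id, key)
    return key

def canonical_bytes(tx):
    # Deterministic serialization so client and server MAC identical bytes.
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def sign_transaction(key, tx):
    return hmac.new(key, canonical_bytes(tx), hashlib.sha256).hexdigest()

def client_build_request(device_id, key, user_id, amount_cents, payee, now=None):
    """Client side: every field that matters is covered by the MAC."""
    tx = {
        "device_id": device_id,
        "user_id": user_id,
        "amount_cents": amount_cents,
        "payee": payee,
        "nonce": secrets.token_hex(16),
        "ts": int(time.time() if now is None else now),
    }
    return {"tx": tx, "mac": sign_transaction(key, tx)}

def server_verify(request, now=None):
    """Server side: returns (accepted, reason)."""
    tx, mac = request["tx"], request["mac"]
    record = ENROLLED_DEVICES.get(tx.get("device_id"))
    if record is None:
        return False, "unknown_device"
    user_id, key = record
    if tx.get("user_id") != user_id:
        return False, "device_not_bound_to_user"
    now = int(time.time() if now is None else now)
    if abs(now - int(tx.get("ts", 0))) > MAX_SKEW_SECONDS:
        return False, "stale_timestamp"
    # Verify before touching the nonce set so forged requests cannot poison it.
    if not hmac.compare_digest(sign_transaction(key, tx), mac):
        return False, "bad_mac"
    if tx["nonce"] in SEEN_NONCES:
        return False, "replay"
    SEEN_NONCES.add(tx["nonce"])
    return True, "ok"

def run_scenarios(now=1_700_000_000):
    """Exercise the checks with constructed traffic; returns {scenario: reason}."""
    ENROLLED_DEVICES.clear()
    SEEN_NONCES.clear()
    key_a = enroll_device("dev-A", "user-1")
    good = client_build_request("dev-A", key_a, "user-1", 12_500, "ACME Utilities", now)
    results = {"valid": server_verify(good, now)[1]}
    # Amount altered after signing (for example by malware between app and bank).
    tampered = {"tx": dict(good["tx"], amount_cents=1_250_000), "mac": good["mac"]}
    results["tampered_amount"] = server_verify(tampered, now)[1]
    # The original, valid request submitted a second time.
    results["replay"] = server_verify(good, now)[1]
    # A device that never completed enrollment, even with a well-formed MAC.
    rogue = client_build_request("dev-B", secrets.token_bytes(32), "user-1", 500, "ACME", now)
    results["unenrolled_device"] = server_verify(rogue, now)[1]
    # An enrolled device used against a different user's account.
    wrong_user = client_build_request("dev-A", key_a, "user-2", 500, "ACME", now)
    results["wrong_user"] = server_verify(wrong_user, now)[1]
    # A correctly signed request held back and submitted ten minutes later.
    old = client_build_request("dev-A", key_a, "user-1", 500, "ACME", now - 600)
    results["stale"] = server_verify(old, now)[1]
    return results

if __name__ == "__main__":
    print(run_scenarios())
```

Two details matter in practice: the MAC is checked before the nonce is recorded, so an unauthenticated request cannot burn nonces, and the timestamp window bounds how long the nonce set has to be retained. The `now` parameter exists only so the scenarios run deterministically; in service both sides use the wall clock.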
By embracing these actionable steps and fostering a culture where security is paramount, the financial industry can better protect its customers, maintain trust, and ensure the resilience of the digital banking ecosystem.