More specifically, he reported that 70% of the apps had no support for two-factor authentication and 40% of them accepted any SSL certificate for secure HTTP traffic.
This, according to Michael Whitcomb, president and CEO of Loricca, should be no big surprise. "Security for both (desktop and mobile) is relatively poor," he said.
Borenstein agreed, noting that "most app developers do not focus on security when developing their app. Security requirements are typically only included to appease the App Store or Google Play guidelines."
In addition, "many of these flaws are not surprising due to the fact that the app world is racing to increase adoption — sometimes at the risk of everything else," he said.
But that doesn't mean he thinks online banking is too risky. Borenstein cheerfully admits that he regularly does it. "Of course!" he said. "I take the necessary precautions that are offered to me by my financial institution, and when new, secure mechanisms come out, I am an early adopter."
And that, said Gary McGraw, CTO of Cigital, is more significant than flaws in mobile apps. "Those flaws (in the apps) are real," he said, "but the real question is, 'does it matter?' Those looking at the app are only looking at a part of the entire ecosystem, and you have to look at the whole thing. The bank will allow various stuff to happen or not, depending on the condition of the device attaching to it, which takes into account the operating system and whether it's rooted."
McGraw points out that banks are liable for losses to individual depositors (not businesses) due to fraud, "and they're not freaking out over this (Sanchez's findings). If mobile and online banking were really such a disaster, the banks wouldn't be doing it. They're smart about money, you know."
Blake Turrentine, CSO for the online social networking dating site Zoosk, and a penetration tester for Kaiser, was even more dismissive of Sanchez's findings. "I would say that it's a biased, script-kiddie assessment, in which he glosses over or ignores security features already provided by the operating system," he said.
"Furthermore, I seriously doubt if he could write his own jailbreak by himself to get the phone to such a compromised state as a jailbroken phone."
The bank security official who read Sanchez's post also said the flaws, while real, were relatively trivial — referring to them as "table stakes."
"Something like this, while it makes headlines, doesn't tell you what's going on behind the scenes," he said. Behind the scenes, most banks' systems can tell whether a device has connected before from a specific customer; they also flag large transactions and can usually tell from the velocity of clicks whether it is a human user or malware.