Report: 55% Of UK Banking Apps Are Leaving Customers Exposed

‘The State of Application Security in UK Banking’ report by Jscrambler analysed UK banks’ and fintechs’ exposure to third party risk and supply chain attacks

PORTO, Portugal, 23 JUNE, 2022 – Jscrambler, a technology company specialising in cybersecurity products for web and mobile applications, today announced a new report: ‘The State of Application Security in UK Banking’. Analysing a sample of banks and fintechs from the UK, Jscrambler’s dedicated research team have focussed on the security of the source code of each bank or fintech’s applications and analysed their exposure to third party risk and software supply chain attacks.

Attacks such as phishing, ransomware, malware and banking trojans have been gaining momentum globally, resulting in the theft of user data and disruption of operations. In parallel, fintechs have been enjoying very rapid growth. With competition between players in the banking industry quickly mounting, development teams have had to cut time to market, which inherently increases the chance of security weaknesses being introduced into the web and mobile apps they develop. Ultimately, consumers are left at risk, and companies face regulatory, financial and reputational risks.

Specifically, for each of these apps and websites, tests were performed with two different methodologies: an analysis of the existence of JavaScript source code protection techniques and an analysis of all scripts present on the website that come from third parties, as well as the behaviour of these scripts.

The key findings include:

  • 55% of apps do not obfuscate the JavaScript code – leaving it exposed on the client-side and opening the door to attacks.
  • 40% of those that do use obfuscation are using very weak protection, with little resilience – attackers can easily reverse this by means of a de-obfuscator.
  • 18% use anti-debugging protection at runtime – the vast majority of UK banking websites are not impeding threat actors from experimenting with the source code at runtime.
  • 23 external domains (on average) receive data from banking apps – often, security teams are not aware that their applications are sending data to so many external domains. 

“When you have a system with hundreds of critical moving parts that are sourced and maintained by dozens of vendors, third party risk cannot be ignored,” said Pedro Fortuna, Jscrambler co-founder and CTO. “Protecting JavaScript code against attacks is essential, especially when you consider the risk posed to consumers and their data, as well as the financial and reputational damage caused to banks and fintechs.”

The results presented in this report are based on an analysis conducted by Jscrambler’s security team between March and May of 2022. The sample of this analysis represents 11 banks and fintechs from the United Kingdom. The analysis refers to a series of tests carried out on the websites and mobile apps of these institutions, used by their own customers.

To view the report, click here.

For more information about Jscrambler, visit 

About Jscrambler

Jscrambler is the leader in client-side web security. With Jscrambler, JavaScript applications become self-defensive and resilient to tampering and reverse-engineering, while also capable of detecting and blocking client-side attacks like Magecart and data exfiltration. The company is trusted by the Fortune 500 and major companies in sectors such as finance, e-commerce, broadcasting, software development, and gaming. Jscrambler is recognized by Gartner in the Market Guide for In-App Protection, Market Guide for Online Fraud Detection, and Hype Cycle for Application Security, and has been recognized by Deloitte as one of EMEA’s fastest-growing tech companies.

