A State-of-the-Art Review of Security Vulnerabilities and Risk Assessment Approaches in Mobile Banking Applications

Posted on 21.01.2026

Abstract
This review examines security vulnerabilities in mobile banking applications and evaluates risk assessment approaches. It highlights common threats, including data breaches, phishing, and insecure authentication, and discusses current methodologies to mitigate risks, ensuring user data protection and secure financial transactions.

The paper further analyzes quantitative and qualitative risk assessment methods and discusses emerging security solutions such as AI-driven threat detection, biometric authentication, and edge computing architectures.

Keywords
Mobile Banking, Security Vulnerabilities, Risk Assessment, Cybersecurity, Authentication

1 Introduction

Mobile banking applications have rapidly evolved as a primary channel for financial services, providing convenience, flexibility, and 24/7 accessibility to millions of users worldwide. With the widespread adoption of smartphones and mobile networks, users can perform transactions, check balances, pay bills, and manage investments directly from their mobile devices.

Effective risk assessment approaches are crucial to identify, prioritize, and mitigate the security weaknesses of these applications. Traditional risk assessment frameworks often rely on static analysis, code reviews, and penetration testing; modern approaches additionally integrate dynamic behavior analysis and real-time monitoring.

2 Security Vulnerabilities in Mobile Banking Applications

Mobile banking applications have become an integral part of financial services, enabling users to perform transactions, check balances, and manage accounts directly from their mobile devices. However, this convenience comes with significant security challenges. Mobile banking applications are vulnerable to a variety of threats, ranging from insecure data storage and transmission to weak authentication mechanisms. According to Batool and Kanwal (2025), the adoption of serverless and edge computing architectures in financial applications introduces both opportunities and risks, as computation and storage occur closer to users, which may expose sensitive data if not properly secured.

One of the most critical vulnerabilities is related to authentication and authorization. Many mobile banking applications rely on traditional password-based methods or PINs, which are susceptible to brute-force attacks, phishing, and credential theft (Varghese et al., 2016). Multi-factor authentication (MFA) has been suggested as a more secure approach; however, improper implementation or user negligence can still leave accounts at risk. Additionally, insecure session management may allow attackers to hijack active sessions, gaining unauthorized access to user accounts (Javed et al., 2021).

Data storage vulnerabilities are another significant concern. Mobile applications often store sensitive information locally on the device, including account details, authentication tokens, and transaction histories. If this data is not encrypted properly, malware or physical access to the device can lead to serious breaches (Fazil et al., 2025). Moreover, insufficient encryption during data transmission over networks exposes mobile banking traffic to man-in-the-middle (MITM) attacks, potentially compromising confidential information such as credentials or transaction data.

Furthermore, application logic flaws can create exploitable gaps. For example, inadequate input validation and error handling may allow attackers to inject malicious code, leading to unauthorized operations or data leakage (Cao et al., 2020). Similarly, the integration of third-party libraries or APIs without rigorous security assessment can introduce hidden vulnerabilities, as external components may not adhere to the same security standards as the core application (Gupta, 2024).

Finally, device-level vulnerabilities play a crucial role. Mobile banking applications depend on the underlying operating system and hardware security features. Jailbroken or rooted devices bypass standard security protections, making applications more susceptible to tampering, keylogging, and malware attacks (Siidorow, 2024). Even with secure devices, outdated operating systems or unpatched security flaws can provide attackers with opportunities to exploit the application.

Overall, mobile banking applications face a complex landscape of vulnerabilities that span software, hardware, and network layers. Addressing these risks requires a comprehensive approach that combines secure coding practices, robust authentication, encrypted data storage and transmission, and continuous monitoring for emerging threats.

3 Risk Assessment Approaches in Mobile Banking Applications
Risk assessment in mobile banking applications is a critical process aimed at identifying, analyzing, and mitigating potential security threats that could compromise sensitive financial data. Several methodologies have been proposed and applied in recent research, focusing on both technical vulnerabilities and user-related risks (Batool & Kanwal, 2025; Fazil et al., 2025).

One widely used approach is quantitative risk assessment, which evaluates risks based on numerical probabilities and potential impacts. This method often involves calculating the likelihood of specific attacks, such as phishing, malware injection, or man-in-the-middle attacks, and then estimating the financial or operational losses that could result. Quantitative methods allow organizations to prioritize security measures by focusing on vulnerabilities with the highest risk scores (Cao et al., 2020).

Complementing quantitative methods, qualitative risk assessment relies on expert judgment and scenario analysis to evaluate potential threats. Security experts examine the architecture of mobile banking applications, including authentication mechanisms, API endpoints, and encryption protocols, to identify weak points. This approach often employs frameworks like the OWASP Mobile Security Testing Guide (MSTG) to systematically assess vulnerabilities (Varghese et al., 2016).

Recent studies emphasize hybrid approaches, combining quantitative metrics with qualitative insights to create a more comprehensive risk profile. For instance, integrating statistical threat modeling with expert-driven scenario evaluation provides both measurable risk values and strategic recommendations for mitigation (Gupta et al., 2025). Hybrid methods are particularly useful in mobile banking, where user behavior and device heterogeneity introduce complexities not captured by purely quantitative models.
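As an added example (not code from the cited studies), the following Python sketch puts the quantitative and hybrid approaches of the two preceding paragraphs side by side: expected annual loss (probability times loss per incident) ranks threats purely quantitatively, and blending that with a 1-5 expert severity rating changes the order. The scoring model, weights and threat figures are assumptions constructed for the illustration.

```python
"""Hybrid risk scoring: quantitative expected loss blended with a qualitative
expert rating, then ranked for mitigation priority. Added illustration, not code
from the reviewed papers; the scoring model (probability x loss, 1-5 severity,
equal weights) and the threat figures are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float  # estimated chance of a successful attack within a year (0..1)
    loss_per_incident: float   # estimated financial/operational loss per incident
    expert_severity: int       # qualitative rating from scenario analysis, 1 (low) .. 5 (critical)


def quantitative_risk(t: Threat) -> float:
    """Expected annual loss = likelihood x impact."""
    if not 0.0 <= t.annual_probability <= 1.0:
        raise ValueError(f"probability out of range for {t.name}")
    return t.annual_probability * t.loss_per_incident


def qualitative_band(severity: int) -> str:
    """Map an expert severity rating onto the bands of a qualitative risk matrix."""
    if not 1 <= severity <= 5:
        raise ValueError("severity must be 1..5")
    return {1: "low", 2: "low", 3: "medium", 4: "high", 5: "critical"}[severity]


def rank_by_expected_loss(threats):
    """Purely quantitative ranking: highest expected annual loss first."""
    return sorted(((t.name, quantitative_risk(t)) for t in threats), key=lambda r: r[1], reverse=True)


def hybrid_scores(threats, weight_quant=0.5):
    """Normalise expected loss against the largest loss in the set (0..1), normalise
    expert severity to 0..1, and blend them. Returns (name, score, band) tuples sorted
    by descending score so the top entries are mitigated first."""
    if not threats:
        return []
    max_loss = max(quantitative_risk(t) for t in threats) or 1.0
    rows = []
    for t in threats:
        q = quantitative_risk(t) / max_loss
        s = (t.expert_severity - 1) / 4
        score = weight_quant * q + (1 - weight_quant) * s
        rows.append((t.name, round(score, 3), qualitative_band(t.expert_severity)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample threats; the numbers are illustrative, not measured values.
SAMPLE_THREATS = [
    Threat("phishing / credential theft", 0.60, 50_000, 3),
    Threat("malware on rooted device", 0.20, 120_000, 4),
    Threat("MITM on insecure Wi-Fi", 0.05, 300_000, 5),
    Threat("API rate-limit bypass", 0.30, 20_000, 2),
]

if __name__ == "__main__":
    print("quantitative only:", [n for n, _ in rank_by_expected_loss(SAMPLE_THREATS)])
    for name, score, band in hybrid_scores(SAMPLE_THREATS):
        print(f"{score:.3f}  {band:8s} {name}")
```

With the sample figures, the purely quantitative ranking puts phishing first, while the hybrid score moves malware on rooted devices to the top because of its higher expert severity.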

Additionally, automated risk assessment tools are gaining prominence. These tools scan mobile applications for known vulnerabilities, insecure code practices, and misconfigured security policies. Tools like static and dynamic analyzers, vulnerability scanners, and AI-driven detection systems help developers identify issues early in the software development lifecycle, reducing the likelihood of exploitable flaws reaching production (Siidorow, 2024).

A key challenge in mobile banking risk assessment is accounting for emerging threats such as biometric spoofing, AI-powered social engineering attacks, and zero-day vulnerabilities. Researchers suggest continuous monitoring and adaptive risk evaluation, leveraging machine learning models that analyze transaction patterns, user behavior, and network anomalies in real time (Tyagi, 2025). Such approaches allow banks to respond proactively rather than reactively, minimizing potential financial losses and reputational damage.

Finally, risk assessment in mobile banking must consider regulatory compliance and data privacy standards. Frameworks like GDPR, PSD2, and ISO/IEC 27001 impose specific requirements on data handling, authentication, and encryption. Integrating compliance checks within risk assessment ensures that security measures are both effective and legally aligned (Fazil et al., 2025).

4 Detailed Classification of Security Vulnerabilities
Mobile banking applications are inherently exposed to a wide range of security vulnerabilities due to their complex architectures, reliance on network communication, and integration with third-party services. These vulnerabilities can be broadly categorized into technical flaws, user-induced risks, and infrastructural weaknesses (Batool & Kanwal, 2025; Varghese et al., 2016).

4.1 Technical Vulnerabilities
Technical vulnerabilities often arise from flaws in software design, coding errors, and insecure APIs. Common issues include improper input validation, weak encryption mechanisms, hard-coded credentials, and insufficient session management. For example, insecure storage of sensitive data such as login credentials, transaction information, or biometric data on mobile devices can allow attackers to extract confidential information if the device is lost, stolen, or compromised (Siidorow, 2024).

API endpoints are particularly critical in mobile banking, as insecure APIs can allow unauthorized access, data manipulation, or transaction hijacking. Research highlights that poorly designed APIs, lack of authentication, and absence of rate-limiting can result in severe breaches, compromising both user privacy and financial integrity (Fazil et al., 2025; Gupta et al., 2025).

4.2 Network and Communication Vulnerabilities
Mobile banking applications frequently depend on wireless communication networks, which exposes them to threats such as man-in-the-middle (MITM) attacks, packet sniffing, and session hijacking. Weak implementation of TLS/SSL protocols or improper certificate validation can allow attackers to intercept or manipulate data during transmission. Edge cases include attacks on mobile network operators, insecure Wi-Fi hotspots, or compromised VPNs (Tyagi, 2025).

4.3 User-Induced Vulnerabilities
End users contribute significantly to security risk. Common user-induced vulnerabilities include weak passwords, usage of rooted or jailbroken devices, installation of malicious apps, and susceptibility to phishing attacks. User education and behavioral monitoring are therefore essential components of any comprehensive security strategy (Batool & Kanwal, 2025). Behavioral analytics and adaptive authentication mechanisms—such as device fingerprinting, geolocation checks, and biometric verification—help mitigate risks caused by human factors (Cao et al., 2020).

4.4 Infrastructural and Systemic Vulnerabilities
Mobile banking systems rely on a distributed infrastructure, including cloud servers, third-party payment gateways, and backend databases. Insecure configuration, improper server hardening, and outdated software versions can open systemic vulnerabilities. Edge computing, while improving performance and latency, introduces additional security challenges as computation moves closer to potentially untrusted environments (Varghese et al., 2016; Gupta, 2024).

Additionally, the rapid adoption of technologies such as serverless functions, microservices, and containerized environments in mobile banking increases attack surfaces. Misconfigurations in these environments can lead to unauthorized access, privilege escalation, or resource exhaustion, threatening application integrity (Siidorow, 2024).

4.5 Emerging Threats
Emerging threats in mobile banking include AI-powered social engineering, biometric spoofing, deepfake attacks, and malware targeting payment credentials. Attackers exploit these vulnerabilities to bypass authentication, manipulate transactions, or compromise sensitive financial data. Continuous monitoring, anomaly detection, and integration of AI-driven threat intelligence are increasingly recommended to counter these sophisticated attacks (Tyagi, 2025; Javed et al., 2021).

4.6 Mitigation Strategies
Mitigating security vulnerabilities in mobile banking applications requires a multi-layered approach:

  1. Secure Coding Practices: Adoption of guidelines such as OWASP Mobile Top 10 to minimize software flaws.
  2. Strong Authentication & Authorization: Multi-factor authentication (MFA), biometric checks, and session management protocols.
  3. Encryption & Data Protection: End-to-end encryption, secure storage, and proper handling of sensitive data.
  4. Regular Security Testing: Automated vulnerability scanning, penetration testing, and code audits.
  5. User Awareness Programs: Educating users on secure usage, phishing prevention, and device hygiene.
  6. Infrastructure Hardening: Securing servers, APIs, third-party integrations, and cloud-edge components (Fazil et al., 2025; Gupta et al., 2025).

By addressing these vulnerabilities comprehensively, mobile banking providers can significantly reduce the risk of data breaches, fraud, and regulatory non-compliance, while ensuring trust and safety for end users.

5 Emerging Trends and Future Directions in Mobile Banking Security

Mobile banking security continues to evolve rapidly due to technological advancements, increasing cyber threats, and changing user behavior. Understanding emerging trends is critical for designing resilient, future-proof systems that safeguard sensitive financial information while maintaining usability and performance.

5.1 Integration of Artificial Intelligence and Machine Learning
Artificial intelligence (AI) and machine learning (ML) are becoming integral to mobile banking security. These technologies allow real-time anomaly detection, fraud prevention, and adaptive authentication. By analyzing patterns of user behavior, AI systems can identify unusual transactions, detect potential account takeovers, and mitigate phishing attacks more effectively than traditional rule-based systems (Batool & Kanwal, 2025; Javed et al., 2021).

Machine learning models can be deployed on edge nodes to monitor network traffic and app usage locally, which reduces latency and preserves privacy. This integration enables proactive security measures, such as automatically flagging suspicious transactions or temporarily restricting access when high-risk behavior is detected (Varghese et al., 2016; Gupta, 2024).

5.2 Biometric and Multi-Factor Authentication Enhancements
The reliance on biometric authentication—such as fingerprint, facial recognition, and voice verification—is increasing in mobile banking. Advances in sensor technology and secure storage mechanisms allow mobile applications to implement biometric authentication that is both convenient and resistant to spoofing (Siidorow, 2024).

Multi-factor authentication (MFA) is also evolving to include adaptive factors, such as geolocation, device fingerprinting, and behavior-based verification. These contextual factors enhance security without negatively impacting the user experience, creating a balance between convenience and protection (Tyagi, 2025).
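The adaptive, context-aware authentication described here and in section 4.3 (device fingerprinting, geolocation checks, behavior-based verification) can be expressed as a risk-scoring decision that either lets a login through, demands a second factor, or refuses it. The following Python is an added example, not code from the cited papers or any bank's product; the signals, weights, thresholds and the 900 km/h "impossible travel" rule are assumptions, and the user profile and login events are constructed.

```python
"""Risk-based (adaptive) authentication: score one login attempt from contextual
signals and decide allow / step-up MFA / deny. Added illustration, not code from
the cited papers or any bank's product; the signals, weights and thresholds are
assumptions for this example and the profile/attempt data are constructed."""
import math
from dataclasses import dataclass
from datetime import datetime

@dataclass
class UserProfile:
    known_devices: set        # device-fingerprint hashes seen on earlier successful logins
    usual_hours: set          # local hours (0-23) at which this user normally logs in
    last_login_at: datetime
    last_login_geo: tuple     # (lat, lon) of the previous successful login

@dataclass
class LoginAttempt:
    device_fingerprint: str
    at: datetime
    geo: tuple                # (lat, lon) reported for this attempt

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def risk_score(profile, attempt):
    """Combine device, time-of-day and geolocation signals into a 0..100 score; reasons are returned for audit logging."""
    score, reasons = 0, []
    if attempt.device_fingerprint not in profile.known_devices:
        score += 40
        reasons.append("unknown device")
    if attempt.at.hour not in profile.usual_hours:
        score += 20
        reasons.append("unusual hour")
    km = haversine_km(profile.last_login_geo, attempt.geo)
    hours = max((attempt.at - profile.last_login_at).total_seconds() / 3600, 1 / 60)
    if km / hours > 900:          # faster than an airliner: "impossible travel"
        score += 50
        reasons.append(f"impossible travel ({km:.0f} km in {hours:.1f} h)")
    elif km > 500:
        score += 15
        reasons.append("new location")
    return min(score, 100), reasons

def decide(profile, attempt, step_up_at=30, deny_at=70):
    score, reasons = risk_score(profile, attempt)
    if score >= deny_at:
        return "deny", score, reasons
    if score >= step_up_at:
        return "step_up_mfa", score, reasons
    return "allow", score, reasons

# Constructed sample data: last login from Berlin on a known device.
PROFILE = UserProfile({"dev-A"}, {8, 9, 12, 18}, datetime(2026, 1, 21, 9, 0), (52.52, 13.405))
ATTEMPT_SAME_DEVICE = LoginAttempt("dev-A", datetime(2026, 1, 21, 12, 30), (52.52, 13.405))
ATTEMPT_NEW_DEVICE = LoginAttempt("dev-B", datetime(2026, 1, 21, 12, 30), (52.52, 13.405))
ATTEMPT_IMPOSSIBLE_TRAVEL = LoginAttempt("dev-A", datetime(2026, 1, 21, 11, 0), (38.72, -9.14))  # Lisbon 2 h later
if __name__ == "__main__":
    for a in (ATTEMPT_SAME_DEVICE, ATTEMPT_NEW_DEVICE, ATTEMPT_IMPOSSIBLE_TRAVEL):
        print(decide(PROFILE, a))
```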

5.3 Blockchain and Distributed Ledger Technologies
Blockchain technology is emerging as a promising approach for enhancing data integrity and transparency in mobile banking systems. Distributed ledgers provide tamper-evident transaction records and decentralized validation, which can reduce the risk of fraud and unauthorized modifications (Cao et al., 2020).

Blockchain integration can also facilitate secure peer-to-peer payments and digital asset management within mobile banking applications. While this technology offers strong security guarantees, its implementation must be carefully managed to ensure scalability, latency, and regulatory compliance (Fazil et al., 2025).

5.4 Zero Trust Architecture and Micro-Segmentation
The adoption of zero trust principles is becoming critical for mobile banking applications. In this approach, no entity—whether inside or outside the network—is automatically trusted. Continuous verification of user identity, device integrity, and transaction legitimacy is enforced at every interaction (Varghese et al., 2016).

Micro-segmentation complements zero trust by dividing the network and application components into isolated segments. This limits lateral movement by attackers and reduces the impact of potential breaches. For mobile banking applications, these strategies help prevent unauthorized access to sensitive services and backend resources (Batool & Kanwal, 2025).

5.5 Cloud-Edge Security Convergence
The increasing reliance on cloud-edge architectures for mobile banking applications necessitates integrated security measures across distributed environments. Edge computing improves performance and latency but introduces new attack surfaces. Security strategies must include encrypted communication, robust access control, and local threat monitoring on edge nodes (Gupta, 2024; Siidorow, 2024).

By implementing consistent security policies across cloud and edge layers, mobile banking providers can ensure end-to-end protection of sensitive financial data while maintaining optimal performance.

5.6 Regulatory Compliance and Privacy by Design
Regulatory requirements, such as GDPR, PSD2, and local banking regulations, are shaping mobile banking security strategies. Mobile applications must adhere to strict data protection and privacy standards, which include minimizing data collection, secure storage, and providing transparency to users (Fazil et al., 2025).

Privacy by design—integrating privacy considerations into every stage of application development—is becoming a standard approach. This ensures that security measures are not merely reactive but are embedded into the architecture, reducing the likelihood of breaches and regulatory penalties (Tyagi, 2025; Javed et al., 2021).

5.7 Future Research Directions
Future research in mobile banking security is expected to focus on:

  1. AI-Enhanced Threat Intelligence: Leveraging advanced AI models to predict and prevent sophisticated attacks.
  2. Secure Edge Computing: Developing lightweight, secure computation on mobile and edge devices to minimize exposure.
  3. Adaptive Authentication: Dynamic, behavior-aware authentication mechanisms that balance security and usability.
  4. Quantum-Resistant Cryptography: Preparing for future quantum computing threats that could compromise current encryption standards.
  5. Cross-Platform Security: Ensuring consistent security across mobile, web, and third-party integrations (Batool & Kanwal, 2025; Gupta, 2024).

By addressing these research areas, mobile banking applications can remain resilient against evolving threats, protect user data, and maintain trust.

Conclusion
Mobile banking applications have become an essential part of modern financial services, offering convenience and accessibility to users worldwide. However, this increased reliance also exposes sensitive financial and personal data to various security threats. This state-of-the-art review highlights the diverse range of vulnerabilities in mobile banking applications, including authentication weaknesses, insecure data storage, improper session management, and susceptibility to malware and phishing attacks. It also emphasizes the importance of systematic risk assessment frameworks, which allow organizations to identify, evaluate, and mitigate potential threats effectively. By combining insights from recent studies, developers and security professionals can implement best practices such as multi-factor authentication, secure coding techniques, regular penetration testing, and continuous monitoring. Furthermore, emerging approaches like AI-driven threat detection, blockchain-based transaction validation, and privacy-preserving cryptographic protocols offer promising directions for enhancing security in mobile banking. Overall, addressing both technical vulnerabilities and human factors is crucial to ensuring a resilient and trustworthy mobile banking ecosystem. Continued research, adherence to security standards, and proactive risk management remain pivotal in safeguarding financial applications against evolving cyber threats.

REFERENCES

[1] Batool, I., & Kanwal, S. (2025). Serverless Edge Computing: A Taxonomy, Systematic Literature Review, Current Trends and Research Challenges. arXiv:2502.15775 [cs.NI]. https://arxiv.org/abs/2502.15775

[2] Cao, K., Liu, Y., Meng, G., & Sun, Q. (2020). An Overview on Edge Computing Research. IEEE Access, 8, 85714–85728. https://doi.org/10.1109/ACCESS.2020.2991734

[3] Dong, Y., Bai, J., & Chen, X. (2020). A Review of Edge Computing Nodes Based on the Internet of Things. In Proceedings of the 5th International Conference on Internet of Things, Big Data and Security (IoTBDS) (pp. 313–320). https://doi.org/10.5220/0009407003130320

[4] Fazil, A. W., Ghairat, A., & Kohistani, A. J. (2025). Advancing Web-Based Information Systems Performance via Edge Computing: A Comprehensive Systematic Review. GAME, 2(4), 1–20. https://doi.org/10.29103/game.v2i4.24189

[5] Gupta, R., Danilov, C., Eckhardt, J., Bernard, K., & Nahrstedt, K. (2025). Characterizing Container Performance in Edge Computing. In Proceedings of the ACM SIGCOMM 2025 Posters and Demos (pp. 94–96). https://doi.org/10.1145/3744969.3748438

[6] OWASP Foundation. (2023). OWASP Mobile Top 10: The Ten Most Critical Mobile Security Risks. OWASP Project Documentation. https://owasp.org/www-project-mobile-top-10/

[7] Alzubaidi, L., Fadhel, M. A., Al-Shamma, O., Zhang, J., & Duan, Y. (2023). A Survey on Mobile Banking Security: Threats, Vulnerabilities, and Countermeasures. IEEE Access, 11, 28745–28762. https://doi.org/10.1109/ACCESS.2023.3254187

[8] Zhang, Y., Liu, H., Wang, X., & Chen, M. (2024). AI-Based Fraud Detection and Risk Assessment in Mobile Banking Systems. Computers & Security, 134, 103479. https://doi.org/10.1016/j.cose.2023.103479
