Wells Fargo Vantage Android App Vulnerabilities
Background
The Wells Fargo Vantage Android app has three security
problems: it runs on a rooted phone, it places
confidential data in the device log, and it lacks
binary protections.
These flaws are in the
OWASP Top 10 Mobile Risks:
- M1: Improper Credential Usage
- M7: Insufficient Binary Protections
- M8: Security Misconfiguration
App Version
This is the app I tested:
Testing Method
I used a rooted Android emulator connected to the
Burp proxy.
The app installed and ran, despite the device being
rooted, which blocked many other banking apps
from running.
Code Modification
I used APK Editor Studio to unpack and analyse the app:
I modified the splash screen message:
The modified app still ran:
Examining the Log
I submitted a login request:
And the credentials appeared in the device log.
Notification
I sent this email on 9-27-2025:
Posted 9-27-2025 by Sam Bowne