The Federal Office for Information Security (BSI) has examined a number of tax return apps for smartphones and tablets with regard to IT security. The study identified several possible vulnerabilities that consumers should pay attention to when choosing their software. After all, the BSI emphasizes, tax return apps process a particularly large amount of sensitive data, such as income information, social security and tax identification numbers, and other personal identifiers.
The reason for the study by the BSI, as Germany's central cybersecurity authority and independent body for digital consumer protection, was that, according to a recent survey, software and apps for tax returns are becoming increasingly popular. In Germany, 57 percent of tax returns are now submitted online. The use of tax return apps has doubled within a year: filing tax returns via smartphone or tablet rose from four to eight percent in 2023.
That is why the BSI took a closer look at the market for tax return apps and analyzed a total of nine products in more detail. To be considered, an app had to connect to the Elster interface so that the tax return can be submitted digitally, run on a smartphone or tablet, and allow an income tax return to be filed. Since 70 apps met these criteria, the selection was narrowed at random to three web apps, four Android apps, and two iOS apps.
Vulnerabilities disclosed
The BSI does not name any products, however, but focuses instead on potential vulnerabilities that users should pay attention to. Rated at the highest risk level were data transfers to third-party providers, found in five apps, and the use of outdated software with known vulnerabilities, found in three apps.
The BSI also criticized inadequate password policies and cookie configurations, as well as possible user enumeration: attackers could find out user names or email addresses, for example through inconsistent or overly informative feedback from an app during the authentication process (a different response for an unknown account than for a wrong password). Less worrying, but still important: some apps do not yet offer two-factor authentication (2FA).
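The user-enumeration weakness described above, as an added example that is not from the BSI study or any of the apps it examined: a login handler whose error messages reveal whether an account exists, next to a hardened version that answers every failure the same way, plus a small helper a provider could use to check its own handler for the difference. The user store, salt and passwords are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample store: username -> PBKDF2 hash of the password.
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice@example.com": _hash("correct horse battery")}


def login_leaky(username: str, password: str) -> str:
    """Weak: a distinct message for 'no such user' tells the caller which
    addresses are registered, even before any password is known."""
    stored = USERS.get(username)
    if stored is None:
        return "unknown user"
    if not hmac.compare_digest(stored, _hash(password)):
        return "wrong password"
    return "ok"


def login_hardened(username: str, password: str) -> str:
    """Hardened: one generic message for every failure, and the password hash
    is computed in both cases so the response time does not differ either."""
    stored = USERS.get(username)
    candidate = _hash(password)
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    return "ok" if ok else "invalid credentials"


def enumerable(login, known_user: str, unknown_user: str) -> bool:
    """Self-check for a login handler: does its feedback differ between an
    existing and a non-existing account when the password is wrong?"""
    bad_password = "definitely-not-the-password"
    return login(known_user, bad_password) != login(unknown_user, bad_password)
```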
Demands from the BSI and positive feedback from providers
The BSI calls on tax return app providers to check their encryption procedures regularly and to ensure secure, authorized access to their services, for example through 2FA. In addition, the apps should undergo periodic security checks, and third-party providers such as cloud services should be assessed with regard to their security.
The BSI is nonetheless satisfied with the cooperation of the app providers. They were informed about the study in order to raise their awareness of the need to protect consumer data, and their feedback was predominantly positive. Whether the providers actually implement the BSI's IT security requirements for their apps was, however, not part of the study.
(fds)