Audit research on mobile banking applications has found that some do not validate the authenticity of the SSL certificates presented, while others contain non-SSL links throughout the application.
The research by IOActive security consultant Ariel Sanchez of 40 mobile banking apps found that:
- 12.5% of the audited apps did not validate the authenticity of the SSL certificates presented, which makes them susceptible to Man-in-The-Middle (MiTM) attacks;
- 35% of the apps contained non-SSL links throughout the application. This allows an attacker to intercept traffic and inject arbitrary JavaScript/HTML code in an attempt to create fake login prompts or similar scams;
- 30% of the apps did not validate incoming data and were vulnerable to JavaScript injections via insecure UIWebView implementations allowing client-side attacks;
- 42.5% of the apps provided alternative authentication solutions to mitigate the risk of leaking user credentials and impersonation attacks;
- Related to client-side information exposed via system or custom logs, 40% of the apps still leak information about user activity or client-server interactions, such as requests or responses from the server.
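The findings above map onto checks an auditor can run against strings extracted from an app bundle. The script below is an added example, not IOActive's tooling: it triages constructed sample strings into the audit's categories using heuristic patterns (the category names, sample lines and `example-bank.test` host are assumptions, and every hit would still need manual confirmation).

```python
"""Static triage of strings pulled from an iOS banking app bundle, grouped by the
finding categories in the IOActive audit (transport, client-side, logging, storage).
Added example, not IOActive's tooling; the sample strings are constructed."""
import re
from collections import defaultdict

# Heuristic patterns per finding category (assumption: each hit is confirmed by hand)
CHECKS = {
    "non-SSL link":        re.compile(r"\bhttp://[^\s\"']+"),
    "cert validation off": re.compile(
        r"allowInvalidCertificates\s*=\s*YES|setAllowsAnyHTTPSCertificate|NSAllowsArbitraryLoads"),
    "UIWebView JS sink":   re.compile(r"stringByEvaluatingJavaScriptFromString|loadHTMLString"),
    "verbose logging":     re.compile(r"NSLog\(.*(request|response|token|password)", re.I),
    "plaintext storage":   re.compile(r"/Documents/[^\s\"']+\.(sqlite|db|plist|txt)\b"),
}

# Constructed sample lines, resembling `strings` output from a decrypted binary
SAMPLE = """\
https://api.example-bank.test/v1/login
http://cdn.example-bank.test/terms.html
manager.securityPolicy.allowInvalidCertificates = YES;
[webView stringByEvaluatingJavaScriptFromString:script];
NSLog(@"response body: %@", body);
/Documents/accounts.sqlite
https://api.example-bank.test/v1/activate
"""


def triage(text: str) -> dict:
    """Return {category: [matching lines]} for every heuristic that fires."""
    hits = defaultdict(list)
    for line in text.splitlines():
        for name, pattern in CHECKS.items():
            if pattern.search(line):
                hits[name].append(line.strip())
    return dict(hits)


if __name__ == "__main__":
    for category, lines in triage(SAMPLE).items():
        print(f"[{category}]")
        for line in lines:
            print("   ", line)
```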
The research followed an investigation conducted by Sanchez in January 2014; comparing the two, he found that security had increased over the two years, with 15% of the apps having jailbreak protection to detect jailbroken devices and advise end users of the risk.
However, 15% of the apps store unencrypted, sensitive information in the file system via SQLite databases or other plaintext files. Sanchez said that in the two years between his studies, most of the apps had improved transport security by properly validating SSL certificates or removing plain-text traffic, but a high number of apps still store data insecurely in their file system and many remain susceptible to client-side attacks.
He also found that few apps provided alternative authentication solutions, with most offering only username and password for authentication. In 2014, Sanchez found that 20% of the apps sent account activation codes through plain-text communication (HTTP).
“While overall security has increased over the two-year period, it is not enough, and many apps remain vulnerable,” he said.