Ariel Sanchez, a security consultant with IOActive, tested 40 iPhone and iPad banking apps over a period of 40 man-hours. He names neither the apps nor the banks concerned, but has contacted some of the banks and reported the vulnerabilities. Although he doesn't describe the vulnerabilities in any detail, if he can find them so easily, then so could attackers – and many of them are relatively easy to exploit. He published his findings in a blog posting yesterday.
Sanchez conducted tests in six separate areas: transport security, compiler protection, UIWebViews, data storage, logs and binary analysis. In each area he found widespread weaknesses. For example, 40% of the apps do not validate the authenticity of SSL certificates, making them, he says, "susceptible to Man in The Middle (MiTM) attacks."
A full 90% of the apps contain non-SSL links, potentially allowing "an attacker to intercept the traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or similar scam."
50% "are vulnerable to JavaScript injections via insecure UIWebView implementations... allowing actions such as sending SMS or emails from the victim’s device."
70% have no facility for any "alternative authentication solutions, such as multi-factor authentication, which could help to mitigate the risk of impersonation attacks."
"Most of the log files generated by the apps, such as crash reports, exposed sensitive information." Documents leaked by Edward Snowden indicate that the NSA specifically looks for Windows error reports sent over the internet as a potential source for developing new 0-day exploits. Sanchez says the same problem exists with banking apps: "This information could be leaked and help attackers to find and develop 0day exploits with the intention of targeting users of the application."
Some of the apps clearly rely on the device's own security to protect the user's data. "Some of them used an unencrypted Sqlite database and stored sensitive information, such as details of customer’s banking account and transaction history. An attacker could use an exploit to access this data remotely, or if they have physical access to the device, could install jailbreak software in order to steal... the information from the file system of the victim’s device."
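Two of the findings above, non-SSL links and cleartext SQLite storage, can be checked for in an extracted app bundle with a short audit script. The following is an added illustration and not Sanchez's tooling or IOActive's code; the bundle it walks, the file names and the embedded strings are constructed samples.

```python
import os
import re
import tempfile

# Header of an unencrypted SQLite 3 file; an encrypted one starts with random-looking bytes.
SQLITE_MAGIC = b"SQLite format 3\x00"
# Plain http:// (non-TLS) URLs embedded in binaries, plists or resources.
HTTP_URL_RE = re.compile(rb"http://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

def find_plaintext_urls(data: bytes) -> list:
    """Return the distinct http:// URLs found in a byte blob."""
    return sorted({m.decode("ascii", "replace") for m in HTTP_URL_RE.findall(data)})

def is_unencrypted_sqlite(data: bytes) -> bool:
    """True if the blob begins with the cleartext SQLite header."""
    return data.startswith(SQLITE_MAGIC)

def audit_bundle(root: str) -> dict:
    """Walk an extracted app bundle and record both findings per file."""
    findings = {"plaintext_urls": {}, "unencrypted_sqlite": []}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            urls = find_plaintext_urls(data)
            if urls:
                findings["plaintext_urls"][rel] = urls
            if is_unencrypted_sqlite(data):
                findings["unencrypted_sqlite"].append(rel)
    return findings

def build_sample_bundle() -> str:
    """Constructed sample bundle (not a real app) so the script runs stand-alone."""
    root = tempfile.mkdtemp(prefix="bank_app_")
    os.makedirs(os.path.join(root, "Documents"))
    with open(os.path.join(root, "BankApp"), "wb") as fh:  # fake binary with embedded strings
        fh.write(b"\xcf\xfa\xed\xfe\x00https://api.example-bank.test/login\x00"
                 b"http://cdn.example-bank.test/terms.html\x00")
    with open(os.path.join(root, "Documents", "accounts.db"), "wb") as fh:
        fh.write(SQLITE_MAGIC + b"\x10\x00" + b"\x00" * 30)  # cleartext database
    return root

if __name__ == "__main__":
    result = audit_bundle(build_sample_bundle())
    for path, urls in result["plaintext_urls"].items():
        print(f"[non-TLS link] {path}: {', '.join(urls)}")
    for path in result["unencrypted_sqlite"]:
        print(f"[cleartext SQLite] {path}")
```

The URL check only catches literal strings; URLs assembled at runtime need a dynamic test, and the SQLite check tells cleartext from encrypted only by the file header.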
But one of his more worrying findings came from disassembling the apps themselves. He used the IDA PRO disassembler tool with the Clutch decryption tool. "A combination of decrypted code and code disassembled with IDA PRO was used to analyze the application," he explains; and what he found was hardcoded development credentials within the code. "By using hardcoded credentials," he says, "an attacker could gain access to the development infrastructure of the bank and infest the application with malware causing a massive infection for all of the application’s users."
His research comes at a vital time. Banks are promoting the use of mobile banking as a competitive differentiator, but they clearly need to do more to protect their customers. "Home banking apps that have been adapted for mobile devices, such as smart phones and tablets, have created a significant security challenge for worldwide financial firms. As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions," warns Sanchez.