Two Thirds of Personal Banking Apps Found Full of Vulnerabilities

Share

Related Links

Top 5 Stories

News

Two Thirds of Personal Banking Apps Found Full of Vulnerabilities

09 January 2014

A researcher looked at the security of home banking apps, and found shocking results. Forty home banking apps from the top 60 most influential banks in the world were tested and found to have major security weaknesses.

Ariel Sanchez, a security consultant with IOActive, tested 40 iPhone and iPad banking apps over a period of 40 man-hours. He doesn't name the apps nor the banks concerned, but has contacted some of the banks and reported the vulnerabilities. Although he doesn't describe the vulnerabilities in any detail, if he can find them so easily, then so could attackers – and many of them are relatively easily exploitable. He published his findings in a blog posting yesterday.

Sanchez conducted tests in six separate areas: transport security, compiler protection, UIWebViews, data storage, logs and binary analysis. In each area he found widespread weaknesses. For example, 40% of the apps do not validate the authenticity of SSL certificates, making them, he says, "susceptible to Man in The Middle (MiTM) attacks."

A full 90% of the apps contain non-SSL links, potentially allowing "an attacker to intercept the traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or similar scam."

50% "are vulnerable to JavaScript injections via insecure UIWebView implementations... allowing actions such as sending SMS or emails from the victim’s device."

70% have no facility for any "alternative authentication solutions, such as multi-factor authentication, which could help to mitigate the risk of impersonation attacks."

"Most of the log files generated by the apps, such as crash reports, exposed sensitive information." Documents leaked by Edward Snowden indicate that the NSA specifically looks for Windows error reports sent over the internet as a potential source for developing new 0-day exploits. Sanchez says the same problem exists with banking apps: "This information could be leaked and help attackers to find and develop 0day exploits with the intention of targeting users of the application."

Some of the apps clearly rely on the device's own security to protect the user's data. "Some of them used an unencrypted Sqlite database and stored sensitive information, such as details of customer’s banking account and transaction history. An attacker could use an exploit to access this data remotely, or if they have physical access to the device, could install jailbreak software in order to steal... the information from the file system of the victim’s device."

But one of his more worrying findings came from disassembling the apps themselves. He used the IDA PRO disassembler tool with the Clutch decryption tool. "A combination of decrypted code and code disassembled with IDA PRO was used to analyze the application," he explains; and what he found was hardcoded development credentials within the code. "By using hardcoded credentials," he says, "an attacker could gain access to the development infrastructure of the bank and infest the application with malware causing a massive infection for all of the application’s users."

His research comes at a vital time. Banks are promoting the use of mobile banking as a competitive differentiator, but they clearly need to do more to protect their customers. "Home banking apps that have been adapted for mobile devices, such as smart phones and tablets, have created a significant security challenge for worldwide financial firms. As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions," warns Sanchez.

This article is featured in:
Application Security  •  Internet and Network Security  •  Malware and Hardware Security  •  Wireless and Mobile Security

 

Comments

JBLCrypto says:

29 January 2014
Some of the issues addressed can be mitigated by using state of the art code protection technology to detect jail broken devices before allowing the app to launch, to hide secrets (cryptographic keys), protect logs and other data that should never be in the clear within the applications and otherwise hamper application reverse engineering efforts. Cryptanium provides such a suite of state of the art code protection tools.

See our blogpost at https://www.cryptanium.com/blog/mobile_banking_and_mobile_payment_apps_vulnerabilities_exposed responding to Mr. Sanchez's study and visit us January 28-31 at Booth #232 at the Mobile Payment Conference (http://mobilepaymentconference.com/) and February 5-6 at Stand #82 at Appsworld (http://www.apps-world.net/northamerica/).

Note: The majority of comments posted are created by members of the public. The views expressed are theirs and unless specifically stated are not those Elsevier Ltd. We are not responsible for any content posted by members of the public or content of any third party sites that are accessible through this site. Any links to third party websites from this website do not amount to any endorsement of that site by the Elsevier Ltd and any use of that site by you is at your own risk. For further information, please refer to our Terms & Conditions.

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×