Menu
Security analysis of mobile banking apps reveals significant weaknesses

Security analysis of mobile banking apps reveals significant weaknesses

Many apps failed to validate SSL certificates and exposed sensitive information, a researcher from IOActive said

A security analysis of mobile banking apps for iOS devices from 60 financial institutions around the world has revealed that many were vulnerable to various attacks and exposed sensitive information.

Ariel Sanchez, a consultant at security firm IOActive, analyzed how the banking apps communicate with servers, how they store data locally, whether they were compiled with security options, what information they expose through logs and whether they have vulnerabilities in their code.

The researcher found that all tested applications could be installed and run on jailbroken devices. This is a security risk in itself, because jailbreaking circumvents iOS protections and allows apps running on the device to access the restricted resources of other apps that would normally be inaccessible on non-jailbroken devices.

While banking apps generally use SSL encryption for sensitive communications, Sanchez found that 90 percent of the tested apps also initiated several non-encrypted connections during their operation. This allows attackers who can intercept that traffic -- for example on an insecure wireless network -- to inject arbitrary JavaScript or HTML code into it, for example to display fake login prompts to the app's user or to launch other social engineering attacks.

In addition, even when using encryption, 40 percent of the tested apps did not validate the authenticity of digital certificates they received from the server, making them vulnerable to man-in-the-middle attacks using fake certificates.

Fifty percent of the tested apps implemented UIWebView, an iOS feature for displaying Web content in applications, in an insecure way, making them vulnerable to JavaScript injections (cross-site scripting), Sanchez said in a blog post. In some cases, native iOS functionality was exposed to the UIWebView, allowing actions such as sending SMS or emails from the victim's device, he said.

Sanchez presented an example where a rogue HTML form was injected into a vulnerable UIWebView implementation from one of the apps. That form was designed to trick the user into entering their username and password and then send them back to the attacker.

"Another concern brought to my attention while doing the research was that 70% of the apps did not have any alternative authentication solutions, such as multi-factor authentication, which could help to mitigate the risk of impersonation attacks," Sanchez said.

Many apps exposed sensitive information such as usernames and passwords and hidden URL paths that could expose the back-end server structure through the iOS system log. Other apps exposed information through their crash reports, which could help attackers find and develop exploits for them, and some apps had credentials hard-coded directly into their code.

"After taking a close look at the file system of each app, some of them used an unencrypted SQLite database and stored sensitive information, such as details of customer's banking account and transaction history," Sanchez said. "An attacker could use an exploit to access this data remotely, or if they have physical access to the device, could install jailbreak software in order to steal to the information from the file system of the victim's device."

Twenty percent of the tested apps hadn't been compiled with Position Independent Executable (PIE) and Stack Smashing Protection enabled, features that are designed to mitigate the risk of memory corruption attacks.

Sanchez didn't name any of the banks whose applications were found to be vulnerable, but he said some of them had been notified of the findings. A map shared by Sanchez suggests the tested apps have a global distribution, belonging to banks that operate in North America, South America, Europe, Africa, the Middle East, Asia and Australia.

"Home banking apps that have been adapted for mobile devices, such as smart phones and tablets, have created a significant security challenge for worldwide financial firms," Sanchez said. "As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions."

Based on his findings, Sanchez made some recommendations for developers of mobile banking apps, such as ensuring all connections are made using secure transfer protocols; enforcing SSL certificate validation; encrypting sensitive data stored by the applications by using the iOS data protection API; improving jailbreaking detection; obfuscating the assembly code and using antidebugging techniques to slow reverse-engineering attempts; removing debugging statements and information and removing all development information from the final products.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags securitymobile securityAccess control and authenticationencryptionExploits / vulnerabilitiesdata protectionprivacyIOActive

Featured

Slideshows

Reseller News launches inaugural Hall of Fame lunch

Reseller News launches inaugural Hall of Fame lunch

Reseller News welcomed 2015 and 2016 inductees - Darryl Swann, Dave Rosenberg, Gary Bigwood, Keith Watson, Mike Hill and Scott Green - to the inaugural Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed how the channel can collectively work together to benefit New Zealand, the Kiwi skills shortage and the future of the industry. Photos by Maria Stefina.

Reseller News launches inaugural Hall of Fame lunch
Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Show Comments