Security analysis of mobile banking apps reveals significant weaknesses

Many apps failed to validate SSL certificates and exposed sensitive information, a researcher from IOActive said

By Lucian Constantin, IDG News Service |  Security

A security analysis of mobile banking apps for iOS devices from 60 financial institutions around the world has revealed that many were vulnerable to various attacks and exposed sensitive information.

Ariel Sanchez, a consultant at security firm IOActive, analyzed how the banking apps communicate with servers, how they store data locally, whether they were compiled with security options, what information they expose through logs and whether they have vulnerabilities in their code.

The researcher found that all tested applications could be installed and run on jailbroken devices. This is a security risk in itself, because jailbreaking circumvents iOS protections and allows apps running on the device to access the restricted resources of other apps that would normally be inaccessible on non-jailbroken devices.

While banking apps generally use SSL encryption for sensitive communications, Sanchez found that 90 percent of the tested apps also initiated several non-encrypted connections during their operation. This allows attackers who can intercept that traffic -- for example on an insecure wireless network -- to inject arbitrary JavaScript or HTML code into it, for example to display fake login prompts to the app's user or to launch other social engineering attacks.

In addition, even when using encryption, 40 percent of the tested apps did not validate the authenticity of digital certificates they received from the server, making them vulnerable to man-in-the-middle attacks using fake certificates.

Fifty percent of the tested apps implemented UIWebView, an iOS feature for displaying Web content in applications, in an insecure way, making them vulnerable to JavaScript injections (cross-site scripting), Sanchez said in a blog post. In some cases, native iOS functionality was exposed to the UIWebView, allowing actions such as sending SMS or emails from the victim's device, he said.

Sanchez presented an example where a rogue HTML form was injected into a vulnerable UIWebView implementation from one of the apps. That form was designed to trick the user into entering their username and password and then send them back to the attacker.

"Another concern brought to my attention while doing the research was that 70% of the apps did not have any alternative authentication solutions, such as multi-factor authentication, which could help to mitigate the risk of impersonation attacks," Sanchez said.

Many apps exposed sensitive information such as usernames and passwords and hidden URL paths that could expose the back-end server structure through the iOS system log. Other apps exposed information through their crash reports, which could help attackers find and develop exploits for them, and some apps had credentials hard-coded directly into their code.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness