Personal banking apps leak info through phone

An IOActive researcher used iPhones and iPads to test 40 home banking apps from the top 60 most influential banks in the world (for countries included in research see the map above). The testing found that 90% of the apps contain non-SSL links, enabling any attacker to intercept traffic and inject code in an attempt to create a fake login prompt or similar scam.

“For several years I have been reading about flaws in home banking apps, but I was skeptical. To be honest, when I started this research I was not expecting to find any significant results. The goal was to perform a black box and static analysis of worldwide mobile home banking apps.”, says Ariel Sanchez, the author of the research.

After 40 hours (non-consecutive) of research, Sanchez finds out that many of the world’s biggest banks have serious security flaws in their mobile apps which could leave customers – and the banks themselves – vulnerable to attackers.

Many of the apps (90%) contained several non-SSL links throughout the application. “This allows an attacker to intercept the traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or similar scam.”, according to Sanchez.

Moreover, it was found that 50% of the apps are vulnerable to JavaScript injections via insecure UIWebView implementations. In some cases, the native iOS functionality was exposed, allowing actions such as sending SMS or emails from the victim’s device.

Many apps – 40% – do not validate the authenticity of SSL certificates presented, leaving them open to man-in-the-middle attacks. Nearly three quarters also don’t have multi-factor authentication, which could help to mitigate the risk of impersonation attacks.

“Another concern brought to my attention while doing the research was that 70% of the apps did not have any alternative authentication solutions, such as multi-factor authentication, which could help to mitigate the risk of impersonation attacks.

Most of the logs files generated by the apps, such as crash reports, exposed sensitive information. This information could be leaked and help attackers to find and develop 0day exploits with the intention of targeting users of the application.”, added Sanchez.

Also, the analyst pointed out that a new generation of phishing attacks has become very popular in which the victim is prompted to retype his username and password “because the online banking password has expired”. The attacker steals the victim’s credentials and gains full access to the customer’s account.

As a final comment, the researcher calls for more security: “Home banking apps that have been adapted for mobile devices, such as smart phones and tablets, have created a significant security challenge for worldwide financial firms. As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions.”

All tests were only performed on the application (client side); the research excluded any server-side testing. Some of the affected banks were contacted and the vulnerabilities reported.