Security analysis of mobile banking apps reveals significant weaknesses
Many apps failed to validate SSL certificates and exposed sensitive information, a researcher from IOActive said
IDG News Service - A security analysis of mobile banking apps for iOS devices from 60 financial institutions around the world has revealed that many were vulnerable to various attacks and exposed sensitive information.
Ariel Sanchez, a consultant at security firm IOActive, analyzed how the banking apps communicate with servers, how they store data locally, whether they were compiled with security options, what information they expose through logs and whether they have vulnerabilities in their code.
The researcher found that all tested applications could be installed and run on jailbroken devices. This is a security risk in itself, because jailbreaking circumvents iOS protections and allows apps running on the device to access the restricted resources of other apps that would normally be inaccessible on non-jailbroken devices.
In addition, even when using encryption, 40 percent of the tested apps did not validate the authenticity of digital certificates they received from the server, making them vulnerable to man-in-the-middle attacks using fake certificates.
Sanchez presented an example where a rogue HTML form was injected into a vulnerable UIWebView implementation from one of the apps. That form was designed to trick the user into entering their username and password and then send them back to the attacker.
"Another concern brought to my attention while doing the research was that 70% of the apps did not have any alternative authentication solutions, such as multi-factor authentication, which could help to mitigate the risk of impersonation attacks," Sanchez said.
Many apps exposed sensitive information such as usernames and passwords and hidden URL paths that could expose the back-end server structure through the iOS system log. Other apps exposed information through their crash reports, which could help attackers find and develop exploits for them, and some apps had credentials hard-coded directly into their code.
"After taking a close look at the file system of each app, some of them used an unencrypted SQLite database and stored sensitive information, such as details of customer's banking account and transaction history," Sanchez said. "An attacker could use an exploit to access this data remotely, or if they have physical access to the device, could install jailbreak software in order to steal to the information from the file system of the victim's device."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Survey Report: Mobile Content Security and Productivity Read this report to learn how important mobile access is to users, how likely they are to by-pass authorized systems, how compliant current...
- Enterprise Mobility Management: A Data Security Checklist This document presents a checklist of features organizations should review when evaluating a data security solution as part of an enterprise mobility management...
- BYOD File Sharing - Go Private Cloud to Mitigate Data Risks Read this whitepaper to learn the security risks associated with not having an IT endorsed file sharing solution, and why your organization should...
- Mobile Device Management Buyers Guide Mobile device management (MDM) solutions allow IT organizations to centrally manage, monitor and support mobile devices. In this guide, you'll learn what you...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Mobile Security White Papers | Webcasts