Major Security Holes Found In Mobile Bank Apps
NeverVotedBush writes with this excerpt from CNet:
"A security firm disclosed holes today in mobile apps from Bank of America, USAA, Chase, Wells Fargo and TD Ameritrade, prompting a scramble by most of the companies to update the apps. ... Specifically, viaForensics concluded that: the USAA's Android app stored copies of Web pages a user visited on the phone; TD Ameritrade's iPhone and Android apps were storing the user name in plain text on the phone; Wells Fargo's Android app stored user name, password, and account data in plain text on the phone; Bank of America's Android app saves a security question (used if a user was accessing the site from an unrecognized device) in plain text on the phone; and Chase's iPhone app stores the username on a phone if the user chose that option, according to the report. Meanwhile, the iPhone apps from USAA, Bank of America, Wells Fargo, and Vanguard and PayPal's Android app all passed the security tests and were found to be handling data securely."
Sounds like a win for the iPhone
my karma will be here long after I'm gone
Just because a PayPal app might be handling data correctly doesn't mean another app isn't attaching to the keyboard TTY and sniffing your keystrokes, or accessing data through another mechanism. This is what happened to me on the iPhone with PayPal, and I got ripped off.
This is the risk we take with new technology. Everyone wants to jump on board without really understanding the inherent risks and assuming manufacturers like Apple (who was silent to my forensic evidence) do the right thing or are even capable of auditing every line of code. Early on, I am willing to bet the Apple App Store was rife with programs either inappropriately accessing or outright stealing personal data. Look at what's been going on with Android. There's a market for that stuff -- we must keep that in mind.
The bottom line for me is I will never do any "sensitive" (financial) type work on a mobile device.