Slashdot Mirror


Mobile Banking Apps For iOS Woefully Insecure

msm1267 writes "Mobile banking applications fall short on their use of encryption, validation of digital certificates and two-factor authentication, putting financial transactions at risk worldwide. An examination of 40 iOS mobile banking apps from 60 leading banks worldwide revealed a slew of security shortcomings that also included hard-coded development credentials discovered during a static analysis of app binaries. It's a mess, and to date, most of the banks have been informed and none have provided feedback indicating the vulnerabilities were patched."
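The hard-coded credentials and weak certificate validation described in the summary are the sort of thing a first pass of static analysis over a binary's printable strings surfaces. What follows is an added example written for this page, not code from the article, the researchers, or any bank or vendor: it extracts printable ASCII runs from a constructed byte blob that stands in for an app binary (the blob, its hostnames and its credentials are made up), then flags credential-looking strings, cleartext http:// endpoints, and API names that are commonly tied to turning off TLS certificate checks. The marker list and the regular expressions are assumptions chosen for illustration, not an exhaustive rule set.

```python
"""Toy static-analysis pass over an app binary's printable strings.

Added example (not from the article or any vendor). Pulls printable ASCII
runs out of a byte blob, the way `strings` would from a Mach-O __cstring
section, and flags the three problem classes the summary lists: hard-coded
credentials, cleartext endpoints, and certificate-validation bypass APIs.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for a binary: junk bytes around NUL-terminated strings.
# Hostnames and credentials are invented for this example.
SAMPLE_BINARY = (
    b"\x00\x01\xfe\xffMainViewController\x00"
    b"https://api.example-bank.test/v2/login\x00"
    b"http://dev.example-bank.test/debug\x00"
    b"dev_user=qa_tester\x00"
    b"password=Summer2014!\x00"
    b"\x7fELF\x00\x00setAllowsAnyHTTPSCertificate:\x00"
    b"Welcome back\x00"
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "credential", "cleartext_endpoint" or "cert_validation"
    value: str   # the extracted string that triggered the finding


# key=value or key:value where the key smells like a credential.
CREDENTIAL_RE = re.compile(
    r"(?i)(pass(word|wd)?|pwd|secret|api[_-]?key|auth[_-]?token|user(name)?)"
    r"\s*[=:]\s*\S+"
)
# Plain http:// URLs; https:// deliberately does not match.
CLEARTEXT_RE = re.compile(r"(?i)^http://")
# API names whose presence usually means certificate checks can be disabled.
# Assumed list for this example; extend it for the networking stack in use.
CERT_BYPASS_MARKERS = (
    "setAllowsAnyHTTPSCertificate:",          # private NSURLRequest selector
    "allowInvalidCertificates",               # AFNetworking AFSecurityPolicy
    "kCFStreamSSLValidatesCertificateChain",  # CFStream SSL setting
)


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def classify(s: str) -> Optional[Finding]:
    """Map one extracted string to a Finding, or None if it looks benign."""
    if CREDENTIAL_RE.search(s):
        return Finding("credential", s)
    if CLEARTEXT_RE.search(s):
        return Finding("cleartext_endpoint", s)
    if any(marker in s for marker in CERT_BYPASS_MARKERS):
        return Finding("cert_validation", s)
    return None


def scan(blob: bytes, min_len: int = 4) -> List[Finding]:
    """Extract strings from blob and return the findings in binary order."""
    findings = []
    for s in extract_strings(blob, min_len):
        finding = classify(s)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_BINARY):
        print(f"{f.kind:20} {f.value}")
```

On a real app the input would be the decrypted Mach-O from the device rather than a literal blob; the string pass is the cheap first step, and every hit still needs manual confirmation of whether the code path is reachable in the shipped build.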

5 of 139 comments

  1. You Must Be Crazy ... by jasnw · Score: 4, Interesting

    ... to bank from your cellphone. Call me paranoid and old-fashioned (I admit to being both), but if I do on-line banking at all I do it from my own home computer on a wired LAN. OK, so I can't do all the wild-and-crazy things these mobile banking apps allow, but I also am likely to have my money in my bank in my account at the end of the day and not in a bank account in Siberia somewhere.

    1. Re:You Must Be Crazy ... by Anonymous Coward · Score: 4, Interesting

      I'd argue that on a non-jailbroken iOS device you might be more secure than on your home computer and wired LAN. Your home computer is far more likely to be infected with keylogging malware or similar.

    2. Re:You Must Be Crazy ... by 0123456 · Score: 5, Interesting

      Who's writing keylogging malware for CentOS?

  2. Re:feedback by icebike · Score: 1, Interesting

    Most of these banks are contracting mobile development out.

    I would bet that 80% of these 60 banks are buying the same moderately customized app(s) from the same vendors.
    I would also suspect there will be similar flaws with the Android versions.

    Given that most banks don't have any in-house mobile development, they are probably all descending on
    the few vendors that wrote and customized these apps, and they will all get fixed about the same time.

    --
    Battery depleted. Reverting to safe mode.
  3. Re:feedback by buddyglass · Score: 5, Interesting

    I'm responsible for the Android offering of one such vendor. We currently have about 140 small banks running some version of our app. We try to follow most of the security guidelines outlined in this article, but to give our customers added assurance we pay a security company to analyze the most current version of our app (and our back-end services) every six months or so. Not the one responsible for this article, though I imagine they're a competitor of the one we use. Was a good read. I forwarded it to my boss and the coworkers responsible for our iOS app.