Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mobile Banking Apps For iOS Woefully Insecure

Posted by Soulskill on from the raise-your-hand-if-you're-surprised dept.

msm1267 writes "Mobile banking applications fall short on their use of encryption, validation of digital certificates and two-factor authentication, putting financial transactions at risk worldwide. An examination of 40 iOS mobile banking apps from 60 leading banks worldwide revealed a slew of security shortcomings that also included hard-coded development credentials discovered during a static analysis of app binaries. It's a mess, and to date, most of the banks have been informed and none have provided feedback indicating the vulnerabilities were patched."

12 of 139 comments (clear)

  1. feedback by Threni · · Score: 5, Insightful

    How long do you think it'll take them to come back with feedback? They'll need to work out whose fault it was, who they can blame, what they're going to do about it, the impact of blaming the people whose fault it wasn't, and all the time looking good to upper management. Lessons will be learnt, and this will definitely not happen again, just like always.

    1. Re:feedback by buddyglass · · Score: 5, Interesting

      I'm responsible for the Android offering of one such vendor. We currently have about 140 small banks running some version of our app. We try to follow most of the security guidelines outlined in this article, but to give our customers added assurance we pay a security company to analyze the most current version of our app (and our back-end services) every six months or so. Not the one responsible for this article, though I imagine they're a competitor of the one we use. Was a good read. I forwarded it to my boss and the coworkers responsible for our iOS app.

  2. You Must Be Crazy ... by jasnw · · Score: 4, Interesting

    ... to bank from your cellphone. Call me paranoid and old-fashioned (I admit to being both), but if I do on-line banking at all I do it from my own home computer on a wired LAN. OK, so I can't do all the wild-and-crazy things these mobile banking apps allow, but I also am likely to have my money in my bank in my account at the end of the day and not in a bank account in Siberia somewhere.

    1. Re:You Must Be Crazy ... by Anonymous Coward · · Score: 4, Interesting

      I'd argue that on a non-jailbroken iOS device you might be more secure than on your home computer and wired LAN. Your home computer is far more likely to be infected with keylogging malware or similar.

    2. Re:You Must Be Crazy ... by 0123456 · · Score: 5, Interesting

      Who's writing keylogging malware for CentOS?

    3. Re:You Must Be Crazy ... by burne · · Score: 3, Informative

      No need to, it's built into the OS. It even has a nice cli to handle starting, stopping and logging. ttysnoop.

      However, getting sufficient permissions is the hard bit, especially for a remote attacker.

    4. Re:You Must Be Crazy ... by icebike · · Score: 3, Insightful

      The government already has access to my bank account. They don't need to break into my computer to get it.
      .

      (Not discounting they might have broken into my computer for some other reasons).

      --
      Sig Battery depleted. Reverting to safe mode.
  3. Seriously, guys? by fuzzyfuzzyfungus · · Score: 3, Insightful

    So, are these banks' websites just as bad, or did they actually manage to re-implement something worse than just wrapping their site in a suitable stylesheet and calling that 'an app'? If the latter, how do they look themselves in the mirror every morning?

  4. these guys pushed the 4 digit pin by RichMan · · Score: 5, Funny

    The banking people made the glory of the 4 digit decimal PIN authentication a universal standard.
    I am sure they know all about very secure systems and the public domain.

  5. List of Vulnerable Banks / Bank Apps, Please? by IonOtter · · Score: 3, Insightful

    Which banks, please? Can we please have a list of which banks fail basic programming???

    --
    [End Of Line]
    1. Re:List of Vulnerable Banks / Bank Apps, Please? by Anonymous Coward · · Score: 5, Insightful

      While I agree a list would be nice, please don't spread lies that this is "basic" programming. If it were, there wouldn't be so many issues.

      Hardening and securing an application against sophisticated attacks (yes, I know not all of the attacks are 'sophisticated') is a non-trivial piece of work requiring expert knowledge and experience in security programming. I doubt you could do it. I doubt most people here could do it. I consider myself an expert software developer and I doubt I could do it.

      More to the point, spreading the myth that this is "basic" is exactly the sort of attitude that allows these practices to continue. When Joe Graduate hears how "basic" and "easy" this securing software stuff is, from people like you that have no clue, they go off and do it themselves. It's easy, right? Rather than respecting this field for what it is - highly specialized and difficult work - the exact problem that needs solving is perpetuated by your snarky and uninformed attitude.

      So for everybody's sake, just cut the condescending attitude. Thanks.

  6. Re:Relying on internal 'talent' by fuzzyfuzzyfungus · · Score: 4, Insightful

    What surprises me is that TFA mentioned multiple cases of things like failure to validate SSL certs, use of unencrypted assets rendered by the app in ways that could be spoofed dangerously, and similar stuff that wouldn't have gotten past their web people; but apparently are A-OK because it isn't a web browser, it's an 'app' wrapped around the UIWebView class!

    The other things they mention, assorted attacks or failures to mitigate against an attacker with priviledged access to the system, aren't good; but they are both less dangerous (at least to people running stock iOS) and more novel and platform-specific. The first class of bugs, though, should have been solved a decade or more ago when they started dabbling in this 'web' stuff.