I work for a descent size bank and we tried Mercury Application Mapping (bought out my HP). It uses nmap which security freaked out over. Once it goes out and finds everything, it draws lines to and from each component. It does this by looking at certain config files in each app (web, app, db, etc.) which was cool but permissions were a hassle. In the long run it took quite a lot of effort to get anything out of the package and we eventually scrapped it completely. It costs big bucks or at least it did for us and not it sits somewhere not being used...that never happens of course.
It's hard to believe that anyone can write a mobile banking app for say Wells Fargo, not even saying they are Wells Fargo in the developer's name field and Google blindly let's it through the gate. I can only hope this mind boggling slip up isn't how they handle our data.
http://slashdot.org/submission/1146708/mobile-phone-banking-apps-for-fun-and-profit?art_pos=2...writes "While checking out Google's Android app store I searched for a banking app to use with my bank. I was surprised to see three mobile apps listed and none of them released from the bank itself. I cannot say what any of these apps are doing behind the scenes for sure but the mobile app could certainly swipe your credentials and connect you to the bank at the same time a lot more convincingly than any phishing site could. Is this the beginning of mobile app phishing? It's hard to believe nobody at the app store end is checking to see if the app has been legitimately released/signed from the actual bank it's representing. It makes me wonder what other apps are out there mining people's personal data, phishing, etc. and what can be done about this potential risk to safeguard the general public? Has anyone else run into similar situations? Anti-phishing software like Nokia's Free Anti-Phishing app or mobile Safari's similar feature wouldn't protect the mobile user from an application doing something in via code behind the scenes. Perhaps only a code walk-through or a legit certificate would remedy this situation. Any thoughts?"
Slashdot Mirror
I work for a descent size bank and we tried Mercury Application Mapping (bought out my HP). It uses nmap which security freaked out over. Once it goes out and finds everything, it draws lines to and from each component. It does this by looking at certain config files in each app (web, app, db, etc.) which was cool but permissions were a hassle. In the long run it took quite a lot of effort to get anything out of the package and we eventually scrapped it completely. It costs big bucks or at least it did for us and not it sits somewhere not being used...that never happens of course.
LOL nice! thanks for the kind words stranger
It's hard to believe that anyone can write a mobile banking app for say Wells Fargo, not even saying they are Wells Fargo in the developer's name field and Google blindly let's it through the gate. I can only hope this mind boggling slip up isn't how they handle our data.
http://slashdot.org/submission/1146708/mobile-phone-banking-apps-for-fun-and-profit?art_pos=2 ...writes "While checking out Google's Android app store I searched for a banking app to use with my bank. I was surprised to see three mobile apps listed and none of them released from the bank itself. I cannot say what any of these apps are doing behind the scenes for sure but the mobile app could certainly swipe your credentials and connect you to the bank at the same time a lot more convincingly than any phishing site could. Is this the beginning of mobile app phishing? It's hard to believe nobody at the app store end is checking to see if the app has been legitimately released/signed from the actual bank it's representing. It makes me wonder what other apps are out there mining people's personal data, phishing, etc. and what can be done about this potential risk to safeguard the general public? Has anyone else run into similar situations? Anti-phishing software like Nokia's Free Anti-Phishing app or mobile Safari's similar feature wouldn't protect the mobile user from an application doing something in via code behind the scenes. Perhaps only a code walk-through or a legit certificate would remedy this situation. Any thoughts?"
MacOS X as in Xcept the future
nice!