Mobile banking is convenient, but is it safe? A report from security-assessment firm IOActive suggests that most mobile banking apps for iPhone and iPad are full of flaws.
IOActive researcher Ariel Sanchez recently studied the security features of 40 mobile banking apps for iOS, including the apps used by some of the world's leading financial institutions.
For his analysis, Sanchez looked at several key security features, including how the apps communicated with servers, how they stored data locally, which additional layers of security each app had in place, what kind of information they exposed through logs and whether the apps' code contained vulnerabilities.
All of the apps that Sanchez tested could be installed and run on jailbroken devices, which have been modified by the user to accept apps unauthorized by Apple. Running an app on a jailbroken device lets attackers circumvent the security features built into iOS and access the restricted resources of other apps on a user's device.
In an IOActive blog post outlining his research, Sanchez noted that 40 percent of the apps tested had compromised transport mechanisms — a vulnerability that leaves app users susceptible to man-in-the-middle attacks. In such attacks, users may be redirected to malicious sites where their login information can be stolen.
Man-in-the-middle attacks are more easily carried out on untrusted networks — such as Wi-Fi hotspots — making mobile banking from a coffee shop seem less a convenience and more of a nightmare waiting to happen.
In his blog post, Sanchez notes that phishing attacks that utilize cross-site scripting have become very popular lately, often resulting in the theft of a victim's login credentials. In a typical attack, the user might be asked to reenter his or her username and password "because the online banking session has expired." In the case of mobile banking, such an attack can give cybercriminals full access to a customer's bank accounts.
Two-factor authentication (also known as two-step verification) — a popular security feature used by sites such as Google, Facebook, Twitter and LinkedIn — could certainly help mitigate the risk of impersonation attacks, Sanchez wrote.
Yet this feature is noticeably absent from most of the apps tested, with only 30 percent of the mobile-banking apps in the study offering some form of alternative authentication solution.
In addition to the lack of two-step verification, Sanchez found that some mobile banking apps leak sensitive information via system logs and crash reports. The data intercepted from certain apps' crash reports, he found, could be used by an attacker to build a targeted exploit or malware package — another potential nightmare for mobile banking customers.
While Sanchez didn't identify the specific apps he found to be vulnerable, he did say that at least some of the banks whose apps he tested had been notified of his findings.
In his blog post, Sanchez offered some recommendations for developers of mobile banking apps to consider in the future. These include tightening the security of transfer protocols for all connections made with such apps, enforcing SSL certificate checks by the client application, encrypting data using iOS's own data protection, improving checks for detecting jailbroken devices and removing all development code from the production application.
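The "enforce SSL certificate checks in the client" recommendation, shown as an added Swift example (not code from IOActive or from any of the apps studied): a URLSession delegate that performs the standard chain and hostname validation and then pins the server's leaf certificate, with the accept-anything pattern behind a "compromised transport mechanism" noted as the thing to avoid. The pinned digest value is a placeholder, and the leaf-pinning choice is an assumption; a bank would pick its own pinning and rotation strategy.

```swift
import Foundation
import Security
import CryptoKit

/// Refuses any TLS connection whose leaf certificate is not one the app ships with,
/// on top of the chain and hostname validation iOS already performs.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    /// Base64 SHA-256 digests of the DER-encoded leaf certificate(s) the app trusts.
    /// Placeholder value; replace with the digest of the bank's real certificate.
    private let pinnedDigests: Set<String> = ["PLACEHOLDER_BASE64_SHA256_OF_LEAF_DER"]

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only intercept server-trust challenges; let iOS handle everything else.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // The weak pattern behind a "compromised transport mechanism" is to trust
        // whatever the server presents, i.e. calling
        //   completionHandler(.useCredential, URLCredential(trust: trust))
        // unconditionally. Validate first instead.

        // Step 1: standard validation (chain to a trusted root, expiry, hostname).
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: pin the leaf so a certificate that is "valid" but not the bank's own
        // (e.g. issued by a CA an interceptor controls) is still rejected.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let leafDER = SecCertificateCopyData(leaf) as Data
        let digest = Data(SHA256.hash(data: leafDER)).base64EncodedString()

        // A mismatch means interception or an unplanned certificate rotation; fail closed.
        completionHandler(pinnedDigests.contains(digest) ? .useCredential : .cancelAuthenticationChallenge,
                          pinnedDigests.contains(digest) ? URLCredential(trust: trust) : nil)
    }
}

/// Every request made through this session is subject to the pin check above.
func makeBankingSession() -> URLSession {
    return URLSession(configuration: .ephemeral, delegate: PinnedSessionDelegate(), delegateQueue: nil)
}
```

A failed pin check should also be logged to the app's own telemetry (without the request contents), since repeated failures from one network are a useful signal of interception.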
Until such improvements are implemented, mobile banking customers may want to think twice about whether the convenience of paying bills from an iPhone or iPad is really worth the risk.