Most iPhone Banking Apps Have Security Flaws

Mobile banking is convenient, but is it safe? A report from security-assessment firm IOActive suggests that most mobile banking apps for iPhone and iPad are full of flaws.

IOActive researcher Ariel Sanchez recently studied the security features of 40 mobile banking apps for iOS, including the apps used by some of the world's leading financial institutions.

For his analysis, Sanchez looked at several key security features, including how the apps communicated with servers, how they stored data locally, which additional layers of security each app had in place, what kind of information they exposed through logs and whether the apps' code contained vulnerabilities.

All 40 apps could be installed and run on jailbroken devices, which have been modified to remove Apple's restrictions on what code may run; none of them refused to operate there. On a jailbroken device, malware or an attacker with the phone in hand can bypass the iOS sandbox and read the files, keychain items and memory of other apps, which is why apps that move money usually try to detect that state.

MORE: 10 Pros and Cons of Jailbreaking Your iPhone or iPad

In an IOActive blog post outlining his research, Sanchez reported that 40 percent of the apps tested had weak transport security, such as not properly validating the SSL certificate the server presents. That leaves users open to man-in-the-middle attacks: an attacker on the network path presents a forged certificate, decrypts and alters the traffic, and can redirect the user to a fake login page that captures his or her credentials.

Man-in-the-middle attacks are easiest on networks the attacker controls or shares, such as public Wi-Fi hotspots, which makes mobile banking from a coffee shop look less like a convenience and more like a problem waiting to happen.
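To make the certificate-validation finding concrete, here is an added example, not code from IOActive's study or from any of the apps tested; the bank hostname and the certificate assumed to ship in the app bundle are assumptions. It shows the 2014-era NSURLConnection delegate pattern that accepts whatever certificate the server presents, beside a version that evaluates the chain and pins the leaf certificate.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// INSECURE: the shape behind the "no SSL certificate checks" finding. Whatever
// certificate the server (or a hotspot attacker) presents is accepted, so TLS
// protects against passive sniffing only, not against a man-in-the-middle.
@interface InsecureTrustDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation InsecureTrustDelegate
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    // No SecTrustEvaluate, no hostname check, no pin: trust is granted blindly.
    [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
         forAuthenticationChallenge:challenge];
}
@end

// HARDENED: evaluate the chain against the system trust store (for a
// server-trust challenge this policy also checks the hostname), then require
// the leaf to match the DER certificate shipped inside the app bundle.
@interface PinnedTrustDelegate : NSObject <NSURLConnectionDelegate>
// Assumption: DER bytes of the bank's leaf certificate, loaded from the bundle.
@property (nonatomic, strong) NSData *pinnedLeafDER;
@end

@implementation PinnedTrustDelegate
- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }

    SecTrustRef trust = space.serverTrust;
    SecTrustResultType result = kSecTrustResultInvalid;
    BOOL chainOK = (SecTrustEvaluate(trust, &result) == errSecSuccess) &&
                   (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed);

    BOOL pinOK = NO;
    if (chainOK && SecTrustGetCertificateCount(trust) > 0) {
        SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
        NSData *leafDER = CFBridgingRelease(SecCertificateCopyData(leaf));
        pinOK = [leafDER isEqualToData:self.pinnedLeafDER];
    }

    if (chainOK && pinOK) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
             forAuthenticationChallenge:challenge];
    } else {
        // Fail closed: cancelling aborts the connection before any request
        // body (credentials, transfer details) reaches the unverified peer.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}
@end
```

Pinning the intermediate CA certificate or the server's public key instead of the leaf avoids breaking the app every time the bank renews its certificate. With NSURLSession, which replaced NSURLConnection, the same logic belongs in URLSession:didReceiveChallenge:completionHandler:, and SecTrustEvaluateWithError supersedes SecTrustEvaluate on current iOS.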

Sanchez also found that 90 percent of the banking apps he looked at contained non-SSL links, meaning they loaded at least some content over plain HTTP. Such traffic is neither encrypted nor authenticated, so anyone on the network path can intercept it and inject arbitrary JavaScript or HTML, for example a fake login prompt that harvests usernames and passwords from mobile banking customers.

Fifty percent of the apps Sanchez tested were also vulnerable to JavaScript injection through insecure use of UIWebView, the iOS component for displaying Web content inside an app. In effect these apps are exposed to cross-site scripting: script an attacker controls runs inside the app's Web view with the same access as the bank's own pages, so it can alter what the user sees or capture what the user types.

In his blog post, Sanchez notes that phishing attacks built on cross-site scripting have become very popular lately, often resulting in the theft of a victim's login credentials. In a typical attack, the user is asked to reenter his or her username and password "because the online banking session has expired." In the case of mobile banking, such an attack can give cybercriminals full access to a customer's bank accounts.
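The non-SSL-link and UIWebView findings come down to two habits: loading app content over plain HTTP, and letting the Web view navigate wherever a link or script sends it. The added example below is not code from the study or from any bank; the host name is an assumption. It keeps the vulnerable plain-HTTP load in a comment next to the HTTPS load, and puts one allow-list policy on every navigation the Web view attempts.

```objective-c
#import <UIKit/UIKit.h>

// Assumption: the only host the app's Web content may be served from.
static NSString * const kAllowedHost = @"mobile.bank.example";

@interface BankWebViewController : UIViewController <UIWebViewDelegate>
@property (nonatomic, strong) UIWebView *webView;
@end

@implementation BankWebViewController

- (void)viewDidLoad
{
    [super viewDidLoad];
    self.webView = [[UIWebView alloc] initWithFrame:self.view.bounds];
    self.webView.delegate = self;
    [self.view addSubview:self.webView];

    // VULNERABLE (left commented out): a plain-HTTP link inside the app. Anyone
    // on the network path can rewrite the response, and the injected HTML/JS
    // then renders inside the bank's own app, e.g. as a "session expired" form.
    // NSURL *helpURL = [NSURL URLWithString:@"http://mobile.bank.example/help"];

    NSURL *helpURL = [NSURL URLWithString:@"https://mobile.bank.example/help"];
    [self.webView loadRequest:[NSURLRequest requestWithURL:helpURL]];
}

// One policy for every navigation the Web view attempts (links, redirects,
// frame loads, script-triggered loads): HTTPS to our host, or it is dropped.
- (BOOL)webView:(UIWebView *)webView
shouldStartLoadWithRequest:(NSURLRequest *)request
 navigationType:(UIWebViewNavigationType)navigationType
{
    return [BankWebViewController isAllowedURL:request.URL];
}

+ (BOOL)isAllowedURL:(NSURL *)url
{
    NSString *scheme = [url.scheme lowercaseString];
    NSString *host   = [url.host lowercaseString];
    return [scheme isEqualToString:@"https"] && [host isEqualToString:kAllowedHost];
}

// Never build script from data you did not write. A call like the one below
// turns an attacker-controlled string into code running in the Web view:
//   [self.webView stringByEvaluatingJavaScriptFromString:
//       [NSString stringWithFormat:@"showName('%@')", untrustedName]];
// If native code must hand a value to the page, JSON-encode it and pass it to
// a function the page already defines instead of splicing it into source.
@end
```

The shouldStartLoadWithRequest: callback is not consulted for subresources (scripts, images, stylesheets) of a page that was allowed, so the bank's pages must themselves contain no http:// includes; App Transport Security, introduced in iOS 9, blocks such loads at the network layer by default. WKWebView has since replaced UIWebView and offers the equivalent hook in webView:decidePolicyForNavigationAction:decisionHandler:.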

Two-factor authentication (also known as two-step verification), a popular security feature used by sites such as Google, Facebook, Twitter and LinkedIn, could certainly help mitigate the risk of impersonation attacks, Sanchez wrote, since a stolen username and password alone would no longer be enough to log in.

Yet this feature is noticeably absent from most of the apps tested: only 30 percent of the mobile-banking apps in the study offered some form of alternative authentication.

MORE: How to Turn On Two-Step Verification

In addition to the lack of two-step verification, Sanchez found that some mobile banking apps leak sensitive information through system logs and crash reports. Data recovered from the crash reports of certain apps could help an attacker build a targeted exploit or malware package, another potential nightmare for mobile banking customers.

While Sanchez didn't identify the specific apps he found to be vulnerable, he did say that at least some of the banks whose apps he tested had been notified of his findings.

In his blog post, Sanchez offered some recommendations for developers of mobile banking apps to consider in the future. These include tightening transport security for every connection the app makes, enforcing SSL certificate checks in the client application, encrypting stored data with iOS's own data protection, improving checks for detecting jailbroken devices and removing all development code from the production build.
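Two of those recommendations, jailbreak detection and iOS data protection, in an added example that is not code from the study or from any bank. The file paths are the usual artifacts a jailbreak leaves behind; the write probe and the fork() probe work because the app sandbox denies both to a normal app. The probe path and the label strings are assumptions.

```objective-c
#import <Foundation/Foundation.h>
#include <unistd.h>

// Jailbreak detection is a signal, not a security boundary: on a jailbroken
// device the attacker can hook these very calls (Cydia Substrate tweaks do
// exactly that). Use the result to deny the riskiest operations or warn the
// user, and keep the real controls (limits, step-up auth) on the server.
@interface DeviceIntegrity : NSObject
+ (NSArray<NSString *> *)jailbreakIndicators;
+ (BOOL)writeProtectedData:(NSData *)data toPath:(NSString *)path error:(NSError **)error;
@end

@implementation DeviceIntegrity

+ (NSArray<NSString *> *)jailbreakIndicators
{
    NSMutableArray<NSString *> *hits = [NSMutableArray array];
    NSFileManager *fm = [NSFileManager defaultManager];

    // 1. Files that exist only once a jailbreak has installed its tooling.
    NSArray<NSString *> *paths = @[ @"/Applications/Cydia.app",
                                    @"/Library/MobileSubstrate/MobileSubstrate.dylib",
                                    @"/bin/bash", @"/usr/sbin/sshd",
                                    @"/etc/apt", @"/private/var/lib/apt" ];
    for (NSString *p in paths) {
        if ([fm fileExistsAtPath:p]) {
            [hits addObject:[@"exists:" stringByAppendingString:p]];
        }
    }

    // 2. The sandbox forbids writing outside the app container; if the write
    //    succeeds, the sandbox is no longer intact. (Probe path is an assumption.)
    NSString *probe = @"/private/jailbreak_probe.txt";
    if ([@"x" writeToFile:probe atomically:YES encoding:NSUTF8StringEncoding error:nil]) {
        [fm removeItemAtPath:probe error:nil];
        [hits addObject:@"write-outside-sandbox"];
    }

    // 3. fork() is denied to sandboxed apps (it returns -1); a child pid means
    //    the sandbox is gone. The child exits immediately.
    pid_t pid = fork();
    if (pid >= 0) {
        if (pid == 0) {
            _exit(0);
        }
        [hits addObject:@"fork-succeeded"];
    }
    return hits;
}

// iOS data protection: with NSFileProtectionComplete the file is encrypted
// under a key derived from the device passcode and cannot be read while the
// device is locked, even by someone who images the flash storage.
+ (BOOL)writeProtectedData:(NSData *)data toPath:(NSString *)path error:(NSError **)error
{
    return [data writeToFile:path
                     options:(NSDataWritingAtomic | NSDataWritingFileProtectionComplete)
                       error:error];
}

@end
```

An empty array from jailbreakIndicators means "nothing found", not "device is clean". Data protection only helps if the user has a passcode set, and the keychain offers the matching kSecAttrAccessibleWhenUnlocked class for secrets such as session tokens, which should never be written to logs or to unprotected files in the first place.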

Until such improvements are implemented, mobile banking customers may want to think twice about whether the convenience of paying bills from an iPhone or iPad is really worth the risk.

Follow Elizabeth Palermo @techEpalermo on Facebook or on Google+. Follow us @tomsguide on Facebook or on Google+.

Comment from the forums
  • JBLCrypt
    Some of the issues addressed can be mitigated by using state-of-the-art code protection technology to detect jailbroken devices before allowing the app to launch, to hide secrets (cryptographic keys), protect logs and other data that should never be in the clear within the applications and otherwise hamper application reverse-engineering efforts. Cryptanium provides such a suite of state-of-the-art code protection tools. See our blog post at https://www.cryptanium.com/blog/mobile_banking_and_mobile_payment_apps_vulnerabilities_exposed responding to Mr. Sanchez's study.