Report: Major Security Flaws in Top 90% of iOS Mobile Banking Apps

Mobile banking sure is convenient, but we could all end up paying for that convenience, quite literally. With most Americans carrying smartphones these days, most Americans are also using mobile banking apps to check balances, pay bills and the like. One would assume that a mobile banking app would come with some major, heavy-duty security, right? Like the armored truck of software. Right?

Wrong, says a new study published by security researcher Ariel Sanchez of IOActive Labs. Sanchez’s study found that 90% of mobile banking apps have some pretty gaping holes in them that could allow outsiders access to your most personal of personal data. Aside from those naked selfies.

In the report, Sanchez tested the iOS versions of 40 mobile banking apps from the top 60 most influential banks in the world. Sanchez completed the tests in just 40 hours, covering areas such as data storage, logging, transport security and compiler protection.

Here are just a few of Sanchez’s findings:

“Many of the apps (90%) contained several non-SSL links throughout the application. This allows an attacker to intercept the traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or similar scam. Moreover, it was found that 50% of the apps are vulnerable to JavaScript injections via insecure UIWebView implementations. In some cases, the native iOS functionality was exposed, allowing actions such as sending SMS or emails from the victim’s device.”

Sanchez also warns of a new generation of phishing, in which the attack takes the form of a prompt asking the user to re-enter their password “because the online banking password has expired.” After an attack like that, the attacker has full access to your mobile banking app and account information.


On top of that, Sanchez found that 70% of the apps did not use multi-factor authentication, a simple step in ensuring one's sensitive data stays safe. Crash reports also revealed sensitive information, increasing the likelihood of exploitation. 20% of the apps use plaintext communication, meaning that your data is plain as day for anyone who intercepts the traffic.
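The non-SSL links and plaintext communication described above are something an app reviewer can check for before release. The audit helper below is an added example (not code from the IOActive report or from this article): it scans the files of an unpacked iOS .app bundle for hard-coded URLs and separates plaintext http:// endpoints from https:// ones and from XML namespace references. The bank host names and the sample binary strings are constructed.

```python
"""Added audit helper: flag hard-coded non-SSL (http://) links in an unpacked
iOS .app bundle. Not from the IOActive report; sample data is constructed."""
import os
import re

# Match http:// and https:// URLs inside arbitrary binary or text data.
# The path part stops at control bytes, whitespace and common delimiters.
URL_RE = re.compile(rb'(https?)://([A-Za-z0-9.-]+)([^\x00-\x20"\'<>)]*)')

# XML namespace / DTD hosts appear in nearly every binary and are usually not
# live endpoints; they are reported separately rather than silently dropped.
NAMESPACE_HOSTS = {b"www.w3.org", b"schemas.xmlsoap.org", b"www.apple.com"}


def audit_bytes(blob: bytes) -> dict:
    """Classify every URL in `blob` as plaintext, https or namespace reference."""
    result = {"plaintext": set(), "https": set(), "namespace": set()}
    for scheme, host, rest in URL_RE.findall(blob):
        url = (scheme + b"://" + host + rest).decode("ascii", "replace")
        if host in NAMESPACE_HOSTS:
            result["namespace"].add(url)
        elif scheme == b"http":
            result["plaintext"].add(url)   # candidate for interception / injection
        else:
            result["https"].add(url)
    return {key: sorted(urls) for key, urls in result.items()}


def audit_bundle(app_dir: str) -> dict:
    """Walk an unpacked .app directory (binary, plists, nibs, HTML) and merge findings."""
    merged = {"plaintext": set(), "https": set(), "namespace": set()}
    for root, _dirs, files in os.walk(app_dir):
        for name in files:
            with open(os.path.join(root, name), "rb") as fh:
                for key, urls in audit_bytes(fh.read()).items():
                    merged[key].update(urls)
    return {key: sorted(urls) for key, urls in merged.items()}


# Constructed stand-in for the strings found in a banking app binary.
SAMPLE_BLOB = (
    b"\x00login\x00https://api.example-bank.invalid/v1/session\x00"
    b"http://www.example-bank.invalid/terms.html\x00"   # page loaded in a UIWebView
    b'<plist xmlns="http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
    b"http://static.example-bank.invalid/promo.js\x00"
)

if __name__ == "__main__":
    for url in audit_bytes(SAMPLE_BLOB)["plaintext"]:
        print("PLAINTEXT:", url)
```

Run `audit_bundle("/path/to/Payload/App.app")` against an unzipped IPA to get the same three lists for a real bundle; every entry under "plaintext" is a link the report's first recommendation says should be moved to a secure transport.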

So, what steps can we as consumers take to protect ourselves? Not much at the moment, aside from not using mobile banking apps altogether. Sanchez does, however, have some recommendations for mobile app developers, which are as follows:

  • Ensure that all connections are performed using secure transfer protocols
  • Enforce SSL certificate checks by the client application
  • Protect sensitive data stored on the client-side by encrypting it using the iOS data protection API
  • Improve additional checks to detect jailbroken devices
  • Obfuscate the assembly code and use anti-debugging tricks to slow the progress of attackers when they try to reverse engineer the binary
  • Remove all debugging statements and symbols
  • Remove all development information from the production application

The bottom line? Get your act together, big banks. We need more security.


via: BGR, IOActive Labs
