Love your banking app? It’s probably insecure and full of dodgy code



As with so many aspects of our lives, smartphones have changed the way we go about our banking. It makes sense too: banking apps are convenient, easy to use when done properly, and let their makers go beyond the scope of traditional internet banking.

But have you ever stopped to wonder exactly how secure that app you love so much really is? According to security research company IOActive Labs, the most likely answer is “not very”.

The researchers used iPhone and iPad devices to test a total of 40 home banking apps, belonging to 60 of the most influential banks in the world, and found some serious vulnerabilities.

Forty percent of the audited apps did not, for instance, validate the SSL certificate presented by the server. An app that accepts any certificate cannot tell the bank's server from an attacker's, which makes it susceptible to Man in the Middle (MiTM) attacks: a form of active eavesdropping in which the attacker (someone on the same open Wi-Fi hotspot, for example) makes independent connections with both the victim and the bank and relays messages between them. Each side believes it is talking directly to the other over a private connection, when in fact the attacker controls, and can read or alter, the entire conversation.
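The three client configurations below are an added example written for this page in Go; they are not code from the article or from IOActive, and they stand in for the iOS apps the researchers tested. The local `httptest` server plays an attacker's endpoint presenting a certificate that no trusted CA issued. `InsecureClient` reproduces the flaw (validation switched off, so the impostor is accepted), `StrictClient` keeps the default chain and hostname checks and rejects it, and `PinnedClient` trusts only the bank's own certificate. All function names are this example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// StartImpostorServer starts a local HTTPS server whose certificate was not
// issued by any CA the operating system trusts. It stands in for an
// attacker-controlled endpoint sitting between the app and the bank.
func StartImpostorServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// A real attacker would serve a look-alike login page here.
		fmt.Fprint(w, "<form>fake login</form>")
	}))
}

// InsecureClient reproduces the flaw found in 40% of the audited apps:
// certificate validation is switched off, so any certificate is accepted.
func InsecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// StrictClient keeps the default validation: the chain must lead to a trusted
// root and the certificate must match the host being contacted.
func StrictClient() *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{}}}
}

// PinnedClient trusts exactly one certificate, the way a banking app can pin
// its own backend and refuse every other issuer, trusted by the OS or not.
func PinnedClient(trusted *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
}

// Fetch performs a GET with the given client and returns the TLS or HTTP
// error, or nil if the response body was read successfully.
func Fetch(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	_, err = io.ReadAll(resp.Body)
	return err
}

func main() {
	srv := StartImpostorServer()
	defer srv.Close()

	fmt.Println("no validation :", Fetch(InsecureClient(), srv.URL))                    // nil: impostor accepted
	fmt.Println("default checks:", Fetch(StrictClient(), srv.URL))                      // x509 error: rejected
	fmt.Println("pinned        :", Fetch(PinnedClient(srv.Certificate()), srv.URL)) // nil: the pinned server
}
```

Only the insecure client completes the request to the impostor; the strict client fails the handshake with an "unknown authority" error, and the pinned client succeeds only because the server it pins is the one answering. Pinning is the stronger control for a banking app, since a compromised or coerced public CA can otherwise still issue a certificate the default checks will accept.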

The vast majority of the apps (90%), meanwhile, reportedly contained several non-SSL links, so parts of their traffic travel unencrypted and unauthenticated. According to IOActive Labs’ Ariel Sanchez, “this allows an attacker to intercept the traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or similar scam”.

Alarmingly, around half of the apps contained vulnerabilities that, if exploited, would allow attackers to send SMSes and emails from the victim’s device.

Sanchez also warns that a new generation of phishing attacks has become very popular, “in which the victim is prompted to retype his username and password ‘because the online banking password has expired’”. Once that happens, the attacker can gain full access to the person’s account and plunder it at will.

One example Sanchez identified “allows a false HTML form to be injected which an attacker can use to trick the user into entering their username and password and then send their credentials to a malicious site”.

A number of the apps also reportedly wrote sensitive information to their log files, which is dangerous if an attacker gets hold of the device, a backup of it, or the logs themselves.

According to Sanchez, some of the banks whose apps suffered serious vulnerabilities were notified about them. Unfortunately, most of these vulnerabilities are not ones that people using smartphone banking apps can readily avoid themselves, and the path to fixing them lies mainly with the financial institutions.
