Love your banking app? It’s probably insecure and full of dodgy code



As with so many aspects of our lives, smartphones have helped us make some serious changes to the way we go about doing our banking. It makes sense too, banking apps are convenient, can be easy to use if done properly and allow their makers to go beyond the scope of traditional internet banking.

But have you ever stopped to wonder exactly how secure your that app you love so much really is? According to security research company IOActive Labs, the most likely answer to that is “not very”.

The research used iPhone/iPad devices to test a total of 40 home banking apps from 60 of the most influential banks in the world and found some pretty big vulnerabilities.

Forty percent of the audited apps did not, for instance, validate the authenticity of SSL certificates presented. This makes them susceptible to Man in The Middle (MiTM) attacks — a form of active eavesdropping in which the attacker makes independent connections with victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

The vast majority of the apps (90%) meanwhile reportedly contained several non-SSL links throughout the application. According to IOActive Labs’ Ariel Sanchez, “this allows an attacker to intercept the traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or similar scam”.

Alarmingly, around half of the apps contained vulnerabilities that, if exposed, would allow attackers to send SMSes and emails via the victim’s device.

Sanchez also warns that a new generation of phishing attacks has become very popular “in which the victim is prompted to retype his username and password ‘“because the online banking password has expired”’. Once that happens that attacker can gain full access to the person’s account and plunder at will.

One example Sanchez identified “allows a false HTML form to be injected which an attacker can use to trick the user into entering their username and password and then send their credentials to a malicious site”.

A number of the apps also reportedly included sensitive information in their log files, which could potentially be dangerous if an attacker managed to get their hands on it.

According to Snachez, some of the banks suffering serious vulnerabilities in their app were notified about them. Unfortunately a lot of these vulnerabilities and exploits aren’t ones that the people using smartphone banking apps can readily avoid and the path to fixing them appears to lie mainly with the financial institutions themselves.



Sign up to our newsletter to get the latest in digital insights. sign up

Welcome to Memeburn

Sign up to our newsletter to get the latest in digital insights.