Most apps from top banks are insecure

In a study of 40 iOS banking apps from a variety of countries across the world, security apparently wasn’t a requirement!

40% of the audited apps do not bother to validate the authenticity of the SSL certificates presented by the bank’s web back end.

Other than why bother with SSL if you’re not going to use it, skipping this basic check renders apps susceptible to MitM (Man in the Middle) attacks, which any script kiddie can instigate with a basic Google search and minimal skills.

90% of the apps had non-SSL links embedded within the app, which would allow attackers to inject arbitrary code in the form of malformed HTML or JavaScript.

50% of the apps are vulnerable to cross-site scripting (XSS) attacks, and in some cases also had native iOS functionality exposed.

XSS renders the apps vulnerable to JavaScript injection, which could take the form of a phishing attack that tricks victims into retyping their username and password via a fake prompt within the app.

Exposing iOS functionality could allow actions such as sending SMS or emails from the victim’s device.

How to fix it?

Two factor authentication using a dongle, SMS or voice channel.

Oh, and basic security testing of an app would be good as well.
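As an added example (not from the IOActive report or any of the audited apps), here is what that basic testing looks like for the two most common findings above: a TLS client configuration that skips certificate validation, and cleartext http:// links embedded in the app. It uses Python’s ssl module rather than the iOS networking APIs, and the function names are my own.

```python
import ssl
from typing import List
from urllib.parse import urlparse


def make_client_context(strict: bool) -> ssl.SSLContext:
    """Build the TLS context a client uses to reach the bank back end.

    strict=False reproduces the weak pattern behind the 40% finding:
    any certificate, for any host name, is accepted.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check + system CA store
    if not strict:
        ctx.check_hostname = False          # must be cleared before dropping verify_mode
        ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all -> MitM goes unnoticed
    else:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a tester would raise against a client TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (MitM possible)")
    if not ctx.check_hostname:
        findings.append("certificate hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


def find_cleartext_urls(urls: List[str]) -> List[str]:
    """Flag embedded links fetched over plain http (the 90% finding)."""
    return [u for u in urls if urlparse(u).scheme.lower() == "http"]


# Constructed sample: the kind of URL list pulled out of an app bundle's strings.
SAMPLE_URLS = [
    "https://example-bank.invalid/api/login",
    "http://example-bank.invalid/terms.html",     # cleartext: injectable HTML/JS
    "http://cdn.example-bank.invalid/app.js",     # cleartext script: injectable
    "https://example-bank.invalid/help",
]

if __name__ == "__main__":
    print("weak context:", audit_client_context(make_client_context(False)))
    print("hardened context:", audit_client_context(make_client_context(True)))
    print("cleartext links:", find_cleartext_urls(SAMPLE_URLS))
```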

IOActive Labs Research: Personal banking apps leak info through phone.
