Banking apps: insecure and badly written, say researchers
Buggy code, bad security
Security researchers IO Active are warning that many smartphone banking apps are leaky and need to be fixed.
Testing 40 iOS-based banking apps from 60 banks around the world, the research summary is pretty nerve-wracking:
- 40 per cent are vulnerable to man-in-the-middle attacks, because they don't validate the authenticity of SSL certificates presented by the server;
- 20 per cent lacked “Position Independent Executable (PIE) and Stack Smashing Protection enabled”, which IO Active says is used to help mitigate memory corruption attacks;
- Half the apps are vulnerable to cross-site-scripting (XSS) attacks;
- Over 40 per cent leave sensitive information in the system log; and
- Over 30 per cent use hard-coded credentials of some kind.
Most worrying, however, are a couple of 90 per cent statistics: the number of apps that included non-SSL links, and the number that lack jailbreak detection. Even those with detection could still be installed: “All of the applications could be installed on a jailbroken iOS device. This helped speed up the static and black box analysis”, writes IO Active's Ariel Sanchez.
This UIWebView implementation allows a false HTML form to be injected. Source: IO Active
The IO Active post also details a number of other information leaks, including unencrypted data stored in sqlite databases, and information like IP addresses and application paths that could let a determined and skilled attacker draw inferences about the server-side infrastructure the app is talking to.
The research only looked at the client side, Sanchez states, and where possible, IO Active notified banks of the vulnerabilities he identified. ®