
iOS banking apps security still not good enough, says researcher

Repeat test throws up improved results from 2013 but problems remain


The security of mobile banking apps has improved over the last two years but there’s still scope for improvement.

Ariel Sanchez, security consultant for IOActive, has revisited research into the topic first conducted two years ago to see if there’s been any improvement.

Although security has increased over the two years, many apps still remain vulnerable.

As before, the research covered 40 mobile banking apps for iOS in use around the world. Sanchez confined himself to looking for client side security weaknesses or vulnerabilities and didn’t include any server-side testing.

His testing methodology is explained in much more detail in a blog post here. IOActive does not name the apps or the banks who released the apps it tested.

Five of the 40 audited apps failed to validate the authenticity of the SSL certificates presented to them, which makes them susceptible to Man-in-the-Middle (MiTM) attacks. And more than a third (35 per cent) of the apps contained non-SSL links throughout the application. This shortcoming would allow an attacker on the network path to intercept traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or attempt similar scams.

In addition, 30 per cent of them failed to validate incoming data, leaving them potentially vulnerable to JavaScript injection. The results may not appear impressive but at least they are an improvement on the results from 2013.
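The two transport findings above (certificates accepted without validation, and plaintext http:// links embedded in the app) are the kind of thing a client-side review checks for first. The following is an added illustration, not code from IOActive or from any of the audited apps: a small Python audit that flags a TLS context that has validation switched off, shows the correctly validating default beside it, and sweeps a blob of extracted app strings for http:// URLs. The sample strings and hostnames are constructed for the example.

```python
"""Added example (not from the article or IOActive): client-side transport checks.

1. audit_tls_context() reports whether an ssl.SSLContext actually verifies the
   server certificate chain and hostname, the property the five failing apps lacked.
2. find_plaintext_links() lists http:// URLs in text pulled out of an app bundle,
   the "non-SSL links" finding that lets a network attacker inject content.
"""
import re
import ssl

# Matches a bare http:// URL up to the next whitespace or quote/bracket character.
HTTP_LINK = re.compile(r'\bhttp://[^\s"\'<>]+', re.IGNORECASE)


def find_plaintext_links(text):
    """Return every plaintext http:// URL found in extracted app strings."""
    return HTTP_LINK.findall(text)


def audit_tls_context(ctx):
    """Return a list of findings for an SSLContext; an empty list means the
    context both verifies the certificate chain and checks the hostname."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate (check_hostname=False)")
    return findings


def insecure_context():
    """The anti-pattern behind the finding: validation disabled, usually a leftover
    from testing against a self-signed development server. check_hostname must be
    cleared before verify_mode, or Python refuses the change."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context():
    """The corrected form: the default context verifies the chain against the
    system trust store and checks the hostname."""
    return ssl.create_default_context()


# Constructed sample: strings as they might be dumped from a hypothetical app bundle.
SAMPLE_STRINGS = """
https://api.example-bank.test/login
http://cdn.example-bank.test/terms.html
http://static.example-bank.test/js/app.js
"""

if __name__ == "__main__":
    for url in find_plaintext_links(SAMPLE_STRINGS):
        print("plaintext link:", url)
    print("insecure context:", audit_tls_context(insecure_context()))
    print("secure context:", audit_tls_context(secure_context()))
```

Both checks are static and cheap, which is why they belong in a build pipeline rather than in a one-off audit: every http:// link in a string table is a candidate for content injection, and a context audit catches the "accept any certificate" shortcut before it ships.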

The testing also covered binary and file system analysis. This phase of the audit revealed that 15 per cent of the apps store sensitive information unencrypted, such as details about customers’ banking accounts and transaction history, in the file system via SQLite databases or other plaintext files.
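A file-system sweep of this kind can be automated. What follows is an added example written for this page, not IOActive's tooling: it builds a constructed app data container containing one SQLite database and two plaintext files, then walks the container, opens each SQLite file read-only and looks for sensitive-looking column names and values, and greps the plaintext files for account and card-number shapes. The detection patterns and the sample data are assumptions for the demonstration; a real audit would tune them to the bank's own formats.

```python
"""Added example (not from the article or IOActive): sweep an app container for
sensitive banking data stored in plaintext, in SQLite databases or flat files."""
import os
import re
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

# Hypothetical detection patterns, chosen for the demo rather than any real bank.
SENSITIVE_COLUMN = re.compile(r"(account|balance|transaction|password|pin)", re.I)
VALUE_PATTERNS = {
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}


def build_sample_container(root):
    """Constructed sandbox: a transaction cache in SQLite plus two flat files,
    one of which holds a card number. The IBAN and card number are test values."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    db = sqlite3.connect(os.path.join(docs, "cache.sqlite"))
    db.execute("CREATE TABLE transactions (id INTEGER, account TEXT, amount REAL, memo TEXT)")
    db.execute("INSERT INTO transactions VALUES (1, 'GB29NWBK60161331926819', -42.10, 'groceries')")
    db.commit()
    db.close()
    with open(os.path.join(docs, "session.plist"), "w") as f:
        f.write('{"card": "4111 1111 1111 1111", "token": "opaque"}')
    with open(os.path.join(docs, "settings.plist"), "w") as f:
        f.write('{"theme": "dark"}')
    return docs


def is_sqlite(path):
    with open(path, "rb") as f:
        return f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def scan_sqlite(path):
    """Flag sensitive column names and sensitive-looking values in every table."""
    findings = []
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        for row in conn.execute(f'PRAGMA table_info("{table}")'):
            if SENSITIVE_COLUMN.search(row[1]):
                findings.append((path, f"table {table}: sensitive column '{row[1]}'"))
        for row in conn.execute(f'SELECT * FROM "{table}" LIMIT 100'):
            text = " ".join(str(v) for v in row)
            for name, pat in VALUE_PATTERNS.items():
                if pat.search(text):
                    findings.append((path, f"table {table}: plaintext {name}"))
    conn.close()
    return findings


def scan_plaintext(path):
    """Grep a flat file (plist, JSON, log) for account and card-number shapes."""
    with open(path, "rb") as f:
        text = f.read().decode("utf-8", errors="ignore")
    return [(path, f"plaintext {name}") for name, pat in VALUE_PATTERNS.items() if pat.search(text)]


def scan_container(root):
    """Walk the container and dispatch each file on its magic bytes."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            findings.extend(scan_sqlite(path) if is_sqlite(path) else scan_plaintext(path))
    return findings


def run_demo():
    """Build the constructed container in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_container(build_sample_container(tmp))


if __name__ == "__main__":
    for path, finding in run_demo():
        print(os.path.basename(path), "->", finding)
```

The point of dispatching on the SQLite magic bytes rather than the extension is that caches are routinely written under names such as `.db`, `.sqlite` or no extension at all; anything the sweep flags is data that should either not be on disk or should be stored through the platform keychain or an encrypted store.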

“Most of the apps have increased transport security of the data by properly validating SSL certificates or removing plaintext traffic,” Sanchez concluded. “This helps mitigate the risk of users being exposed to MiTM attacks.”

“Although the numbers are down overall, there are still a high number of apps storing insecure data in their file system. Many of them are still susceptible to client-side attacks,” he added.

Sanchez added that few of the apps provide alternative authentication solutions, with most relying simply on username and password for authentication. Only 17 of the 40 apps (42.5 per cent) provided alternative authentication solutions to mitigate the risk of leaked user credentials and impersonation attacks. ®
