Stevie Graham: Why I hack mobile banking apps
Sidenote: He's a mite better at redacting than the FBI
QCon One of the highlights of the QCon software development conference in London last week was Stevie Graham's presentation on reverse-engineering mobile banking apps.
"Who's ever wanted a banking API?" Graham asked his audience, mainly developers and including numerous attendees with the names of well-known banks on their badges. A generalised banking API would enable developers to build apps to get to the bank accounts of their end users, but no such thing yet exists. The closest is a third-party service called Yodlee, which works by parsing the HTML of online banking sites, a technique called screen-scraping. "It's slow; it's brittle," said Graham.
Stevie Graham is founder of Teller, a startup which plans to offer a more robust banking API to developers, so that end users of their apps could retrieve past transactions, move money between accounts, and make payments using the Faster Payments Service.
It occurred to Graham that banks already have public-facing APIs, to support their mobile apps. "They're fast, it's structured data, you don't have to parse out this unpredictable crappy HTML. There's high inertia for breaking changes, because it's a mobile channel, if they make a breaking change to the API they break all their mobile clients," he explained.
This is why he set himself the task of analyzing mobile apps from banks like RBS and Barclays to discover how they communicated with their servers.
The technical aspect of Graham's presentation made it compelling. The obvious approach is a man-in-the-middle proxy, where the app communicates with your server believing it is talking to the bank's servers, but this does not work with banking apps, he explained. They use a technique called SSL pinning, where the app carries a copy of the bank's security certificate and verifies that the server it connects to is using that same certificate for encryption; a proxy presenting any other certificate, even one the operating system trusts, is rejected.
There are ways round this, Graham remarked, but it is not worth trying to circumvent it. Instead, he used a technique called method hooking, where the functions of the app itself are augmented by the hacker. Objective-C makes this easy, he said, because of its dynamic dispatch system, which defers the decision about which function to call until runtime. "You can insert shims that decorate or completely replace implementations," he said.
It is not as simple as that though, thanks to steps taken by the banking app developers to make them harder to reverse-engineer.
"Some banks, like Barclays, take numerous steps to obfuscate," Graham said. He did not share all his secrets, but he was able to demonstrate his success, though he said the effort took him most of a year.
Why go to all this trouble, when HM Treasury is already requiring the banks to come up with an Open Banking Standard, and has set up the Open Banking Working Group to proceed with it?
"It's a question of incentives and committee-based design," Graham told the Reg. "If you look at who is represented in that working group, it's pretty much the incumbent banks. There's a few from challenger banks. Banks are an oligopoly – the rational thing for them to do is not to innovate. I feel they will subvert the process. There are so many people involved, so many reasons to stop things happening. Banks will subvert the user experience to stop people using APIs. They could plausibly make the security argument. Security people tend to say, you can't do that, and work from there."
The session itself provided evidence of nervousness on the part of the banks. "Banks are being strong-armed by the government, we've got to publish an API, but they know that is the beginning of the end for them," said one attendee.
The risk for the banks is that if third parties can manage the accounts of their end users programmatically, it diminishes the customer relationship.
"If you focus on building the best possible experience, and own that channel, completely abstracting the banks into dumb pipes, then it doesn't matter where your current account is. You can switch behind the scenes," said Graham.
Might he be thwarted by some revised mobile banking app that he cannot reverse-engineer?
"I have possession of the device. I can see the data that's on the device. If the OS can execute the app, it's possible for a human theoretically to reason about how it works. Barclays maybe want to protect their users from malware. That's a legitimate reason for hardening the apps. I'll still crack them. It's going to be an arms race, a game of whack-a-mole," said Graham.
"I don't want to reverse-engineer apps. I did it as a conversation starter, here's what's possible," he added. He has, perhaps naively, a belief in the democratising power of technology to make life better for ordinary people.
"I have an ideology about what I want to achieve. I fundamentally believe if you are going to do something, it should have a positive impact on the user's life." ®