Ariel Sanchez, a researcher at security assessment company IOActive, recently published a fascinating report on the sort of security you can expect if you do your internet banking on an iPhone or iPad.
The answer, sadly, seems to be, “Very little.”
You should head over to IOActive’s blog to read the whole report.
Sanchez details the results of a series of offline security tests conducted against 40 different iOS banking apps used by 60 different banks in about 20 different countries.
Two problems stood out particularly:
- 70% of the apps offered no support at all for two-factor authentication.
- 40% of the apps accepted any SSL certificate for HTTPS traffic, without validating it at all.
Two-factor authentication
Banks are not alone in embracing and promoting two-factor authentication (2FA), also known as two-step verification.
Sites like Facebook, Twitter, and Outlook.com all offer, and encourage, the practice, for example by sending you an SMS (text message) containing a one-time passcode every time you try to log in.
The extra security this provides is obvious: crooks who steal your regular username and password are out of luck unless they also steal your mobile phone, without which they won’t receive the additional codes they need to log in each time.
You’d think that once a company had gone to the trouble of implementing 2FA for its customers, it would make it available to all its users.
But many of the banks, just like the social networks and webmail services, have let their mobile apps lag behind.
No support for 2FA, however, pales into insignificance when compared to the second problem: no HTTPS certificate validation.
The chain of trust
HTTPS certificates rely on a chain of trust, and validating that chain is important.
Here’s an example of an HTTPS connection, browsing to the “MySophos” download portal using Firefox:
If we click on the [More information...] button, we’ll see that the chain of trust runs as shown below.
GlobalSign vouches for the GlobalSign Extended Validation CA (Certificate Authority), which vouches for Sophos’s claim to own www.sophos.com:
And GlobalSign is trusted directly by Firefox itself, with that trust propagating downwards to Sophos’s HTTPS certificate:
This chain of trust stops anyone who feels like it from blindly tricking users with a certificate that says, “Hey, folks, this is sophos.com, trust us!”
Anyone can create a certificate that makes such a claim, but unless they can also persuade a trusted CA to sign their home-made certificate, you’ll see a warning that something fishy is going on when the imposter tries to mislead you:
Digging further will explain the problem, namely that you have no reason to trust the certificate’s claim that this really is a sophos.com server:
You’ll see a similar warning if you visit the imposter site from your iPhone or iPad, too:
Again, digging further will reveal the untrusted certificate, and expose the deception, making it clear that you aren’t actually dealing with sophos.com at all:
Now remember that in IOActive’s report, 40% of iOS banking apps simply didn’t produce any warnings of that sort when faced with a fake certificate.
You can feed those apps any certificate that claims to validate any website, and the app will blindly accept it.
So, if the banking app is misdirected to a phishing site, for example while you are using an untrusted network such as a Wi-Fi hotspot, you simply won’t know!
In fact, it’s not that you won’t notice, but that you can’t notice, and this is completely unacceptable.
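To make the difference concrete, here is an added example (not code from the original article, and not from IOActive’s report) that builds the sort of chain of trust described above and then plays the two kinds of client against it. It uses only Go’s standard library; the CA names and the hostname online.bank.example are made up for the demonstration. A root CA signs an intermediate CA, which signs the bank’s server certificate; alongside that there is a properly issued certificate for a different name, and a home-made, self-signed certificate that simply claims to be the bank. A client that validates (trusting only the root, as a browser does) accepts the genuine chain and rejects the other two; a client with validation switched off, which is what “accepts any SSL certificate” means in practice, accepts everything. The handshakes run over an in-memory pipe, so nothing touches the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const bankHost = "online.bank.example" // made-up hostname; no real bank or CA is involved

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for cn (a CA, or a server for the name cn) signed by the parent's key; parent == nil means self-signed.
func issue(cn string, isCA bool, serial int64, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if !isCA {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn} // the claim a client has to check against the name it wanted
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// handshake runs a TLS handshake over an in-memory pipe; the server presents serverCert (leaf first) and the result is the client's verdict.
func handshake(serverCert tls.Certificate, client *tls.Config) error {
	server := &tls.Config{Certificates: []tls.Certificate{serverCert}}
	cConn, sConn := net.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		tls.Server(sConn, server).Handshake() // a rejection surfaces as the client's error
		sConn.Close()
	}()
	err := tls.Client(cConn, client).Handshake()
	cConn.Close() // unblocks the server side whether or not the handshake succeeded
	<-done
	return err
}

type Verdicts struct {
	StrictAcceptsGenuine, StrictAcceptsWrongName, StrictAcceptsImpostor bool
	BlindAcceptsGenuine, BlindAcceptsImpostor                           bool
}

// Run builds root -> intermediate -> server, a wrong-name certificate and a self-signed impostor, then offers them to a validating and to a blind client.
func Run() Verdicts {
	root, rootKey := issue("Example Root CA", true, 1, nil, nil)
	inter, interKey := issue("Example Issuing CA", true, 2, root, rootKey)
	leaf, leafKey := issue(bankHost, false, 3, inter, interKey)
	other, otherKey := issue("other.example", false, 4, inter, interKey) // properly issued, wrong name
	fake, fakeKey := issue(bankHost, false, 5, nil, nil)                 // right name, no CA behind it
	genuine := tls.Certificate{Certificate: [][]byte{leaf.Raw, inter.Raw}, PrivateKey: leafKey} // server sends leaf + intermediate
	wrongName := tls.Certificate{Certificate: [][]byte{other.Raw, inter.Raw}, PrivateKey: otherKey}
	impostor := tls.Certificate{Certificate: [][]byte{fake.Raw}, PrivateKey: fakeKey}
	roots := x509.NewCertPool() // trust anchor: the root only, as a browser does
	roots.AddCert(root)
	strict := &tls.Config{ServerName: bankHost, RootCAs: roots, MinVersion: tls.VersionTLS12}
	blind := &tls.Config{ServerName: bankHost, InsecureSkipVerify: true} // "accept any certificate"
	return Verdicts{
		StrictAcceptsGenuine:   handshake(genuine, strict) == nil,
		StrictAcceptsWrongName: handshake(wrongName, strict) == nil,
		StrictAcceptsImpostor:  handshake(impostor, strict) == nil,
		BlindAcceptsGenuine:    handshake(genuine, blind) == nil,
		BlindAcceptsImpostor:   handshake(impostor, blind) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

Two things worth noticing. The server only ever sends the leaf and the intermediate; the root comes from the client’s own trust store, which is exactly why the impostor cannot help itself by shipping a root of its own. And InsecureSkipVerify is simply Go’s name for the switch that every TLS stack has somewhere; an app that flips the equivalent switch in its own HTTP code behaves like the blind client here, however carefully the rest of the app was written.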
The silver lining, I suppose, is that 60% of the 40 apps that IOActive tested did notice bogus HTTPS certificates.
The problem, though, is how you tell which camp your own bank’s app falls into.
If you aren’t sure, it’s probably best just to stick to a full-size computer, and a properly patched browser, for your internet banking.
Ironically, we wrote recently about a move by Dutch banks to set some minimum security standards that they will require customers to follow if they are to qualify for refunds of money stolen through phishing, carding or other forms of online fraud.
Sounds as though there may be a spot of “Physician, heal thyself” needed here…
Usually if you’re using an app in the first place, it’s on your phone, so 2FA featuring an SMS message isn’t going to help much.
True. But many people have, say, an iPad and a phone, and many banks offer token-based 2FA (those keyfobs with a numeric sequence that changes every 30 seconds or so).
In fact, anyone with a Wi-Fi only tablet will have a second device for SMS and voice. So you’d think the banking apps would offer 2FA in some form, albeit with a caveat for SMS or app-based 2FA that you shouldn’t use one device for banking and for authentication.
Sorry, this makes no sense to me.
Just because it is on a phone it should be less secure? Sounds like a great way to get everybody focused on hacking bank accounts through the apps.
It *shouldn’t* be less secure.
But with the banks scrambling to knit their own special-purpose mobile apps, rather than taking advantage of all the security stuff that has been progressively baked into your browser over the past two decades…
…it looks as though there are some lessons in secure programming that are going to have to be learned all over again.
This is why I’m much, much happier to use my token and a browser for my mobile banking needs than resort to rather dodgy looking apps.
Things like security and privacy seem to go out of the window thanks to the desperate rush to have an app for absolutely everything.
I had someone tell me the other day that they had downloaded an application that gives them what seems to be effectively a “secure” single sign on for banking, email, etc….. So, if you’re logged into your phone, it’s a free for all. I was ‘concerned’ to say the least. Supposedly it stores all your passwords and memorable information in its database (not sure where that is stored, whether it’s encrypted or not!?) and you can just access your bank account and any other account that requires authentication directly from this wonderful app.
Just create an app and everyone will trust it with their lives, no need to phish… your net becomes full of ‘catches of the day’ without putting in too much effort.
Problem is, I can’t remember the name of it….. Well, apart from stupid.
IIRC mint.com does this. Horrifying.
All very interesting, but without naming the apps/banks concerned quite useless for Joe User who is otherwise not going to stop using their respective app.
I agree with Matt… to be effective for us users, you need to name names. A nice chart would do the trick. Who’s APP and What Security it comes with. Stats on customers claiming breaches would be nice too. Thanks for the heads up though, Paul.
By federal law cell phone companies are not held to the same security standards as an ISP. Until that is changed cell phones will always be less secure than a hard wired or even an encrypted wifi connection. Ultimately security is your own responsibility. Don’t store any passwords or usernames in any app on your phone, tablet, or computer (MAC included). Talk to your bank about your concerns, most local banks can respond quicker to such issues than the big banks that have huge corporate channels that such requests and concerns must pass through before anyone acts on it.
I stick with local banks and CYA
Are you referring to ‘hybrid’ apps based on HTML5 made to look like native apps, or native apps that use WebView to access critical information?
Two Factor authentication does not mitigate man in the middle attack. One can still break HTTPS and act like a sniffer to get the required contents.
Server never trust clients, but extra care can be added to the clients to ensure that it is talking to a legitimate server. Certificate PINNING will come very handy in ensuring the channel is secure.
Very helpful article and definitely one worth sharing.