Just how secure is that mobile banking app?

Filed Under: Apple, Data loss, Featured, iOS, Phishing, Privacy

Ariel Sanchez, a researcher at security assessment company IOActive, recently published a fascinating report on the sort of security you can expect if you do your internet banking on an iPhone or iPad.

The answer, sadly, seems to be, "Very little."

You should head over to IOActive's blog to read the whole report.

Sanchez details the results of a series of offline security tests conducted against 40 different iOS banking apps used by 60 different banks in about 20 different countries.

Two problems stood out particularly:

  1. 70% of the apps offered no support at all for two-factor authentication.
  2. 40% of the apps accepted any SSL certificate for secure HTTP traffic.

Two-factor authentication

Banks are not alone in embracing and promoting two-factor authentication (2FA), also known as two-step verification.

Sites like Facebook, Twitter, and Outlook.com all offer, and encourage, the practice, for example by sending you an SMS (text message) containing a one-time passcode every time you try to log in.

The extra security this provides is obvious: crooks who steal your regular username and password are out of luck unless they also steal your mobile phone, without which they won't receive the additional codes they need to log in each time.


You'd think that once a company had gone to the trouble of implementing 2FA for its customers, it would make it available to all its users.

But many of the banks, just like the social networks and webmail services, have let their mobile apps lag behind.

No support for 2FA, however, pales into insignificance when compared to the second problem: no HTTPS certificate validation.

The chain of trust

HTTPS certificates rely on a chain of trust, and validating that chain is important.

Here's an example of an HTTPS connection, browsing to the "MySophos" download portal using Firefox:

If we click on the [More information...] button, we'll see that the chain of trust runs as shown below.

GlobalSign vouches for the GlobalSign Extended Validation CA (Certificate Authority), which vouches for Sophos's claim to own www.sophos.com:

And GlobalSign is trusted directly by Firefox itself, with that trust propagating downwards to Sophos's HTTPS certificate:

This chain of trust stops anyone who feels like it from blindly tricking users with a certificate that says, "Hey, folks, this is sophos.com, trust us!"

Anyone can create a certificate that makes such a claim, but unless they can also persuade a trusted CA to sign their home-made certificate, you'll see a warning that something fishy is going on when the imposter tries to mislead you:

Digging further will explain the problem, namely that you have no reason to trust the certificate's claim that this really is a sophos.com server:

You'll see a similar warning if you visit the imposter site from your iPhone or iPad, too:

Again, digging further will reveal the untrusted certificate, and expose the deception, making it clear that you aren't actually dealing with sophos.com at all:

Now remember that in IOActive's report, 40% of iOS banking apps simply didn't produce any warnings of that sort when faced with a fake certificate.

You can feed those apps any certificate that claims to validate any website, and the app will blindly accept it.

So, if the banking app is misdirected to a phishing site, for example while you are using an untrusted network such as a Wi-Fi hotspot, you simply won't know!

In fact, it's not that you won't notice, but that you can't notice, and this is completely unacceptable.
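To make the failure mode concrete, here is an added example, written for this page rather than taken from the article or from IOActive's report. It is Go rather than the apps' own code: the report does not say how each app disabled validation, so Go's crypto/tls InsecureSkipVerify flag stands in for whatever they did. The program builds the same sort of chain shown above (a root vouches for an intermediate CA, which vouches for the server) with throwaway keys, then runs a real TLS handshake over loopback twice: once with a client that checks the chain, and once with a client that trusts whatever it is shown. The host name mobile.bank.example and the CA names are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

const bankHost = "mobile.bank.example" // made-up name for the bank's API endpoint

type certAndKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for name: signed by parent's key as a CA would,
// or self-signed when parent is nil, which is all an imposter can manage.
func issue(name string, isCA bool, parent *certAndKey) *certAndKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // the CA flag below is what a chain walk checks
		IsCA:                  isCA,
	}
	if !isCA {
		tmpl.DNSNames = []string{name} // the name a client's host-name check must match
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer := &certAndKey{tmpl, key}
	if parent != nil {
		signer = parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.cert, &key.PublicKey, signer.key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &certAndKey{cert, key}
}

// buildPKI mirrors the chain in the article (root -> intermediate CA -> server)
// plus an imposter: a self-signed certificate that merely claims the same name.
func buildPKI() (root, inter, leaf, imposter *certAndKey) {
	root = issue("Example Root CA", true, nil)
	inter = issue("Example Extended Validation CA", true, root)
	leaf = issue(bankHost, false, inter)
	imposter = issue(bankHost, false, nil)
	return
}

// verifyChain is what a browser does before showing the padlock: walk from the
// leaf through the intermediates to a root it already trusts, then check the name.
func verifyChain(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, host string) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

// handshake runs a real TLS handshake over loopback: the server presents chain (leaf first),
// the client trusts only root. skipVerify == true is what the report describes: accept anything.
func handshake(chain [][]byte, key *ecdsa.PrivateKey, root *x509.Certificate, skipVerify bool) error {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: chain, PrivateKey: key}}}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	cliCfg := &tls.Config{ServerName: bankHost, RootCAs: roots, InsecureSkipVerify: skipVerify}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	go func() {
		if sConn, err := ln.Accept(); err == nil {
			defer sConn.Close()
			_ = tls.Server(sConn, srvCfg).Handshake() // a failure here surfaces on the client side
		}
	}()
	cConn, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	must(err)
	defer cConn.Close()
	cConn.SetDeadline(time.Now().Add(5 * time.Second))
	return tls.Client(cConn, cliCfg).Handshake()
}
```

With skipVerify set to false, the client refuses the self-signed imposter with an "unknown authority" error before a single byte of application data is sent, and it also refuses the genuine certificate if the host name does not match. With skipVerify set to true the handshake with the imposter completes cleanly, which is exactly the situation the article describes: nothing is wrong with the encryption, but there is no way for the user to tell who is on the other end.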

The silver lining, I suppose, is that 60% of the 40 apps that IOActive tested did notice bogus HTTPS certificates.

The problem, though, is how you tell which camp your own bank's app falls into.

If you aren't sure, it's probably best just to stick to a full-size computer, and a properly patched browser, for your internet banking.

Ironically, we wrote recently about a move by Dutch banks to set some minimum security standards that they will require customers to follow if they are to qualify for refunds of money stolen through phishing, carding or other forms of online fraud.

Sounds as though there may be a spot of "Physician, heal thyself" needed here...


13 Responses to Just how secure is that mobile banking app?

  1. Anonymous · 595 days ago

    Usually if you're using an app in the first place, it's on your phone, so 2FA featuring an SMS message isn't going to help much.

    • Paul Ducklin · 595 days ago

      True. But many people have, say, an iPad and a phone, and many banks offer token-based 2FA (those keyfobs with a numeric sequence that changes every 30 seconds or so).

      In fact, anyone with a Wi-Fi only tablet will have a second device for SMS and voice. So you think the banking apps would offer 2FA in some form, albeit with a caveat for SMS or app-based 2FA that you shouldn't use one device for banking and for authentication.

    • Scott · 594 days ago

      Sorry, this makes no sense to me.

      Just because it is on a phone it should be less secure? Sounds like a great way to get everybody focused on hacking bank accounts through the apps.

      • Paul Ducklin · 594 days ago

        It *shouldn't* be less secure.

        But with the banks scrambling to knit their own special-purpose mobile apps, rather than taking advantage of all the security stuff that has been progressively baked into your browser over the past two decades...

        ...it looks as though there are some lessons in secure programming that are going to have to be learned all over again.

        • bob · 594 days ago

          This is why I'm much, much happier to use my token and a browser for my mobile banking needs than resort to rather dodgy looking apps.

          Things like security and privacy seem to go out of the window thanks to the desperate rush to have an app for absolutely everything.

  2. Sizzle · 592 days ago

    I had someone tell me the other day that they had downloaded an application that gives them what seems to be effectively a "secure" single sign on for banking, email, etc..... So, if you're logged into your phone, it's a free for all. I was 'concerned' to say the least. Supposedly it stores all your passwords and memorable information in its database (not sure where that is stored, whether it's encrypted or not!?) and you can just access your bank account and any other account that requires authentication directly from this wonderful app.

    Just create an app and everyone will trust it with their lives, no need to phish... your net becomes full of 'catches of the day' without putting in too much effort.

    Problem is, I can't remember the name of it..... Well, apart from stupid.

  3. matt · 592 days ago

    All very interesting, but without naming the apps/banks concerned quite useless for Joe User who is otherwise not going to stop using their respective app.

  4. I agree with Matt… to be effective for us users, you need to name names. A nice chart would do the trick. Who's APP and What Security it comes with. Stats on customers claiming breaches would be nice too. Thanks for the heads up though, Paul.

  5. Mark the tech · 520 days ago

    By federal law cell phone companies are not held to the same security standards as an ISP. Until that is changed cell phones will always be less secure than a hard wired or even an encrypted wifi connection. Ultimately security is your own responsibility. Don't store any passwords or usernames in any app on your phone, tablet, or computer (MAC included). Talk to your bank about your concerns, most local banks can respond quicker to such issues than the big banks that have huge corporate channels that such requests and concerns must pass through before anyone acts on it.
    I stick with local banks and CYA

  6. paulatmetacert · 409 days ago

    Are you referring to 'hybrid' apps based on HTML5 made to look like native apps, or native apps that use WebView to access critical information?

  7. Kamal · 406 days ago

    Two Factor authentication does not mitigate man in the middle attack. One can still break HTTPS and act like a sniffer to get the required contents.

    Servers never trust clients, but extra care can be added to the clients to ensure that they are talking to a legitimate server. Certificate PINNING will come in very handy in ensuring the channel is secure.

  8. Very helpful article and definitely one worth sharing.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog