We’ve written before about the “security gap” between desktop and mobile apps.
He ran 40 different iOS banking apps – the apps officially endorsed and supported by more than 60 banks in 20 countries.
He wanted to know if they offered an experience as safe and secure as using your regular desktop browser.
They did not.
Most worryingly, 40% of the apps he tested didn’t do HTTPS correctly.
The benefits of HTTPS
You’ll often hear HTTPS (short for “Secure HTTP,” which relies on a protocol called TLS, short for Transport Layer Security) endorsed primarily because it uses encryption.
That provides confidentiality.
Wi-Fi-sniffing crooks sitting somewhere near you in the coffee shop, or intelligence agents plugged into a network rack in the middle of a server room at your ISP, can see that you are talking to your bank.
But they can’t tell what you’re talking about: the contents of your HTTP session are just so much shredded cabbage to their eyes.
That’s good, because it keeps things like your bank balance and your payment details secret.
However, especially when it comes to online banking, encryption isn’t the only important feature of HTTPS.
TLS also provides authentication, which means you can be sure, or sure enough, that you really have connected to your bank.
If TLS provided encryption only, you might – if you weren’t careful, and perhaps even if you were – end up conducting a secret conversation directly with a crook.
→ TLS also provides integrity, which verifies that your traffic hasn’t been altered along the way. Even if a crook doesn’t know what you’re saying, he could put a dangerous spanner in the works by changing the data, knowing that it would decrypt incorrectly and perhaps cause problems at the other end.
Criticism of HTTPS
You’ll hear people criticising TLS authentication.
That’s because it’s based on the concept of a chain of trust consisting of digital signatures, which can end up looking both complex and confusing, like this:
Here, you can see Sophos Ltd vouching for the website secure2.sophos.com; GlobalSign’s Extended Validation CA (Certificate Authority) vouching for Sophos; and GlobalSign vouching again for its own Extended Validation CA.
Part of the confusion is that you have to look somewhere else to find out who vouches for GlobalSign.
In this case (we’re using Firefox), it is Firefox that closes the chain of trust, because the browser itself contains a list of built-in trusted signers, including GlobalSign:
Tricking the user
For all the complaints about the visual complexity of the TLS chain of trust, it does make it easy for your browser to spot obvious fraud.
If I redirect you to my fake secure2.sophos.com portal, I have to do one of three things to trick you into using it in place of the real thing:
- Bribe or subvert a CA into signing me a fake certificate in Sophos’s name.
- Use a certificate I signed myself, and hope you don’t notice.
- Use plain old HTTP, and hope you don’t notice.
If I use Trick 2, most browsers will pop up a rather obvious warning, like these ones:
Critics of TLS see this as a problem, because each browser has a different way of warning you; most warnings can easily be bypassed; and even legitimate sites sometimes throw up warnings that you need to bypass, which sets a poor standard.
But at least you get a warning, so you can usually spot Trick 2 if you really want.
Mobile apps fall short
That’s where Ariel Sanchez’s report comes in: 40% of the banking apps he tried out at the end of 2013 actually supported Trick 2 on behalf of the crooks.
You could feed those apps a fake, self-signed certificate claiming to identify your website as anything you liked, and they would blindly accept it.
In other words, the crook didn’t have to hope you wouldn’t notice his HTTPS subterfuge, because you couldn’t notice it!
You’d have hoped things would get better over the past year, but some mainstream mobile apps are still showing signs of a “security gap.”
Dutch security company Securify, for example, recently tested Pinterest’s iOS app, as well as Microsoft’s Yammer client for the same platform.
Those apps didn’t give security warnings about fake certificates.
Worse still, those apps send your password to the server when you first log in, assuming that HTTPS encryption will keep it safe from prying eyes.
But if the server you are “logging into” is a fake one, and you don’t notice because there is no certificate warning, that HTTPS encryption will serve only to deliver the password securely into the hands of a crook.
What to do?
• Update Pinterest or Yammer on iOS right away if you haven’t already. This problem is fixed in the latest versions.
• Change your password on those networks, just in case. A “man-in-the-middle” attacker could already have seen your password in transit.
You might also want to consider sticking to your browser for activities like social networking, online banking and other transactions, at least until the security industry reaches a consensus that this “security gap” has closed.
Sure, mobile browsers can be hard to use.
But they are much more likely, at least in 2015, to protect you from Trick 2 above.