iOS banking app security: getting better, but still bad!

iPhone. Image courtesy of ymgerman/Shutterstock.

Two years ago, Ariel Sanchez, a researcher at security assessment company IOActive, published a report on the sort of security you could expect if you were doing your internet banking on an Apple gadget.

The answer, sadly, turned out to be “Very little.”

Two years later, the answer’s a bit better, but it’s still pretty sad.

The good news: over the past two years, more banking apps that run on iOS have begun to protect data better and fend off man-in-the-middle (MiTM) attacks by properly validating SSL certificates or removing plaintext traffic.

The bad news?

Well, how about you get a cup of coffee and pull up a chair.

Plenty of apps are still storing insecure data in their file systems, and many are still susceptible to client-side attacks.

For this year’s research, Sanchez again looked at 40 mobile banking apps, mostly in the continents of Europe, America and Asia.

He didn’t detail the vulnerabilities he found or how to exploit them, but he did contact some of the affected banks to report the issues.

What he found was that few of the mobile banking apps he checked out provide authentication that goes beyond username and password.

Sanchez said that overall, security has improved since he researched banking apps in January 2014, but it hasn’t improved enough, given that many apps remain vulnerable.

Specific findings:

  • 12.5% of the apps didn’t validate the authenticity of the SSL certificates presented, making them susceptible to MiTM attacks.
  • 35% of the apps contained non-SSL links throughout the application. This allows an attacker to intercept traffic and inject arbitrary JavaScript/HTML code in an attempt to create fake login prompts or similar scams.
  • 30% of the apps didn’t validate incoming data and were vulnerable to JavaScript injection via insecure UIWebView implementations, allowing client-side attacks.
  • 42.5% of the apps provided alternative authentication solutions to mitigate the risk of leaking user credentials and impersonation attacks.
  • Related to client-side information exposed via system or custom logs, 40% of the apps still leak information about user activity or client-server interactions, such as requests or responses from the server.

In 2014, Sanchez had found that 70% of the apps offered no support at all for two-factor authentication (2FA).

That number has since shrunk to 57.5%, which is a step in the right direction.

But that’s still an awful lot of banks that aren’t bothering with the extra security users get when they have to do something like punch in a one-time passcode, sent via SMS (text message), whenever they try to log in.

But the still-concerning lack of 2FA once again pales when compared to the problem of not validating SSL certificates.

Two years ago, 40% of the apps accepted any SSL certificate for secure HTTP traffic.

That’s down to 12.5%, which is another step in the right direction.

HTTPS certificates rely on a chain of trust, and validating that chain is important, given that it signals that a Certificate Authority has vouched for somebody who claims to own a site.

The chain of trust stops anyone who feels like it from blindly tricking users with a certificate that says, “Hey, this is the banking site you’re looking for, trust us!”

According to IOActive’s recent report, one in eight (12.5%) of iOS banking apps still simply don’t produce any warnings when faced with a fake certificate, because they don’t check whether the certificate has been vetted by a trusted Certificate Authority or whether it is a home-baked piece of bogus.

You can feed those apps any certificate that claims to validate any website, and the app will blindly accept it.

So, if the banking app is misdirected to a phishing site, for example while you’re using an untrusted network such as a Wi-Fi hotspot, you simply won’t know.
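To show what the 12.5% finding looks like in code, here is an added Swift example (written for this article, not taken from IOActive’s report or from any bank’s app) of a `URLSessionDelegate` answering a TLS server-trust challenge: the commented-out line is the “accept any certificate” pattern, and the code that follows evaluates the chain the way the system does by default, with an optional public-key pin on top. `pinnedPublicKeys` is an assumed, app-supplied list of the bank’s public keys; the class and its name are hypothetical.

```swift
import Foundation
import Security

/// Handles the server-trust challenge for a banking app's URLSession.
/// Hypothetical class added for illustration; `pinnedPublicKeys` is assumed
/// to be loaded from the app bundle (leave it empty to rely on chain validation only).
final class BankTLSDelegate: NSObject, URLSessionDelegate {
    private let pinnedPublicKeys: [SecKey]

    init(pinnedPublicKeys: [SecKey] = []) {
        self.pinnedPublicKeys = pinnedPublicKeys
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are handled here; anything else gets the default path.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // VULNERABLE pattern (the one behind the 12.5% finding): trusting whatever the
        // server sent means a hotspot attacker's self-signed certificate is accepted silently.
        // completionHandler(.useCredential, URLCredential(trust: trust))

        // HARDENED: evaluate the chain against the system trust store. The trust object
        // already carries an SSL policy for the request's hostname, so this also checks the name.
        var evaluationError: CFError?
        guard SecTrustEvaluateWithError(trust, &evaluationError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Optional pin: the leaf certificate's public key must be one the app ships with.
        if !pinnedPublicKeys.isEmpty {
            guard let leafKey = SecTrustCopyKey(trust),
                  let leafBytes = SecKeyCopyExternalRepresentation(leafKey, nil) as Data?,
                  pinnedPublicKeys.contains(where: { pinned in
                      (SecKeyCopyExternalRepresentation(pinned, nil) as Data?) == leafBytes
                  }) else {
                completionHandler(.cancelAuthenticationChallenge, nil)
                return
            }
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}
```

Without pinning, the hardened branch behaves the same as returning `.performDefaultHandling`; the point is that any custom delegate must still call `SecTrustEvaluateWithError` rather than hand back the unverified trust.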

We’ve seen multiple SNAFUs in financial apps related to not checking certificates.

For example, in July 2014, the popular Bitcoin wallet Coinbase was found to have a weakness in its Android app, having to do with how the app handled HTTPS certificates, that could allow an attacker to steal authentication codes and access users’ accounts.

It’s not just banking apps that get this wrong.

Other apps that fumble HTTPS have included Pinterest’s iOS app and Microsoft’s iOS Yammer client, both of which failed to give warnings about fake certificates when Dutch security company Securify checked them out in April.
