iOS Mobile Banking Apps, what is changed from 2013 tests?

Pierluigi Paganini December 21, 2015

The security expert Ariel Sanchez presented the results of the test conducted on 40 iOS banking apps, comparing them to the ones obtained 2 years ago.

The banking industry is looking with an increasing interest in mobile platform, financial institutes are offering a growing number of services accessible through mobile devices, but what about security?

The security of mobile banking apps has been improved over the last years, but there is still a great scope for improvement.

Ariel Sanchez, a security consultant for IOActive, two years ago conducted a research on security implemented by iOS banking apps and now has decided to repeat the same tests. Sanchez evaluated the security level for 40 iOS banking apps and discovered a number of security weaknesses or vulnerabilities. The expert limited his analysis on client-side, avoiding to investigate the security offered on server-side.

For obvious reason, Sanchez hasn’t revealed the name of the apps or the banks who developed the mobile apps it tested.

What is changed?

Revisiting its research, Sanchez discovered that many of the problems emerged two years ago still remain despite the overall level of security is increased. Sanchez executed the following tests on each app:

  1. Transport Security
    1. Plaintext traffic
    2. Improper session handling
    3. Properly validate SSL certificates
  2. Compiler Protection
    1. Anti-jailbreak protection
    2. Compiled with PIE
    3. Compiled with stack cookies
    4. Automatic reference counting
  3. UIWebViews
    1. Data validation (input, output)
    2. UIWebView implementations
  4. Insecure Data Storage
    1. SQLlite database
    2. File caching
    3. Property list files
    4. Log files
  5. Logging
    1. Custom logs
    2. NSLog statements
    3. Crash reports files
  6. Binary Analysis
    1. Disassemble the application
    2. Detect obfuscation of the assembly code protections
    3. Detect anti-tampering protections
    4. Detect anti-debugging protections
    5. Protocol handlers
    6. Client-side injection
    7. Third-party libraries

He discovered that five apps (12,5 per cent) failed to validate the authenticity of the SSL certificates presented, a circumstance that opens mobile users to Man-in-The-Middle (MiTM) attacks.

35 per cent of the mobile apps contained non-SSL links throughout the application, traffic to these links could be easily intercepted by attackers that could also inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt.

30 per cent of the iOS apps failed to validate incoming data, a circumstance that allows an attacker to potentially inject JavaScript. The expert noticed that this percentage is reduced respect the previous tests conducted in 2013.

40% of the apps leak information about user activity or client-server interactions.

“35% of the apps contained non-SSL links throughout the application. This allows an attacker to intercept traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompts or similar scams. ” states the post published by Sanchez.

The expert also analyzed binary and file system revealing that 15 per cent of the iOS banking apps store unencrypted data and sensitive information. In some cases customers’ banking accounts and transaction history are archived in sqlite databases on the device or in plain text files.

In the following graphs are reported the results of the test conducted in 2013 and 2015.

iOS banking apps security test 2013 vs 2015

iOS banking apps security test 2013 vs 2015 2

Most of the apps have improved traffic protection and are properly validating SSL certificates, drastically reducing the exposure to MiTM attacks. It is interesting to note that there are still a high number of apps storing insecure data in their file system.

Sanchez concluded that despite the security implemented by the banking apps is increased it is still not enough because many apps remain vulnerable.

“While overall security has increased over the two-year period, it is not enough, and many apps remain vulnerable.” he added.

Enjoy the “(In)secure iOS Mobile Banking Apps – 2015 Edition” report.

Pierluigi Paganini

(Security Affairs – banking apps, security)



you might also like

leave a comment