The banking industry is looking with an increasing interest in mobile platform, financial institutes are offering a growing number of services accessible through mobile devices, but what about security?
The security of mobile banking apps has been improved over the last years, but there is still a great scope for improvement.
Ariel Sanchez, a security consultant for IOActive, two years ago conducted a research on security implemented by iOS banking apps and now has decided to repeat the same tests. Sanchez evaluated the security level for 40 iOS banking apps and discovered a number of security weaknesses or vulnerabilities. The expert limited his analysis on client-side, avoiding to investigate the security offered on server-side.
For obvious reason, Sanchez hasn’t revealed the name of the apps or the banks who developed the mobile apps it tested.
What is changed?
Revisiting its research, Sanchez discovered that many of the problems emerged two years ago still remain despite the overall level of security is increased. Sanchez executed the following tests on each app:
He discovered that five apps (12,5 per cent) failed to validate the authenticity of the SSL certificates presented, a circumstance that opens mobile users to Man-in-The-Middle (MiTM) attacks.
40% of the apps leak information about user activity or client-server interactions.
The expert also analyzed binary and file system revealing that 15 per cent of the iOS banking apps store unencrypted data and sensitive information. In some cases customers’ banking accounts and transaction history are archived in sqlite databases on the device or in plain text files.
In the following graphs are reported the results of the test conducted in 2013 and 2015.
Most of the apps have improved traffic protection and are properly validating SSL certificates, drastically reducing the exposure to MiTM attacks. It is interesting to note that there are still a high number of apps storing insecure data in their file system.
Sanchez concluded that despite the security implemented by the banking apps is increased it is still not enough because many apps remain vulnerable.
“While overall security has increased over the two-year period, it is not enough, and many apps remain vulnerable.” he added.
Enjoy the “(In)secure iOS Mobile Banking Apps – 2015 Edition” report.
(Security Affairs – banking apps, security)