A study of personal banking apps has been published: a security researcher spent about 40 hours testing iPhone and iPad banking applications from 60 of the most influential banks in the world, and his findings were shocking.
40 of those 60 applications were found to have major mobile security vulnerabilities, which is not something you’d expect to find in an application that authenticates you to your bank.
The tests were split across six separate areas: transport security, compiler protection, UIWebViews, data storage, logs and binary analysis. Serious weaknesses were found in all of them.
40% of the applications do not validate the authenticity of SSL certificates, meaning that they are vulnerable to man-in-the-middle (MITM) attacks.
A full 90% of the apps contain non-SSL links, potentially allowing “an attacker to intercept the traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or similar scam.”
50% “are vulnerable to JavaScript injections via insecure UIWebView implementations… allowing actions such as sending SMS or emails from the victim’s device.”
70% have no facility for any “alternative authentication solutions, such as multi-factor authentication, which could help to mitigate the risk of impersonation attacks.”
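One way a defender can get a first read on three of the findings above (cleartext http:// links, TLS-validation weakening, and UIWebView JavaScript bridges) is a triage pass over the `strings` output of an app binary. The script below is an added example written for this post, not tooling from the study or the researcher; the `strings` dump is constructed, the host names are placeholders, and the watch-lists of API names are an assumed starting set rather than a complete list, so every hit is a prompt for manual review, not a confirmed vulnerability.

```python
import re
from typing import Dict, List

# Constructed sample of what `strings` might print for an iOS app binary.
# Host names are placeholders; this is not output from any real bank app.
SAMPLE_STRINGS = """\
https://api.examplebank.test/v1/login
http://cdn.examplebank.test/assets/terms.html
http://www.w3.org/2001/XMLSchema
allowsAnyHTTPSCertificateForHost:
kCFStreamSSLValidatesCertificateChain
stringByEvaluatingJavaScriptFromString:
UIWebView
NSLog
"""

# A cleartext URL: the scheme must be exactly "http://" (so "https://" never matches).
CLEARTEXT_URL = re.compile(r"http://[\w.\-]+(?:/[^\s\"']*)?")

# Assumed watch-list: names that appear in code which relaxes TLS certificate
# checking (a private NSURLRequest selector and CFStream SSL settings keys).
# Presence means "review this", not "vulnerable".
TLS_WEAKENING = (
    "allowsAnyHTTPSCertificateForHost",
    "kCFStreamSSLValidatesCertificateChain",
    "kCFStreamSSLAllowsAnyRoot",
    "kCFStreamSSLAllowsExpiredCertificates",
)

# Assumed watch-list: UIWebView plus the selector used to push JavaScript into it.
WEBVIEW_JS = ("UIWebView", "stringByEvaluatingJavaScriptFromString")

# XML namespace URIs look like links but are identifiers that are never fetched;
# skipping them avoids the most common false positive in the cleartext check.
NAMESPACE_HOSTS = ("www.w3.org", "schemas.xmlsoap.org")


def _is_namespace_uri(url: str) -> bool:
    host = url[len("http://"):].split("/", 1)[0]
    return host in NAMESPACE_HOSTS


def triage(strings_output: str) -> Dict[str, List[str]]:
    """Group suspicious strings into the three review buckets.

    Returns a dict with sorted, de-duplicated lists so results are stable
    regardless of the order strings appear in the binary.
    """
    cleartext: set = set()
    tls_hits: set = set()
    webview_hits: set = set()

    for raw in strings_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        for match in CLEARTEXT_URL.finditer(line):
            url = match.group(0)
            if not _is_namespace_uri(url):
                cleartext.add(url)
        for name in TLS_WEAKENING:
            if name in line:
                tls_hits.add(name)
        for name in WEBVIEW_JS:
            if name in line:
                webview_hits.add(name)

    return {
        "cleartext_urls": sorted(cleartext),
        "tls_validation_review": sorted(tls_hits),
        "webview_js_bridge": sorted(webview_hits),
    }


def report(strings_output: str) -> str:
    """Render the triage result as plain text for a review note."""
    result = triage(strings_output)
    lines = []
    for bucket, hits in result.items():
        lines.append(f"{bucket}: {len(hits)} hit(s)")
        lines.extend(f"  - {h}" for h in hits)
    return "\n".join(lines)


if __name__ == "__main__":
    # Run against the constructed sample; with a real binary you would pipe
    # `strings -n 8 App.app/App` into stdin instead.
    print(report(SAMPLE_STRINGS))
```

The namespace filter matters in practice: many iOS binaries embed `http://www.w3.org/...` strings from XML parsers, and without the filter the 90% cleartext-link figure would be inflated by URLs that are never put on the wire. Conversely, a clean run says nothing about runtime behaviour, so a hit-free binary still needs the transport-security test the study performed.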
This troubling study brings to light a very serious problem for the banking industry, and of course for consumers, that will only become more severe as mobile banking app usage grows. Sanchez notes in his report that the vulnerabilities he identified could allow attackers to intercept sensitive data, install malware or even seize control of a victim’s device.
When banks use their mobile applications as a competitive advantage, you might expect them to test these applications thoroughly for security flaws with a vulnerability assessment or a mobile penetration test, reducing the share of vulnerable apps from two-thirds to an acceptable level. Major security flaws like these show that the applications have not been tested for security vulnerabilities at each phase of development. Above all, it shows that the banks have a weak Information Security Management System (ISMS) in place. This is an especially worrisome trend for smaller banks, given their lack of information security resources and expertise.