Six security vulnerabilities found in many banking apps

Of all the apps in your life, the one you hope is most secure is your banking app. Unfortunately, those responsible for many banking apps are making some major security missteps, leaving the apps – and their users – vulnerable. Research done by Ariel Sanchez of IOActive found that 40 apps from 60 major banks have at least one security vulnerability.

He didn’t name names, but Ariel tested iOS banking apps from Europe, Asia, the Middle East, Australia, India, South America and North America.

Many banks failed when it came to proper SSL encryption, authentication and secure feature implementation.

– 90% of tested apps initiated connections without proper SSL encryption

– 70% didn’t have alternative authentication solutions

– 50% used an iOS featured called UIWebView (designed to display web content in native apps) insecurely

– 40% didn’t validated the authenticity of digital certifications received from a server

-20% were complied without using features designed to limit the risk of memory corruption attacks

Many apps exposed sensitive information through iOS system logs and crash logs

These vulnerabilities open the door for a slew of potential issues. Authentication issues leave the door open to man-in-the-middle attacks and several of these vulnerabilities mean that JavaScript injection is a threat. In the end, hackers could get their hands on users’ personal information by redirecting them to fake pages or gathering information from logs.

Luckily, there are steps bank app developers and testers can take to prevent security vulnerabilities. From PCWorld:

Based on his findings, Sanchez made some recommendations for developers of mobile banking apps, such as ensuring all connections are made using secure transfer protocols; enforcing SSL certificate validation; encrypting sensitive data stored by the applications by using the iOS data protection API; improving jailbreaking detection; obfuscating the assembly code and using antidebugging techniques to slow reverse-engineering attempts; removing debugging statements and information and removing all development information from the final products.

If you’re interested in learning more, many of these suggestions are covered in our Mobile App Security Testing whitepaper.

Source : developer-tech.com