Mobile Banking Apps for iOS Vulnerable to Man in the Middle Attacks

It's mighty convenient to load up a mobile banking app with a slick interface instead of logging into the bank's website through your smartphone's web browser, but in doing so you may inadvertently be exposing yourself to a greater risk of so-called man-in-the-middle attacks, session hijacking attempts, and other unfriendly behavior. A recent study suggests that mobile banking apps for iOS may be less secure than you think.

A researcher at IOActive tested 40 mobile apps from 60 of the leading banks from around the world. His various tests covered transport security, compiler protection, UIWebViews, insecure data storage, logging, and binary analysis. What he found is pretty alarming.

[Image: iPhone. Source: Flickr (Sean MacEntee)]

Some 40 percent of the audited apps did not validate the authenticity of the SSL certificates presented to them, which makes them susceptible to man-in-the-middle attacks. Almost all of them -- around 90 percent -- contained several non-SSL links throughout the application. According to IOActive, this allows an attacker to intercept the traffic and inject arbitrary JavaScript and HTML code in an attempt to create a fake login prompt or some other similar scam.
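To make the two findings above concrete, here is an added example (not code from the IOActive report or from any of the audited apps) of what "does not validate the SSL certificate" typically looks like in an iOS app, next to a hardened version that evaluates the chain and pins the server certificate, plus a small audit helper for the hard-coded non-SSL links. The pinned hash value, the delegate class names and the sample URL list are all constructed for illustration; the Security, Foundation and CryptoKit APIs used are the platform's own.

```swift
import Foundation
import Security
import CryptoKit

// Constructed placeholder: in a real app this is the base64 SHA-256 of the
// bank server's leaf certificate (DER), fixed at build time.
let pinnedLeafCertSHA256Base64 = "PLACEHOLDER_BASE64_SHA256_OF_LEAF_CERT_DER"

// --- Vulnerable pattern: every server-trust challenge is accepted without
// evaluation, so a certificate minted by a man-in-the-middle passes just as
// well as the bank's real one. This is the defect the report describes. ---
final class AcceptAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            // Blindly trusting the presented chain: no chain or hostname check at all.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// --- Hardened pattern: let the system evaluate the chain and hostname first,
// then additionally require the leaf certificate to match the pinned hash.
// Any failure cancels the challenge (fail closed). ---
final class PinningDelegate: NSObject, URLSessionDelegate {
    static func serverTrustIsAcceptable(_ trust: SecTrust) -> Bool {
        // 1. Standard X.509 chain validation against the device trust store,
        //    using the SSL policy (with hostname) attached to the trust object.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else { return false }

        // 2. Pin check on the leaf certificate: SHA-256 of its DER encoding.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else { return false }
        let leafDER = SecCertificateCopyData(leaf) as Data
        let digest = Data(SHA256.hash(data: leafDER)).base64EncodedString()
        return digest == pinnedLeafCertSHA256Base64
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust,
              Self.serverTrustIsAcceptable(trust) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// --- Audit helper for the second finding: hard-coded links that do not use
// TLS. Run over the URL strings a build embeds; anything it returns is a place
// where injected HTML/JavaScript could reach the user. ---
func nonTLSLinks(in urlStrings: [String]) -> [String] {
    urlStrings.filter { raw in
        guard let url = URL(string: raw), let scheme = url.scheme?.lowercased() else {
            return true   // unparsable entries are reported so a human looks at them
        }
        return scheme != "https"
    }
}

// Constructed sample input, not taken from any real app.
let sampleLinks = [
    "https://example-bank.invalid/login",
    "http://example-bank.invalid/terms",      // plaintext: flagged
    "http://cdn.example-bank.invalid/branding.js",  // plaintext script: flagged
    "https://example-bank.invalid/help",
]
let flagged = nonTLSLinks(in: sampleLinks)
print("Non-TLS links: \(flagged.count) of \(sampleLinks.count)")
flagged.forEach { print("  \($0)") }
```

The pinning delegate deliberately keeps the system evaluation step in front of the pin comparison: pinning alone does not check expiry, revocation or the hostname, and skipping `SecTrustEvaluateWithError` would reintroduce a weaker form of the same problem. The link audit is a build-time or code-review check; the right production fix for every entry it flags is to serve the resource over HTTPS, not to whitelist it.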

The list of vulnerabilities goes on, such as half of the apps being found susceptible to JavaScript injections via insecure UIWebView implementations.

"Home banking apps that have been adapted for mobile devices, such as smartphones and tablets, have created a significant security challenge for worldwide financial firms. As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions," the report concludes.