A new study has found critical vulnerabilities in nine major banking apps, including the ones from NatWest, HSBC, and Bank of America Health.
Together, these apps have a user base of 10 million people. Had the flaw in the apps been exploited, the login details of all those users could have been compromised.
To conduct their study, researchers at the University of Birmingham created a unique tool for testing the apps. They ran the tool on 400 security-sensitive apps. The paper was presented Wednesday at the Annual Computer Security Applications Conference in Orlando.
Most apps that require higher security use a TLS connection. It helps establish an encrypted link between your phone and the bank’s server. This is to make sure that while you are doing security-sensitive actions like banking on your phone, your communication indeed is with the bank and not with a malicious server.
This security precaution process happens in two steps.
First, the bank or other institution that issued the app obtains a cryptographically signed certificate from a certificate authority, a trusted third party enlisted for this purpose.
After the certificate is verified as legitimate, the next step is to verify the server’s hostname. Simply put, this involves checking that the name in the certificate is the name of the server you are attempting to connect to.
But the new study found that some of the apps it looked into, though they checked whether the certificate was properly signed, were nonetheless not verifying the hostname properly. This meant that a validly signed certificate issued for just about any server would be accepted.
This is a critical vulnerability, since a malicious agent could present such a certificate and mount what’s called a man-in-the-middle attack.
In this type of attack, it is the attacker who sits between the user and the server and relays the connection. As you might have guessed, this gives the attacker access to every bit of information sent over it.
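The two checks described above, and the gap the study found between them, can be shown in a few lines of code. The following is an added example written for this article, not code from the Birmingham study or from any of the banks' apps. The certificate dictionaries are constructed to mimic the shape Python's ssl.SSLSocket.getpeercert() returns, and the "chain valid" flag stands in for the signature check; no network connection is made.

```python
import ssl

# Constructed sample: the bank's real certificate, with a wildcard SAN.
BANK_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}

# Constructed sample: a certificate that is validly signed by a CA but was
# issued for an unrelated server. Signature checking alone accepts it.
OTHER_SERVER_CERT = {
    "subject": ((("commonName", "other.example"),),),
    "subjectAltName": (("DNS", "other.example"),),
}


def _dns_names(cert):
    """Collect the DNS names a certificate is valid for (SAN first, CN as fallback)."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.append(v)
    return names


def _pattern_matches(pattern, hostname):
    """Match one certificate name against a hostname, allowing only a single
    wildcard as the whole leftmost label (e.g. *.bank.example)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or "*" in pattern[1:] or len(plabels) < 3:
        return False
    # The wildcard covers exactly one label, so label counts must agree.
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def hostname_matches(cert, hostname):
    """Step two from the article: does the certificate name the server we dialled?"""
    return any(_pattern_matches(p, hostname) for p in _dns_names(cert))


def accept_connection_signature_only(cert, chain_valid):
    """The flawed behaviour the study describes: only the signature chain is checked."""
    return chain_valid


def accept_connection(cert, chain_valid, expected_host):
    """Correct behaviour: a valid chain AND a hostname match are both required."""
    return chain_valid and hostname_matches(cert, expected_host)


def context_verifies_hostname(ctx):
    """True when an ssl.SSLContext is configured to perform both checks."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    # The default context in Python performs both steps; disabling check_hostname
    # reproduces the class of weakness the article describes.
    good = ssl.create_default_context()
    weak = ssl.create_default_context()
    weak.check_hostname = False
    print("default context verifies hostname:", context_verifies_hostname(good))
    print("weakened context verifies hostname:", context_verifies_hostname(weak))
    print("signature-only accepts other server's cert:",
          accept_connection_signature_only(OTHER_SERVER_CERT, True))
    print("full check accepts other server's cert:",
          accept_connection(OTHER_SERVER_CERT, True, "bank.example"))
```

The wildcard handling is deliberately strict: "*.bank.example" matches "api.bank.example" but not "bank.example" itself or "deep.api.bank.example", which is the behaviour mainstream TLS libraries implement.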
However, for the time being, users are safe from the above issue, since the banks that issued the affected apps have corrected the vulnerability.
But this study, which was done in the UK, begs comparison with a similar study done to gauge the security vulnerabilities of banking institutions in North America.
The latter study was performed by Accenture and the mobile app security firm NowSecure. A detailed report on it was posted on the internet security news website helpnetsecurity.com on April 21.
In the study, the Android and iOS apps of 15 different banks were scrutinized. The study revealed that all the apps that were tested showed at least one security flaw.
The security issues that the study uncovered included the following: writable executables, meaning someone could run code remotely that could affect how the app functions; world-writable files, meaning other apps could gain write access to the files in the banking app; relatively easy access to the app’s source code, making it possible for someone to alter it; and an inappropriately set “Secure” cookie flag, which is meant to prevent cookies from being sent over insecure communication channels.
The good news is that banking apps do generally come out with updates fast once vulnerabilities are found. The bad news is that no one can be sure what new vulnerabilities could be lurking in your banking app until a study or rigorous testing points them out.
This makes one question the entire ethos of the testing that’s done before these apps are launched. Pray, what goes on there?