Apps Lack of Security

Friday, January 10, 2014 @ 03:01 PM gHale

As more companies focus on mobility, it is no real surprise the lack of security on devices continues to be low hanging fruit for attackers.

That holds even in banking, which security experts routinely describe as among the most secure industries.

But when it comes to mobile apps, is it?


IOActive researcher Ariel Sanchez analyzed 40 mobile banking applications for iOS devices to see if they’re secure or not. The apps belong to the 60 top banks across the globe.

Sanchez found 40 percent of the apps tested are vulnerable to Man-in-the-Middle (MitM) attacks because they don’t validate the authenticity of SSL certificates.

On top of that, 20 percent of them have the Position Independent Executable (PIE) and Stack Smashing Protection disabled, which makes them susceptible to memory corruption attacks, Sanchez said in a blog post.

Ninety percent of the apps don’t have jailbreak detection. The same percentage load a number of non-SSL links while the user navigates the app, allowing cybercriminals to intercept traffic and inject arbitrary code for phishing purposes.

Attackers can also abuse insecure UIWebView implementations in over half of the tested apps to inject JavaScript.

When it comes to two-factor authentication, which is a great mechanism to protect against impersonation attacks, the researcher found 70 percent of the iOS banking apps don’t have it.

Meanwhile, 40 percent of the applications expose sensitive information through log files, such as crash reports. Attackers can use the data leaked by these log files to develop Zero Day exploits.

Thirty percent of the tested programs contain hardcoded credentials in the code.

“By using hardcoded credentials, an attacker could gain access to the development infrastructure of the bank and infest the application with malware causing a massive infection for all of the application’s users,” Sanchez said.

Another point of interest for attackers: 20 percent of the apps send their activation codes, the ones used during the initial setup process, in plaintext over HTTP.

To add more salt to the security wounds, the file systems of some programs store sensitive information, including bank account details and transaction history, in unencrypted databases, Sanchez said.

From a defensive perspective, the following recommendations could mitigate the most common flaws:
• Ensure that all connections are made using secure transfer protocols
• Enforce SSL certificate checks by the client application
• Protect sensitive data stored on the client-side by encrypting it using the iOS data protection API
• Add or improve checks to detect jailbroken devices
• Obfuscate the assembly code and use anti-debugging tricks to slow the progress of attackers when they try to reverse engineer the binary
• Remove all debugging statements and symbols
• Remove all development information from the production application
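The PIE and stack smashing protection finding above is something a tester can verify directly on the app binary. The following Python script is an added illustration, not code from IOActive or this article: it reads the Mach-O header flags for MH_PIE and scans the image for the stack-protector symbol names, the same facts `otool -hv` and `otool -I -v` report. The sample header it builds is constructed for the demonstration, not taken from any real banking app.

```python
"""Check a thin Mach-O image for two hardening properties: PIE and stack canaries."""
import struct

MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O, little-endian (armv7)
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O, little-endian (arm64, x86_64)
FAT_MAGICS = (0xCAFEBABE, 0xBEBAFECA)  # universal binary, either byte order
MH_PIE = 0x200000            # header flag: image may load at a randomized base (ASLR)
# clang emits these when -fstack-protector is on; their names land in the string table
STACK_CHK_SYMBOLS = (b"___stack_chk_fail", b"___stack_chk_guard")


def check_hardening(blob: bytes) -> dict:
    """Return {'pie': bool, 'stack_protector': bool} for a single-architecture Mach-O."""
    if len(blob) < 28:
        raise ValueError("too short to hold a Mach-O header")
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic in FAT_MAGICS:
        raise ValueError("fat binary: split out one architecture (e.g. lipo -thin) first")
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError(f"not a little-endian Mach-O image: magic=0x{magic:08x}")
    # header layout: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags[, reserved]
    flags = struct.unpack_from("<I", blob, 24)[0]
    return {
        "pie": bool(flags & MH_PIE),
        "stack_protector": any(sym in blob for sym in STACK_CHK_SYMBOLS),
    }


def make_header(flags: int, tail: bytes = b"") -> bytes:
    """Constructed sample: a minimal arm64 MH_EXECUTE header with the given flags."""
    CPU_TYPE_ARM64 = 0x0100000C  # CPU_TYPE_ARM | CPU_ARCH_ABI64
    MH_EXECUTE = 2
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0,
                         MH_EXECUTE, 0, 0, flags, 0)
    return header + tail


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:  # no file given: demonstrate on a constructed hardened image
        image = make_header(MH_PIE, b"\0___stack_chk_fail\0")
    for name, ok in check_hardening(image).items():
        print(f"{name:16s} {'enabled' if ok else 'DISABLED'}")
```

Run it against the executable inside a decrypted .app bundle; an app that is missing either property matches the 20 percent described above.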
