
Mobile Banking Apps For iOS Woefully Insecure

Posted by Soulskill
from the raise-your-hand-if-you're-surprised dept.
msm1267 writes "Mobile banking applications fall short on their use of encryption, validation of digital certificates and two-factor authentication, putting financial transactions at risk worldwide. An examination of 40 iOS mobile banking apps from 60 leading banks worldwide revealed a slew of security shortcomings that also included hard-coded development credentials discovered during a static analysis of app binaries. It's a mess, and to date, most of the banks have been informed and none have provided feedback indicating the vulnerabilities were patched."
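The summary mentions hard-coded development credentials found by static analysis of app binaries. As an added example (not from the article or the research it reports), the following is a minimal build-time check a bank's own security team could run before shipping: a strings-style extractor over a binary, followed by a few credential heuristics (key=value secrets, user:pass in URLs, long high-entropy tokens). The sample bytes, host names and credential values are all constructed for illustration.

```python
import math
import re

# Constructed stand-in for an app binary: non-printable "code" bytes around
# printable strings, some of which are credentials that should never ship.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe\x07\x00\x00\x01"                   # constructed header bytes
    b"https://api.example-bank.test/v1/login\x00"         # benign endpoint
    b"\x90\x90\x90\x90\x00"
    b"dev_password=Hunter2DevOnly!\x00"                   # credential in key=value form
    b"Welcome to your account overview\x00"               # benign UI string
    b"\x55\x48\x89\xe5\x00"
    b"api_key=QjZkOTRmN2E3YjE1NGYwYjk4YzI5ZjZl\x00"       # another key=value credential
    b"https://user:s3cret@staging.example-bank.test/\x00"  # credentials embedded in a URL
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef\x00"               # random-looking bare token
    b"\xc3\x00\x00\x00"
)

MIN_LEN = 8


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return runs of printable ASCII (0x20-0x7e) at least min_len bytes long,
    the same idea as the Unix `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, prose scores low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Heuristics that commonly catch credentials left behind in a build.
KEY_VALUE = re.compile(r"(?i)(pass(word|wd)?|secret|token|api[_-]?key)\s*[=:]\s*(\S+)")
URL_USERINFO = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")  # scheme://user:pass@host
BASE64ISH = re.compile(r"^[A-Za-z0-9+/=_-]{24,}$")


def scan_binary(blob: bytes, entropy_threshold: float = 4.0) -> list[tuple[str, str]]:
    """Return (reason, string) findings for every extracted string that looks
    like a credential. Checks are ordered from most to least specific."""
    findings = []
    for s in extract_strings(blob):
        if URL_USERINFO.search(s):
            findings.append(("credentials-in-url", s))
        elif KEY_VALUE.search(s):
            findings.append(("key-value-credential", s))
        elif BASE64ISH.match(s) and shannon_entropy(s) >= entropy_threshold:
            findings.append(("high-entropy-token", s))
    return findings


if __name__ == "__main__":
    for reason, text in scan_binary(SAMPLE_BINARY):
        print(f"{reason:22s} {text}")
```

The entropy heuristic is deliberately last and gated on a base64-like character set, otherwise ordinary UI strings and URLs generate noise; in practice a threshold around 4 bits per character separates random tokens from English text, but the value should be tuned against the real binary's false-positive rate.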
  • feedback (Score:5, Insightful)

    by Threni (635302) on Friday January 10, 2014 @07:09PM (#45922185)

    How long do you think it'll take them to come back with feedback? They'll need to work out whose fault it was, who they can blame, what they're going to do about it, the impact of blaming the people whose fault it wasn't, and all the time looking good to upper management. Lessons will be learnt, and this will definitely not happen again, just like always.

  • Seriously, guys? (Score:4, Insightful)

    by fuzzyfuzzyfungus (1223518) on Friday January 10, 2014 @07:21PM (#45922267) Journal
    So, are these banks' websites just as bad, or did they actually manage to re-implement something worse than just wrapping their site in a suitable stylesheet and calling that 'an app'? If the latter, how do they look themselves in the mirror every morning?
  • by IonOtter (629215) on Friday January 10, 2014 @07:34PM (#45922377) Homepage

    Which banks, please? Can we please have a list of which banks fail basic programming???

  • by fuzzyfuzzyfungus (1223518) on Friday January 10, 2014 @07:40PM (#45922409) Journal
    What surprises me is that TFA mentioned multiple cases of things like failure to validate SSL certs, use of unencrypted assets rendered by the app in ways that could be spoofed dangerously, and similar stuff that wouldn't have gotten past their web people; but apparently are A-OK because it isn't a web browser, it's an 'app' wrapped around the UIWebView class!

    The other things they mention, assorted attacks or failures to mitigate against an attacker with privileged access to the system, aren't good; but they are both less dangerous (at least to people running stock iOS) and more novel and platform-specific. The first class of bugs, though, should have been solved a decade or more ago when they started dabbling in this 'web' stuff.
  • by Anonymous Coward on Friday January 10, 2014 @07:56PM (#45922529)

    While I agree a list would be nice, please don't spread lies that this is "basic" programming. If it were, there wouldn't be so many issues.

    Hardening and securing an application against sophisticated attacks (yes, I know not all of the attacks are 'sophisticated') is a non-trivial piece of work requiring expert knowledge and experience in security programming. I doubt you could do it. I doubt most people here could do it. I consider myself an expert software developer and I doubt I could do it.

    More to the point, spreading the myth that this is "basic" is exactly the sort of attitude that allows these practices to continue. When Joe Graduate hears how "basic" and "easy" this securing software stuff is, from people like you that have no clue, they go off and do it themselves. It's easy, right? Rather than respecting this field for what it is - highly specialized and difficult work - the exact problem that needs solving is perpetuated by your snarky and uninformed attitude.

    So for everybody's sake, just cut the condescending attitude. Thanks.

  • by icebike (68054) on Friday January 10, 2014 @10:02PM (#45923363)

    The government already has access to my bank account. They don't need to break into my computer to get it.

    (Not discounting they might have broken into my computer for some other reasons).
