Security Software

Mobile Banking Apps For iOS Woefully Insecure

Posted by Soulskill
from the raise-your-hand-if-you're-surprised dept.
msm1267 writes "Mobile banking applications fall short on their use of encryption, validation of digital certificates and two-factor authentication, putting financial transactions at risk worldwide. An examination of 40 iOS mobile banking apps from 60 leading banks worldwide revealed a slew of security shortcomings that also included hard-coded development credentials discovered during a static analysis of app binaries. It's a mess, and to date, most of the banks have been informed and none have provided feedback indicating the vulnerabilities were patched."

  • by jasnw (1913892) on Friday January 10, 2014 @07:14PM (#45922225)
    ... to bank from your cellphone. Call me paranoid and old-fashioned (I admit to being both), but if I do on-line banking at all I do it from my own home computer on a wired LAN. OK, so I can't do all the wild-and-crazy things these mobile banking apps allow, but I also am likely to have my money in my bank in my account at the end of the day and not in a bank account in Siberia somewhere.
  • by Anonymous Coward on Friday January 10, 2014 @07:19PM (#45922259)
    I'd argue that on a non-jailbroken iOS device you might be more secure than on your home computer and wired LAN. Your home computer is far more likely to be infected with keylogging malware or similar.
  • by 0123456 (636235) on Friday January 10, 2014 @07:22PM (#45922281)

    Who's writing keylogging malware for CentOS?

  • Re:feedback (Score:2, Interesting)

    by icebike (68054) on Friday January 10, 2014 @09:57PM (#45923337)

    Most of these banks are contracting mobile development out.

    I would bet that 80% of these 60 banks are buying the same moderately customized app(s) from the same vendors.
    I would also suspect there will be similar flaws with the Android versions.

    Given that most banks don't have any in-house mobile development, they are probably all descending on the few vendors that wrote and customized these apps, and they will all get fixed about the same time.

  • Re:feedback (Score:5, Interesting)

    by buddyglass (925859) on Friday January 10, 2014 @11:25PM (#45923863)
    I'm responsible for the Android offering of one such vendor. We currently have about 140 small banks running some version of our app. We try to follow most of the security guidelines outlined in this article, but to give our customers added assurance we pay a security company to analyze the most current version of our app (and our back-end services) every six months or so. Not the one responsible for this article, though I imagine they're a competitor of the one we use. Was a good read. I forwarded it to my boss and the coworkers responsible for our iOS app.
