Mobile Banking Apps For iOS Woefully Insecure

msm1267 writes "Mobile banking applications fall short on their use of encryption, validation of digital certificates and two-factor authentication, putting financial transactions at risk worldwide. An examination of 40 iOS mobile banking apps from 60 leading banks worldwide revealed a slew of security shortcomings that also included hard-coded development credentials discovered during a static analysis of app binaries. It's a mess, and to date, most of the banks have been informed and none have provided feedback indicating the vulnerabilities were patched."

feedback

[Threni]

How long do you think it'll take them to come back with feedback? They'll need to work out whose fault it was, who they can blame, what they're going to do about it, the impact of blaming the people whose fault it wasn't, and all the time looking good to upper management. Lessons will be learnt, and this will definitely not happen again, just like always.

Seriously, guys?

[fuzzyfuzzyfungus]

So, are these banks' websites just as bad, or did they actually manage to re-implement something worse than just wrapping their site in a suitable stylesheet and calling that 'an app'? If the latter, how do they look themselves in the mirror every morning?

List of Vulnerable Banks / Bank Apps, Please?

[IonOtter]

Which banks, please? Can we please have a list of which banks fail basic programming???

Re:Relying on internal 'talent'

[fuzzyfuzzyfungus]

What surprises me is that TFA mentioned multiple cases of things like failure to validate SSL certs, use of unencrypted assets rendered by the app in ways that could be spoofed dangerously, and similar stuff that wouldn't have gotten past their web people; but apparently are A-OK because it isn't a web browser, it's an 'app' wrapped around the UIWebView class!

The other things they mention, assorted attacks or failures to mitigate against an attacker with priviledged access to the system, aren't good; but they are both less dangerous (at least to people running stock iOS) and more novel and platform-specific. The first class of bugs, though, should have been solved a decade or more ago when they started dabbling in this 'web' stuff.

Re:List of Vulnerable Banks / Bank Apps, Please?

[Anonymous Coward]

While I agree a list would be nice, please don't spread lies that this is "basic" programming. If it were, there wouldn't be so many issues.

Hardening and securing an application against sophisticated attacks (yes, I know not all of the attacks are 'sophisticated') is a non-trivial piece of work requiring expert knowledge and experience in security programming. I doubt you could do it. I doubt most people here could do it. I consider myself an expert software developer and I doubt I could do it.

More to the point, spreading the myth that this is "basic" is exactly the sort of attitude that allows these practices to continue. When Joe Graduate hears how "basic" and "easy" this securing software stuff is, from people like you that have no clue, they go off and do it themselves. It's easy, right? Rather than respecting this field for what it is - highly specialized and difficult work - the exact problem that needs solving is perpetuated by your snarky and uninformed attitude.

So for everybody's sake, just cut the condescending attitude. Thanks.

Re:You Must Be Crazy ...

[icebike]

The government already has access to my bank account. They don't need to break into my computer to get it.
.

(Not discounting they might have broken into my computer for some other reasons).