iOS Banking Apps Riddled with Holes

January 17, 2014

A number of widely used iOS banking applications from some of the world’s most prominent banks contain bugs that expose users to data theft and account takeovers. Specifically, a knowledgeable attacker could potentially monitor user behavior with man-in-the-middle attacks, take control of user accounts via session hijacking attacks, and cause memory corruption problems that could lead to system crashes and data leaks. Altogether, these vulnerabilities could allow an attacker to steal user credentials and fraudulently access online bank accounts.


Ariel Sanchez, an Argentine researcher working with the security firm IOActive, ran a series of tests on 40 mobile banking apps from 60 top banks worldwide, including security analyses of the apps’ data transfer mechanisms, user interfaces, and storage processes as well as some more complicated stuff like compilers and binaries.

Sanchez found a series of potentially exploitable vulnerabilities.

“Someone with the right skills could use this information to detect potential bugs and after some research could develop an exploit or malware to compromise the customers of the affected banking apps,” Sanchez said. “We could say that it is the first step for a potential security threat.”

This vulnerability could be used to gain access to the development infrastructure of the bank and infect the application with malware, causing a massive infection for all of the application’s users.

IOActive says it reported the vulnerabilities to the respective banks. To date, Sanchez claims, none of the banks have reported patching any of the security issues.

Sanchez said the most worrisome problem he discovered came during static analysis of each app’s binary code was the number of hardcoded development credentials buried in the binaries. In other words, a variety of the unnamed vulnerable banking applications contain what amounts to discernible master-keys. These are intended to give developers access to the applications’ development infrastructure. Unfortunately, these hardcoded development credentials could also give attackers the same level of access.

“This vulnerability could be used to gain access to the development infrastructure of the bank and infect the application with malware, causing a massive infection for all of the application’s users,” Sanchez said.

Part of the problem is that a number of the applications are sending unencrypted links to users and or failing to properly validate SSL certificates when information is encrypted. This behavior, which Sanchez attributes to a simple oversight on whoever developed the apps, puts customers at risk to man-in-the-middle attacks where attackers could inject malicious javascript or HTML code as part of a phishing scam.

All the issues uncovered by Sanchez are compounded by the fact that 70 percent of the banks the analyzed have failed to implement two-factor authentication.

“You only need the binary of the app, and also one tool to decrypt the code and another to disassemble the code,” he said. “There is a large number of public papers where it describes how to decrypt and disassemble the code of these apps. Someone with some time and without any expertise can easily follow it.”

IOActive is being responsible, which is both good and bad (but mostly good). On the good side, they aren’t naming the affected banks or publishing specific vulnerabilities that could give attackers the information they need to target user accounts with attacks. On the bad side, we don’t know which banks and apps are vulnerable, and therefore, we don’t know who or what to trust.

Obviously, the most cautious among us should probably hold off on using our mobile banking apps until these issues are confirmed and fixed. However, most of us simply will not do that. So, in the meantime, you should definitely set up two-factor authentication if your banking provider offers it. Other than that just be careful about following links in your banking app, watch out for phishing messages, and keep an eye on your bank account.