Mobile Banking and Mobile Payment Apps Vulnerabilities Exposed!

We understand that the financial services industry can provide a lot of value to their customers, but in their enthusiasm to do so early, they have too often rushed to provide that value and have overlooked many of the security issues. Today, many of these financial apps are under attack.

whiteCryption’s own research, as well as research performed by the security services firm IOActive, has identified multiple security holes in the vast majority of financial mobile apps currently available on the market. At whiteCryption, we are not only calling attention to this issue, we are also delivering solutions to help financial institutions address these vulnerabilities. It is important to note that most of these attacks could have been thwarted right from the start by using code obfuscation and other techniques designed to prevent reverse engineering.

Cryptanium consists of two main components. One is Cryptanium Secure Key Box, a white box library of standard cryptographic algorithms developers can use to completely hide cryptographic keys contained in financial apps. The other is Cryptanium Code Protection, a tool that can be used to “harden” software application code with the goal of frustrating reverse engineering and other techniques used by cybercriminals to gain unauthorized access to sensitive information and resources contained in applications.

Cryptanium is designed so both of these technologies can be used together – with both iOS and Android apps – to greatly increase the security of financial mobile apps.

Let’s break down some of the security vulnerabilities found in mobile financial apps a bit. It is important to note that while IOActive’s research addressed iOS mobile banking apps, whiteCryption’s research confirmed that many of the same vulnerabilities can be found in Android versions as well.

  • Apps don’t detect “jailbroken” devices. Jailbreaking is where an iOS device has been modified to give the user additional iOS access privileges beyond those set by Apple. While jailbreaking gives the user greater freedom to install apps, it also gives cybercriminals more access to sensitive information contained in mobile financial apps. Cryptanium allows financial apps to detect jailbroken devices and take appropriate action.
  • One disturbing trend is the increase of phishing apps disguised as mobile financial apps. Once a consumer has signed on to the app, many of these will present the same screen later asking them to retype their username and password “because the online banking password has expired.” This information is passed on to the criminal who can then use it to gain access to the consumer’s account. Cybercriminals often make these phishing apps by reverse engineering a legitimate financial app and adding functionality designed to steal information. Many financial apps do not encrypt graphics and other resources used in the app, giving cybercriminals easy access to these and making the act of creating phishing apps easier. Cryptanium tools encrypt these resources.
  • Apps often create log files which may contain sensitive information useful to cybercriminals. Cryptanium can be used to encrypt these as well.
  • An app is not just a piece of code running on a client device; it is part of an entire ecosystem. Many financial apps are vulnerable and allow cybercriminals to find credentials within the app, which can be used to access the financial institution’s app development infrastructure. This access can be used by a cybercriminal to distribute their malware to unsuspecting consumers. Cryptanium tools encrypt the program strings where these credentials are located.
  • Like other apps, financial apps use databases to store information. In financial apps, this can be highly sensitive information such as details of a customer’s banking account and transaction history. Some financial apps don’t encrypt that data. This gives a cybercriminal with access to the mobile device, either remotely or physically, the ability to steal this information. Cryptanium tools can be used to encrypt this data.
  • Application program strings can contain IP addresses of internal servers at financial institutions as well as paths for internal file systems, both of which can be of use to cybercriminals. Some financial apps don’t encrypt this information, making it easier for cybercriminals to access it. Again, Cryptanium tools allow app developers to encrypt program strings.
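Three of the items above (sensitive data in log files, credentials in program strings, and internal IP addresses or file-system paths in program strings) can be caught before a build ever ships. The following is an added example, not whiteCryption's or Cryptanium's code, of two pre-release hygiene checks a mobile banking team could run in CI: a log redaction filter, and an audit that extracts printable strings from a build artifact and flags the kinds of leftovers the post describes. It is written in Python using only the standard library so it runs anywhere; the redaction rules, the finding rules, the sample log line and the sample artifact bytes are all constructed for this example and would be extended with an app's real data formats.

```python
"""Added example (not Cryptanium's code): pre-release hygiene checks."""
import re
from typing import Dict, List

# --- Check 1: redact sensitive values before they reach a client-side log ---

# Constructed, illustrative rules; a real app adds its own account, card and
# token formats. Applied in order, each rule masks one class of value.
REDACTION_RULES = [
    # 13-16 digit card-like numbers, optionally separated by spaces or dashes
    (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "[PAN]"),
    # secrets written as key=value with a common secret-bearing key name
    (re.compile(r"(?i)(token|session|password|passwd|pwd)=\S+"), r"\1=[REDACTED]"),
    # e-mail addresses, which many banks use as the login name
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
]


def redact(line: str) -> str:
    """Return the log line with every matched sensitive value masked."""
    for pattern, replacement in REDACTION_RULES:
        line = pattern.sub(replacement, line)
    return line


# --- Check 2: audit a build artifact for strings that should not ship -----

# Constructed rules for the three leftover classes discussed in the post.
FINDING_RULES = {
    # RFC 1918 private addresses, i.e. internal server IPs
    "internal_ip": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3})\b"
    ),
    # credential-looking key=value or key: value pairs
    "credential": re.compile(r"(?i)\b(?:api[_-]?key|secret|password|passwd|token)\s*[:=]\s*\S+"),
    # developer workstation or build-server paths baked into the binary
    "internal_path": re.compile(r"(?:/home/|/Users/|/srv/|/opt/)[\w./-]+"),
}


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Pull printable ASCII runs out of a binary, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def audit_artifact(blob: bytes) -> Dict[str, List[str]]:
    """Map each finding class to the strings in the artifact that match it."""
    findings: Dict[str, List[str]] = {name: [] for name in FINDING_RULES}
    for text in extract_strings(blob):
        for name, pattern in FINDING_RULES.items():
            if pattern.search(text):
                findings[name].append(text)
    return findings


def release_gate(blob: bytes) -> bool:
    """True when the artifact is clean; a CI job would fail the build on False."""
    return not any(audit_artifact(blob).values())


# Constructed sample artifact: binary noise around a few leftover strings.
SAMPLE_ARTIFACT = (
    b"\x00\x01\x02MZ\x90\x00"
    b"https://api.examplebank.test/v1/login\x00"   # a public endpoint is fine
    b"deploy_user=buildbot\x00"                    # not a secret by itself
    b"api_key=EXAMPLE-KEY-NOT-REAL\x00"            # credential left in a string
    b"10.20.30.40\x00"                             # internal server address
    b"/Users/dev/src/bankapp/Secrets.swift\x00"    # developer machine path
    b"\xff\xfe\x00"
)

if __name__ == "__main__":
    # Constructed log line showing the redaction filter at work.
    print(redact("login user=alice@example.com password=hunter2 card=4111 1111 1111 1111"))
    for name, hits in audit_artifact(SAMPLE_ARTIFACT).items():
        print(f"{name}: {hits}")
    print("release gate passed:", release_gate(SAMPLE_ARTIFACT))
```

The redaction filter is meant to sit in front of whatever logging call the app uses, so that nothing sensitive is written even on a jailbroken device where the log file is readable. The artifact audit is deliberately noisy in favour of false positives: the cost of a reviewer dismissing a flagged string is far lower than the cost of shipping an internal address or credential, and the findings list doubles as the inventory of strings that a tool such as string encryption needs to cover.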

whiteCryption will showcase Cryptanium Secure Key Box and Cryptanium Code Protection at the Winter Mobile Payments Conference held in Miami, Florida from January 29 to 31, and at AppsWorld held in San Francisco, California from February 3 to 5. If you are attending either conference, please drop by our booth and we will be happy to show you more about this innovative security solution for the financial industry.