Are you doing all of your day's banking and credit card transactions through mobile banking apps? Your financial security may be at stake, warns a security researcher at IOActive. Ariel Sanchez, a researcher at the security assessment firm, has revealed in a recent report that mobile banking apps are not as secure as their users assume, and in some cases offer "very little" protection. According to his findings, the apps are configured and designed in ways that have weakened their security.
Sanchez explained the results of offline security tests he conducted on 40 iOS mobile banking apps used for transactions with 60 banks across 20 countries. He ran the following tests on each app:
- Transport security: plaintext traffic, improper session handling, and proper validation of SSL certificates
- Compiler protection: anti-jailbreak protection, compiled with PIE, compiled with stack cookies, and Automatic Reference Counting (ARC)
- UIWebViews: data validation (input and output) and analysis of UIWebView implementations
- Insecure data storage: SQLite databases, file caching, property list files, and log files
- Logging: custom logs, NSLog statements, and crash report files
- Binary analysis: disassembling the application, detecting anti-tampering protections, detecting obfuscation of the assembly code, detecting anti-debugging protections, client-side injection, protocol handlers, and third-party libraries
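The compiler protection checks in the list above can be reproduced by static inspection of an app's Mach-O binary. The following Python script is an added example written for this article; it is not code from the IOActive report or from Sanchez. It parses the Mach-O header for the MH_PIE flag and looks for the imported symbol names that stack cookies (`___stack_chk_fail`) and ARC (`_objc_release`, a heuristic) leave in the binary's string table. The sample input it builds is a constructed stand-in, not a real app binary, and anti-jailbreak detection is app-specific logic that no static flag reveals, so it is not covered.

```python
import struct
import sys

# Constants from <mach-o/loader.h>
MH_MAGIC = 0xFEEDFACE       # 32-bit Mach-O, little-endian
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O, little-endian
FAT_MAGIC = 0xCAFEBABE      # universal (fat) wrapper, stored big-endian
MH_EXECUTE = 0x2            # filetype: main executable
MH_PIE = 0x00200000         # flag: position-independent, randomized base (ASLR)
CPU_TYPE_ARM64 = 0x0100000C

# Imported symbol names that a protected build leaves in the binary's string table
STACK_COOKIE_SYMBOL = b"___stack_chk_fail"   # emitted by -fstack-protector
ARC_SYMBOL = b"_objc_release"                # emitted by ARC-generated code (heuristic)


def parse_mach_header(data):
    """Return (is_64bit, filetype, flags) for a thin little-endian Mach-O image."""
    if len(data) < 28:
        raise ValueError("too short to be a Mach-O header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
            raise ValueError("fat binary: extract one slice with 'lipo -thin' first")
        raise ValueError("not a little-endian Mach-O image (magic 0x%08x)" % magic)
    # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    _, _, _, filetype, _, _, flags = struct.unpack_from("<IiiIIII", data, 0)
    return magic == MH_MAGIC_64, filetype, flags


def check_binary(data):
    """Apply the three static compiler-protection checks to a Mach-O image."""
    is_64, filetype, flags = parse_mach_header(data)
    return {
        "executable": filetype == MH_EXECUTE,
        "64bit": is_64,
        "pie": bool(flags & MH_PIE),
        "stack_cookies": STACK_COOKIE_SYMBOL in data,
        "arc": ARC_SYMBOL in data,
    }


def build_sample(pie, stack_cookies, arc):
    """Constructed stand-in for an app binary: a 64-bit mach_header followed by
    the symbol names an import table would hold. It is not a loadable executable."""
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0,
                         MH_EXECUTE, 0, 0, MH_PIE if pie else 0, 0)
    strtab = b"\x00"
    if stack_cookies:
        strtab += STACK_COOKIE_SYMBOL + b"\x00"
    if arc:
        strtab += ARC_SYMBOL + b"\x00"
    return header + strtab


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # real binary: Payload/<App>.app/<App> from the .ipa
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:                                      # constructed sample: stack cookies but no PIE, no ARC
        image = build_sample(pie=False, stack_cookies=True, arc=False)
    for name, present in check_binary(image).items():
        print("%-14s %s" % (name, "yes" if present else "NO"))
```

On a Mac the same checks are `otool -hV <binary>` (look for PIE among the header flags) and `otool -I -v <binary> | grep -E 'stack_chk_fail|objc_release'`. Universal binaries carry a fat header in front of the per-architecture slices, so one slice has to be extracted with `lipo -thin` before the header flags are read; the script reports that case rather than guessing. The `_objc_release` test is only a heuristic, since hand-written code could in principle call that runtime function too.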
The research took 40 hours (non-consecutive), and all of the tests were conducted on the client side, not against the banks' servers. Sanchez reported the vulnerabilities he found to some of the affected banks. His results show that 70% of the apps offered no alternative authentication such as a two-factor verification process, and that 40% did not properly validate the SSL certificates presented to them, leaving their HTTPS traffic open to interception.
80% of mobile banking apps are not secure
An earlier study of mobile banking apps had already found that eight out of ten of them are not secure. That research, by Praetorian, tested 275 Android and iOS mobile banking apps drawn from more than 50 major financial organizations, 50 major banks and 50 US-based credit unions. Strikingly, the institutions covered include Bank of America, Wells Fargo, Citigroup, Morgan Stanley, Capital One Financial, SunTrust Banks and Goldman Sachs. The study concluded that these institutions had not followed security best practices when developing their mobile banking apps.
So how can you protect the banking transactions you make through mobile apps from being stolen? Share your opinion below.