Banking Apps Leaking Information

ioactive.pngThere’s a new informative article at IOActive on how personal banking apps leak information. While the article concentrates on banking apps and iOS, the information is just as applicable to other types of apps and other mobile operating systems such as Android.

Ariel Sanchez of IOActive Labs took a look at 40 banking apps from the top banks in the world. Tests included SSL (session handling, valid certs), compiler protection, use of webviews, use of SQLite as well as anti-tampering analysis.

ioactivebankingvulnerabilities.png

The analysis is very alarming. Put simply, banking apps, that should be more secure than most other apps, can’t be trusted.

However, security isn’t just for banking apps. Snapchat is a very recent example of an app exposing 4.6 million users’ usernames and phone numbers. Poor security can damage your reputation. So what can you do? IOActive gives some pointers…

  • Ensure that all connections are performed using secure transfer protocols
  • Enforce SSL certificate checks by the client application
  • Protect sensitive data stored on the client-side by encrypting it using the iOS data protection API
  • Improve additional checks to detect jailbroken devices
  • Obfuscate the assembly code and use anti-debugging tricks to slow the progress of attackers when they try to reverse engineer the binary
  • Remove all debugging statements and symbols
  • Remove all development information from the production application
I have covered many of these areas in previous posts…