Bank apps riddled with security holes - researchers

13 January 2014

Many of the world's biggest banks have serious security flaws in their mobile apps which could leave customers - and the banks themselves - vulnerable to attackers, research from IOActive suggests.

IOActive researcher Ariel Sanchez used iPhones and iPads to test 40 home banking apps from some of the biggest financial institutions around the world.

The testing found that 90% of the apps contain non-SSL links, enabling any attacker to intercept traffic and inject code in an attempt to create a fake login prompt or similar scam.

Meanwhile, half of the apps are vulnerable to JavaScript injections via insecure UIWebView implementations. In some cases, the native iOS functionality is exposed, allowing crooks to do things like send SMS or e-mails from the victim's device.

Many apps - 40% - do not validate the authenticity of SSL certificates presented, leaving them open to man-in-the-middle attacks. Nearly three quarters also don't have multi-factor authentication, which could help to mitigate the risk of impersonation attacks.

IOActive says that it has contacted some of the banks about vulnerabilities but argues that the entire industry needs to step up its efforts to protect customers.

Among its suggestions are that all connections are performed using secure transfer protocols, SSL certificate checks are enforced, and the iOS data protection API is used to encrypt sensitive data.
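To make the last two points concrete, here is an added illustration (not code from IOActive or from any of the apps tested): the trust-everything delegate that produces the "does not validate SSL certificates" finding, beside a hardened version that lets iOS validate the chain and then pins the leaf certificate, plus the data-protection write the report recommends. It assumes iOS 15 or later (for SecTrustCopyCertificateChain and CryptoKit) and a placeholder pin hash.

```swift
import Foundation
import Security
import CryptoKit

// Weak pattern behind the "does not validate SSL certificates" finding: whatever
// certificate the server (or a man-in-the-middle) presents is accepted. Do not ship this.
final class InsecureTrustDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard let trust = challenge.protectionSpace.serverTrust else {
            return completionHandler(.performDefaultHandling, nil)
        }
        completionHandler(.useCredential, URLCredential(trust: trust))  // skips chain validation
    }
}

// Hardened pattern: system chain validation first, then a leaf-certificate pin so a
// certificate issued by any other CA cannot impersonate the bank.
final class PinnedTrustDelegate: NSObject, URLSessionDelegate {
    // Hex SHA-256 of the DER-encoded leaf certificate. Placeholder, assumed value.
    let pinnedLeafSHA256 = "PLACEHOLDER_SHA256_OF_DER_LEAF_CERT"

    func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            return completionHandler(.performDefaultHandling, nil)
        }
        // 1. Standard validation: trusted root, expiry, hostname match.
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            return completionHandler(.cancelAuthenticationChallenge, nil)
        }
        // 2. Pin: hash the leaf certificate and compare with the expected value.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            return completionHandler(.cancelAuthenticationChallenge, nil)
        }
        let der = SecCertificateCopyData(leaf) as Data
        let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
        guard digest == pinnedLeafSHA256 else {
            return completionHandler(.cancelAuthenticationChallenge, nil)
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Data-at-rest recommendation: iOS data protection keeps the file encrypted until unlock.
func storeSensitive(_ data: Data, at url: URL) throws {
    try data.write(to: url, options: [.atomic, .completeFileProtection])
}
```

Pass an instance of PinnedTrustDelegate as the delegate of the URLSession that talks to the bank's servers; a pin mismatch or a failed chain evaluation cancels the connection instead of silently proceeding.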
