The growth of mobile banking apps
According to a recent report by the British Bankers Association, mobile apps are now the UK’s number one way to carry out banking transactions. Another study, from the US, puts usage of mobile banking apps among Millennials at 67%. These apps have been around for a number of years and let you check your balance, transfer money and pay bills with ease, but how secure is your mobile banking app?
TouchSoft spoke with an independent mobile security researcher regarding the current iOS and Android apps offered by top UK banks to their customers. In total, the researcher, who has requested to remain anonymous, studied the network security of 20 banking apps. These included both consumer and business banking and credit card apps.
Although there are many aspects to good mobile security, the study focussed on one in particular: the ‘Man In The Middle’, or MITM, attack. In this attack a hacker secretly intercepts the communication between the mobile app and the bank’s server, which can allow them to steal confidential information such as usernames, passwords, session cookies and other account details.
What is a ‘Man In The Middle’ attack?
Almost any type of internet connection is vulnerable to MITM attacks, but the most common route is WiFi. It could happen on a home or office network, but it is far more likely on public WiFi in a coffee shop or hotel. Typically the attacker sets up a rogue access point, often with a name very similar to the venue’s legitimate SSID, waits for unsuspecting users to join, and then relays their traffic through a proxy under the attacker’s control. For an HTTPS connection that proxy has to present its own certificate to the app, so the attack only yields anything if the app accepts a certificate it should have rejected.
The study found that 75% of the apps tested were rated very high or excellent at preventing the attack: they detected the interception and refused to let the user enter any credentials. A further 15% attained a high rating, where no user information was visible to the researcher. The next 10% were deemed medium risk, with part of the information sent visible, either the username or the password but not both. Only one app allowed both the user ID and the password to be revealed to the researcher, and was therefore considered high risk.
While these results show that the vast majority of mobile banking apps pass the test, a few do not perform so well. Given that this weakness has been well understood for several years, we believe every banking app developer (and every other app developer, for that matter) should be taking the steps needed to ensure this type of attack cannot succeed.
How can users be protected?
So what can developers do to protect their users? The most effective defence against this kind of interception is certificate pinning. Rather than trusting any certificate that chains to one of the many root authorities in the device’s trust store, the app ships with the identity of the certificate (or, better, the public key) it expects from the bank’s server, checks the certificate presented during the TLS handshake against it, and refuses to send anything if they do not match. A user-installed or compromised root CA then no longer helps the attacker. OWASP has a good guide on how to implement this. Pinning the public key rather than the whole certificate, and shipping a backup pin, avoids locking users out when the certificate is routinely renewed. Two-factor authentication is a worthwhile additional layer: it does not stop the interception, but it limits what a captured password is worth.
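To make the pinning check concrete, here is a self-contained Go program written for this article as an added illustration; it is not the researcher’s tooling or any bank’s app code. It models a device whose trust store accepts both the bank’s certificate and an evil twin’s (the situation after a rogue root CA has been installed), an unpinned client that connects to both, and a pinned client that refuses the impostor. The hostname bank.example, the throwaway self-signed certificates and the two local servers are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

const bankHost = "bank.example" // assumed hostname the hypothetical app talks to

// spkiPin is the HPKP/OkHttp-style pin "sha256/<base64>" over the DER
// SubjectPublicKeyInfo, so it survives certificate renewal on the same key.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// mustCert mints a throwaway self-signed certificate for host (constructed so the scenario runs offline).
func mustCert(host string) (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// startServer runs a local HTTPS server that answers 200 to everything using cert.
func startServer(cert tls.Certificate) *httptest.Server {
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	s.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	s.StartTLS()
	return s
}

// newClient is the app's HTTPS client. roots plays the device trust store; a
// non-nil pins set adds the pinning gate on top of normal chain validation.
func newClient(roots *x509.CertPool, pins map[string]bool) *http.Client {
	cfg := &tls.Config{RootCAs: roots, ServerName: bankHost}
	if pins != nil {
		cfg.VerifyPeerCertificate = func(_ [][]byte, chains [][]*x509.Certificate) error {
			// chains is only populated after chain and hostname checks passed, so this is a second gate.
			for _, chain := range chains {
				for _, cert := range chain {
					if pins[spkiPin(cert)] {
						return nil
					}
				}
			}
			return errors.New("pinning failure: no pinned key in verified chain")
		}
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
}

// reach reports whether the TLS handshake succeeded, the point at which an app would send credentials.
func reach(c *http.Client, url string) bool {
	resp, err := c.Get(url + "/login")
	if err == nil {
		resp.Body.Close()
	}
	return err == nil
}

// RunScenario models a device that trusts both the bank's certificate and an evil twin's.
func RunScenario() (bankUnpinned, evilUnpinned, bankPinned, evilPinned bool) {
	bankCert, bankLeaf := mustCert(bankHost)
	evilCert, evilLeaf := mustCert(bankHost) // same hostname, attacker's key
	bank, evil := startServer(bankCert), startServer(evilCert)
	defer func() { bank.Close(); evil.Close() }()
	roots := x509.NewCertPool()
	roots.AddCert(bankLeaf)
	roots.AddCert(evilLeaf)
	pins := map[string]bool{spkiPin(bankLeaf): true} // shipped inside the app build
	unpinned, pinned := newClient(roots, nil), newClient(roots, pins)
	return reach(unpinned, bank.URL), reach(unpinned, evil.URL),
		reach(pinned, bank.URL), reach(pinned, evil.URL)
}

func main() { fmt.Println(RunScenario()) } // true true true false
```

Running it prints `true true true false`: the unpinned client completes the handshake with the impostor and would go on to send the user’s credentials, while the pinned client refuses. Note that the pin is taken over the SubjectPublicKeyInfo rather than the whole certificate, so a routine renewal on the same key does not break the app; in a real build you would also ship a backup pin for the next key before rotating.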
As a user, it is best to avoid using any type of app that could potentially reveal sensitive information while connected to public WiFi. We recommend that you only connect to these services over cellular connection or using your own private home WiFi where possible.
We would like to thank our researcher friend for sharing this information with us, and will be catching up with him again soon for further insight into the security of other app sectors, including Health, Shopping and Gaming. The researcher confirmed that all tests were carried out on a private network, using his own mobile devices, and no network traffic was directed at any financial institution servers. In the cases where a medium or high risk was determined, the institutions involved have been informed of the issue with their app.
How can we help?
TouchSoft have in depth experience of mobile application security, including certificate pinning, obfuscation techniques, tamper resistance and penetration testing. We can use our extensive knowledge and understanding of security threats in the mobile environment to help design and develop your mobile projects in a safe and secure manner. Get in touch today for further information.