iOS banking apps security still not good enough, says researcher

The security of mobile banking apps has improved over the last two years but there’s still scope for improvement. Ariel Sanchez, security consultant for IOActive, has revisited research into the topic first conducted two years ago to see if there’s been any improvement. Although security has increased over the two years, many …

  1. Bob Dole (tm)
    FAIL

    Name and shame

    I really think these people need to get over the idea of not naming companies that are absolutely failing.

    "Hey, there's some number of mobile banking apps that are horrible! However, we're not going to tell you which ones; good luck!"

    If you really want this fixed, then name them. I guarantee you if the First National Bank of XYZ's name shows up on a list of Insecure Apps then they will move heaven and earth to fix it. And, please, don't tell me that naming them will cause hackers to jump all over it. Guess what - the hackers already know which ones are bad. The only people who don't are the customers.

    Basically - without that information, everything else in this article is meaningless.

    1. caffeine addict Silver badge

      Re: Name and shame

      If you shame the list of banks, they'll just say "we take security seriously and we'll be looking into this immediately".

      What you need to do is tell the banks, then publicly announce the vuln and say you'll make the list of banks public in 30 days. Those that actually give a shit will fix it and get out ahead of the story. Those that don't give a damn about security will get doubly shamed when the names go public and they're seen to not take it seriously.

      1. Anonymous Coward

        Re: What you need to do

        is tell the banks, then publicly announce the vuln and say you'll make the list of banks public in 30 days.

        In the UK that would get you a spell in jail .....

        1. DougS Silver badge

          Re: What you need to do

          For a "threat" against the bank or for revealing the vulnerability? If the former, the law just encourages you to skip the grace period and make the problems public immediately.

          Though to be honest, flaws that store information unencrypted in the filesystem don't really worry me that much. If it is your password being stored, they have to get hold of your unlocked phone to have a chance of accessing that, but if they have possession of your unlocked phone they can just start the app which presumably is using that password for autologin purposes so you're screwed either way! If it is your balance etc. being stored unencrypted, there are plenty of other ways to get that already, like stealing your mail, hacking into your email, fishing a receipt out of the trash after you've visited an ATM, etc.

        2. Vic

          Re: What you need to do

          In the UK that would get you a spell in jail

          On what grounds?

          Vic.

          1. caffeine addict Silver badge

            Re: What you need to do

            Only thing I can think AC meant is blackmail, but you would need to have some money/services transfer for that.

      2. Michael Thibault

        Re: Name and shame

        I get the private heads-up, then a public announcement of the general state of the world, and, eventual making the list of apps considered public.

        Alternatively, skip the last part and do a follow-up, unannounced and naming names, some time after the public announcement of the general lay of things. No possibility of interpreting that as a shake-down, or as a threat.

        However, the convention of 30 days is a courtesy and a misguided convenience to businesses (banks, in this case)--particularly if it becomes more and more entrenched, as that will give businesses ample opportunity to scramble to protect what really matters: their public image. In the publishing regime under consideration, there isn't any in-built incentive for businesses to do more than foist the security assessment on someone else (researchers, for example), and the costs onto users/clients. That incentive is necessary if there's any expectation that businesses will become otherwise than simply reactive to security issues brought to their attention from without. The unannounced that-was-then-and-this-is-now assessment might serve that purpose, if it--instead--becomes the convention.

  2. Zog_but_not_the_first Silver badge
    Stop

    Banking on a phone?

    Nah!

    1. Nate Amsden

      Re: Banking on a phone?

      Damn right. No banking or health related personal data touches my phone or tablets.

      Only purchases I've ever made on mobile are from the google play store (and HP store back when I used webos). Even then only used BofA shopsafe credit cards. I'm more than happy using my laptop for such things instead. I'm not in a hurry.

      Almost all "apps" want too many permissions so I don't even install them on my phone.

      1. BebopWeBop Silver badge
        Facepalm

        Re: Banking on a phone?

        Absolutely. I have plenty of ways of losing my money through laziness, incompetence or naivety. Why add to the mix and let someone else help, especially as I suspect the banks will fight tooth and nail to deny me any redress for their errors.

    2. jonathanb Silver badge

      Re: Banking on a phone?

      How does it compare in terms of security with banking on a website, with all the security problems web browsers and the operating system they run on have?

      1. Adrian Harvey
        Go

        Re: Banking on a phone?

        It varies bank by bank of course, but for my bank (ANZ) it's more secure on mobile. That's because when you initially set it up it creates secure device credentials (which you can check from the app and invalidate for lost/sold/stolen devices). It is then not sending my password over the net (encrypted or not, passwords shouldn't be sent; the web is leading us astray here).
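The enrolment-then-challenge flow the comment above describes, as an added example that is not part of the original thread and not ANZ's or any bank's code. It assumes a hypothetical bank server and phone app: the password is presented once at enrolment (over TLS, assumed), the server issues a per-device secret, every later login is an HMAC over a fresh server nonce, and the server can revoke a single device without touching the password. Names, the message format and the constructed password are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _login_mac(device_secret: bytes, device_id: str, nonce: bytes) -> bytes:
    """Response both sides compute: HMAC-SHA256 over a fixed tag, the device id and the nonce."""
    msg = b"login:" + device_id.encode() + b":" + nonce
    return hmac.new(device_secret, msg, hashlib.sha256).digest()


@dataclass
class Bank:
    """Hypothetical server side: one password, many independently revocable device secrets."""
    salt: bytes
    password_hash: bytes
    devices: dict = field(default_factory=dict)   # device_id -> device secret
    pending: dict = field(default_factory=dict)   # device_id -> nonce awaiting a reply

    @classmethod
    def create(cls, password: str) -> "Bank":
        salt = secrets.token_bytes(16)
        # PBKDF2 so the stored value is not a plain hash of the password.
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return cls(salt=salt, password_hash=digest)

    def enrol(self, password: str) -> tuple:
        """The only step that ever sees the password; returns credentials for this device."""
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        if not hmac.compare_digest(digest, self.password_hash):
            raise PermissionError("bad password")
        device_id = secrets.token_hex(8)
        device_secret = secrets.token_bytes(32)
        self.devices[device_id] = device_secret
        return device_id, device_secret

    def challenge(self, device_id: str) -> bytes:
        """Fresh nonce per login attempt; unknown or revoked devices are refused up front."""
        if device_id not in self.devices:
            raise PermissionError("unknown or revoked device")
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, response: bytes) -> bool:
        """Nonce is consumed on first use, so a captured response cannot be replayed."""
        nonce = self.pending.pop(device_id, None)
        device_secret = self.devices.get(device_id)
        if nonce is None or device_secret is None:
            return False
        return hmac.compare_digest(_login_mac(device_secret, device_id, nonce), response)

    def revoke(self, device_id: str) -> None:
        """What 'invalidate a lost/sold/stolen device' does: drop that secret only."""
        self.devices.pop(device_id, None)
        self.pending.pop(device_id, None)


class Device:
    """Hypothetical app side: holds only the device credential, never the password."""

    def __init__(self, device_id: str, device_secret: bytes):
        self.device_id = device_id
        self._secret = device_secret

    def answer(self, nonce: bytes) -> bytes:
        return _login_mac(self._secret, self.device_id, nonce)


def demo() -> dict:
    """Runs enrol, login, replay of the same response, and login after revocation."""
    password = "correct horse battery"          # constructed sample password
    bank = Bank.create(password)
    device_id, device_secret = bank.enrol(password)
    phone = Device(device_id, device_secret)

    nonce = bank.challenge(device_id)
    response = phone.answer(nonce)
    first_login = bank.verify(device_id, response)
    replayed = bank.verify(device_id, response)   # same response again: nonce already consumed

    bank.revoke(device_id)
    try:
        bank.challenge(device_id)
        after_revoke = True
    except PermissionError:
        after_revoke = False
    return {"first_login": first_login, "replay": replayed, "after_revoke": after_revoke}


if __name__ == "__main__":
    print(demo())
```

The point of the split is in `Device`: after enrolment the phone holds a 32-byte secret that is useless for the web login and can be cancelled on its own, so a compromised handset does not expose the password that the comment says should never travel over the network. A production design would keep the device secret in the platform keystore and bind it to a key pair rather than a shared HMAC secret, but the enrol/challenge/verify/revoke shape is the same.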

  3. Anonymous Coward

    the title is misleading

    It makes it sound like iOS is the issue. It is just plain bad programming/architecture on the banks' side.

  4. Anonymous Coward

    The title is misleading

    It makes it sound like iOS is the issue. Not verifying the cert is a plain programming issue on the banks' side. I bet if the researcher bothered to look into the Android version it would contain the same issue.

    1. Anonymous Coward

      Re: The title is misleading

      Not really, despite what you have been led to believe by untrustworthy security companies, the inner workings of Android are more secure than iOS. An area in particular is sandboxing and inter-app communication. There is only one method on Android (intents) and there is no way to disguise this. On iOS it's far easier to covertly access other apps' data. It was happening for years that many apps were up to no good on iOS, stealing data and uploading it without consent. Some of the holes were plugged with Blu Tack and Sellotape, but many still remain. iOS was never designed with security in mind; it was tacked on afterwards.

      http://venturebeat.com/2012/02/14/iphone-address-book/

      1. Naselus

        Re: The title is misleading

        Regardless, Apple can't really be blamed for this one - and it's not exactly out of character for banks to be utterly disinterested in mobile banking security, is it? They managed to shift all the risks onto the user and if it's hacked then they just claim that the user must have been careless with their passwords etc. Until the banks are made more accountable for the loss (like they are with in-person fraud) they have no real incentive to tighten up.

Biting the hand that feeds IT © 1998–2019