Intro: A recent independent study covering 100 banking apps in India and the Asia-Pacific region has found that most of the mobile banking apps on Android used by these banks are vulnerable to security threats. Details of the study:
A very high 70% of the mobile banking apps on Android are vulnerable to security and data leaks, a recent study has revealed. A total of 983 security loopholes were found in these vulnerable apps, with 90% of them being high- or medium-severity bugs.
The study was conducted recently, covering the top 100 mobile banking apps in India and the Asia-Pacific region, using Appvigil, an automated cloud-based Android app security scanner that helps enterprises check whether their Android apps are hackable, identify the security loopholes and fix them.
One of the prime issues found by the study in nearly 80% of these apps is ‘intent spoofing’, an attack in which a malicious application induces undesired behaviour by forging an intent. An example of this is a malicious app launching the WebView of an application and injecting JavaScript to change the content of the view (if JavaScript has not been disabled in the WebView), thereby fooling users into submitting sensitive information to the attacker's server. “Also, the majority of the mobile banking apps failed, and many did not employ even the basic security checks expected. The communication between the apps & their servers is still unencrypted, i.e. HTTP instead of HTTPS,” says the study.
“The results are worrisome,” says Toshendra Sharma, founder and CEO of Wegilant, an enterprise incubated in the Society for Innovation and Entrepreneurship (SINE), IIT Bombay, in 2014, which carried out the study. “The situation requires immediate action towards fixing these issues. It has to be ensured that mobile net banking apps on Android are hardened before deployment,” he adds.
With technology advancing to new avenues each day, the explosive growth in mobile-app banking is giving consumers a critical new option in managing their money, a trend that is growing fast and is here to stay, says Sharma. Any attempt to design an automated solution to compute, maintain and transfer large volumes of secure data should focus on understanding existing loopholes, and anticipating future ones, that can plague the system. Any lack of participation from the people responsible for design, implementation, or operation and management could be exploited to violate the system’s security policy, he warns.
Sharma is of the view that organizations today are focusing more on state-of-the-art features, responsiveness and performance optimization without paying much heed to security. “According to Gartner, 25% of global banks will have their banking apps available to their customers by 2016 and will be serving 1.75 billion users worldwide by 2019. With the prime focus on product interface and features, BFSI institutions put security on the back seat. In most cases people react to security issues only when they face some discrepancies via a malicious threat agent,” he says.
Sharma elaborates on the findings and the critical nature of the problem:
Can you elaborate on the finding?
Though today’s mobile banking customers have started trusting the traditional banks with their data, security is still a major concern for them. During the study, we found multiple security loopholes, even in the premium apps. As much as 70% of the mobile apps in the banking space have security vulnerabilities, and 53% of these apps have multiple high-severity vulnerabilities. The most surprising fact is that these premium banks are not aware of the vulnerabilities. The consumer trusts the bank with his/her finances and personal data. It is the bank that has to ensure a secure mobile app experience for users.
To what extent are banks vulnerable to these threats?
The extent of the consequences of these threats can be very damaging for the banks as well as for the consumers. The presence of loopholes in the mobile app makes the app prone to malicious hacking to extract user credentials or the bank database, or even to manipulate financial transactions. Two common attacks are: Man-in-the-middle (MitM) (a hacker places himself ‘between’ the computers being attacked and the router on the network, so that traffic to and from the computers under attack is sent to the hacker’s machine first before it gets forwarded on to the router) and JavaScript Injection (a nifty technique that allows you to alter a site’s content; for instance, the About Us page of a website can be converted into a login page to steal user data).
What can be the solution?
There are two major areas that are highly susceptible to mobile security risks: mobile application code on the client side, and network traffic with improperly implemented authentication on the server. The best way to strengthen these areas would be by integrating mobile security solutions into the SDLC. Security analysis and enhancement should be carried out at every stage of the product, from development to deployment. Companies have to realize that security is no longer an option but a necessary hygiene factor.
At Wegilant, we are working on developing cloud-based security solutions in new spheres, apart from the existing ones that we have already explored. We are analyzing industries apart from banking to report on the safety standards of other domains using mobile apps. Since there is a lack of awareness, we feel that reports and studies will definitely shake the industries that use mobile apps prominently into waking up and paying heed to this issue. To supplement this initiative, we are launching mobile security training for mobile developers and industry. Since mobile security is an expensive domain, and given the mobile app start-up boom, we are providing free mobile app scanning solutions to start-ups.
Do you think to a great extent the creation of apps in general is a disorganized effort with least botheration for security aspects?
Yes, the creation of apps in general is a disorganized effort. There are a few significant reasons for this. Firstly, most of the development is outsourced. Outsourcing indirectly adds a commercial angle to the product, pushing security to a low priority level. It also places negligible to no liability on the developer for a security breach. Secondly, the numerous mobile startups in the market lack the budget to explore the security aspect. Thirdly, most enterprises integrate security solutions in the post-development phase. Mobile app scanners and solutions should be alongside every stage of the product life cycle.
Do you think such apps created in developed countries like the US are better in terms of security?
Well, it is not the country that determines the safety standards of a product. But yes, we do see mature markets being more concerned about the security of users. There are several key factors that affect the security level of a mobile app, such as the skills of the app developer, the product company’s security aptitude and appetite, innovation in the black hat hacker market, etc.
You have mentioned in the report that unsynchronized clocks can affect automated tasks. Can you explain the security breaches that can occur as a result of this?
This can be explained with some examples:
- In many authentication systems, like Kerberos, a timestamp is used to protect against replay attacks. For example, a client sends an authentication request, containing an encrypted timestamp, to a server. The server decrypts this timestamp and checks whether the time is within a certain range. If the difference is too large, the request is rejected.
- Secondly, while establishing an SSL connection, a certificate is exchanged to establish the authenticity of the server to the client. These certificates have a validity time range. Each certificate has notBefore and notAfter fields; the current time must fall between these two dates. If the clocks are not synchronized, an invalid certificate might be accepted by the client.
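The two checks in this answer, as an added Python example that is not part of the original interview or of Appvigil's code: an X.509 validity-window check and a Kerberos-style timestamp freshness check with a replay cache, each run once with a correct clock and once with a client clock that is skewed. The certificate dates and the 5-minute skew tolerance (Kerberos' usual default) are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Kerberos rejects authenticators whose timestamp differs from the server
# clock by more than the configured clock skew; 5 minutes is the usual default.
MAX_CLOCK_SKEW = timedelta(minutes=5)


def cert_time_valid(not_before, not_after, now):
    """X.509 validity check: `now` must fall between notBefore and notAfter."""
    return not_before <= now <= not_after


def authenticator_fresh(ts, now, seen, max_skew=MAX_CLOCK_SKEW):
    """Kerberos-style freshness check on a decrypted authenticator timestamp.

    Rejects timestamps outside +/- max_skew of the server clock and any
    timestamp already accepted inside that window (the replay cache `seen`)."""
    if abs(now - ts) > max_skew:
        return False
    if ts in seen:  # same authenticator presented again within the window
        return False
    seen.add(ts)
    return True


def demo():
    """Compare a correct clock with a skewed one. All values are constructed."""
    not_before = datetime(2014, 1, 1, tzinfo=timezone.utc)
    not_after = datetime(2015, 1, 1, tzinfo=timezone.utc)

    true_now = datetime(2015, 6, 1, 12, 0, tzinfo=timezone.utc)  # cert expired
    skewed_now = true_now - timedelta(days=365)  # client clock a year behind

    results = {
        "cert_with_correct_clock": cert_time_valid(not_before, not_after, true_now),
        "cert_with_skewed_clock": cert_time_valid(not_before, not_after, skewed_now),
    }

    # Kerberos side: a request stamped with the server's time is accepted once,
    # a replay of the same authenticator is refused, and a client whose clock is
    # 10 minutes off is refused even though its authenticator is genuine.
    seen = set()
    results["auth_first_use"] = authenticator_fresh(true_now, true_now, seen)
    results["auth_replay"] = authenticator_fresh(true_now, true_now, seen)
    results["auth_skewed_client"] = authenticator_fresh(
        true_now - timedelta(minutes=10), true_now, set())
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The skewed client accepts a certificate that expired five months ago, which is the failure the answer describes; the Kerberos check shows the opposite effect, where a skewed client is locked out.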
In a typical case where there is a breach, what can this lead to in terms of losses on the part of the user and on the part of the bank?
The loss is very severe for both the user and the bank, as mentioned earlier. One can see cases ranging from user credentials being compromised to manipulation of transactions causing financial losses for the user. The bank can even end up losing its entire database and client personal information. Apart from this, the biggest damage is the lost trust of the consumer in the bank. Technical aspects can be fixed and made secure, but lost credibility is hard to regain. Potential threats are constantly evolving. It’s important to keep a close eye on mobile application security and provide a secure banking environment.
Finally, can you cite some likely breaches that can happen in view of the vulnerabilities in the system?
The popular types of security breaches are:
(i) Compromising data at rest: Retrieving data that is stored on the device. This data can be personal contacts, files created, emails sent, etc.
(ii) Data leakage: Improper implementation of app code can leak sensitive information like credit card details into logs and caches, from where the data can be stolen.
(iii) When permissions are exploited: Required app permissions combined with a not-so-security-conscious user base lead to misuse of the permissions, which results in premium SMS and random payments.
(iv) Secret channel: Malicious apps spying on normal apps to communicate the normal apps’ sensitive data to the malicious app’s command and control centre.
(v) When clickjacking comes to the mobile world: Traditional social engineering combined with clickjacking to impersonate an app UI.
(vi) Public wifi apps: Public, in particular open, wifi access points will get into more action to sniff your sensitive data over the network.
(vii) Hardcoded sensitive information: Reverse engineering an application exposes sensitive code, and sometimes key server credentials are exposed.
(viii) SQL injection: SQL is still the biggest breach when protecting the information is considered the most critical.
(ix) Mobile bots: Mobile bots will emerge as one of the biggest sources for the next generation of DDoS. After all, mobile devices are 2 billion in number. For instance, using Appvigil, we scanned the mobile banking app of one of the prominent banks of India and found that the application is susceptible to a JavaScript Injection vulnerability, also known as cross-site scripting or an XSS vulnerability. The vulnerability could become dangerous for the application’s users, and if a fully permitted malware performs the same attack, it could steal users’ net banking usernames and passwords.