Banking apps not safe from OS vulnerabilities

Banking apps not safe from OS vulnerabilities

Summary: Mobile banking apps rely on tools such as HTTPS and sandboxing to keep safe, but operating system vulnerabilities may render such measures useless anyway.

SHARE:
TOPICS: Security, Apps, Mobile OS
4

Mobile banking apps are architected to be secure and transactions are channeled through encrypted tunnels, but these measures are not enough to safeguard users if the mobile operating system is inherently vulnerable or if the handset is already compromised by malware.

Bogdan Botezatu, senior security researcher at BitDefender, said mobile banking apps are designed to send financial or personal data via encrypted Web channels such as HTTPS (Hypertext Transfer Protocol Secure).

mobileapps
Mobile banking apps rely on tools such as HTTPS and sandboxing to keep safe, but operating system vulnerabilities may render such measures useless anyway.

In order to conduct an attack, cybercriminals would have to set up another mobile app to act as the man-in-the-middle layer as well as gain root privilege and deploy certificates for the particular handset. With these in place, they can then tunnel information out of the device, Botezatu explained.

However, such an attack has yet to be sighted in the wild since it is too complex to implement in commercial-grade malware, he added.

Michela Menting, senior analyst at ABI Research's cybersecurity unit, added mobile banking apps can also be secured by adhering to the OS maker's sandbox requirements.

Sandboxing generally refers to app designs adhering to a prescribed set of application programming interfaces (APIs) within a designated parameter, and there's no data permanence or ability to access resources or data from the handset outside of the sandbox.

Standard payment transactions will also have to adhere to ISO 8583, which is the international standard for the command sequences used on ATM networks, Menting noted.

Alternatively, banking transactions can use the Open Financial Exchange (OFX) protocol, a transaction format standard used by most financial institutions to support transaction interactions between Quicken and Microsoft Money Personal Financial Manager Applications, she added.

OS vulnerabilities a risk

That said, the risks related to the mobile operating system's vulnerabilities and the wireless network can provide a way in for attackers to either intercept or spy on the user's banking transactions, Menting pointed out.

These risks are increased when users jailbreak their devices, regardless if it is Apple's iOS or Google's Android powering the handset, she added.

"It won't matter how secure the app is. If the environment hosting it is insecure, then banking transactions and authentication information can be compromised," the ABI analyst said.

Marc Bown, SpiderLabs managing consultant at Trustwave Asia-Pacific, agreed, saying mobile apps are not protected from the vulnerabilities of the OS.

Even though these apps have protection such as sandboxing, it has been proven these security layers can be overcome, he noted.

Menting identified Android OS as particularly risky, given the many third-party app stores available which provides platforms for cybercriminals to distribute fake banking apps. Security firm Blue Coat released a report this month stating 40 percent of Android malware was delivered via "malnets", or networks designed to deliver malicious payloads. "[This demonstrates] how cybercriminals can successfully utilize embedded infrastructures to attack mobile users," it stated.

Luis Corrons, senior technical director of Panda Security's PandaLabs, said once the cybercriminal gains full access to the mobile phone, no communications made on the device is really safe.

For example, a remotely-controlled device can uninstall the real banking app and install a rogue one with the same look and feel. The user will not know it is not the same app and all his information will go to the attackers, Corrons observed, adding this is currently just a theory and has not happened in reality.

Mobile browsers equally susceptible
Menting also said banking transactions made on mobile browsers are not safe either. After all, even non-jailbroken devices can contain malware such as spyware installed through third-party apps which are able to spy on browser and app activities, she said.

Corrons went one further, saying banking on the mobile browser would be more vulnerable since people often use the browser for other Web surfing which might lead to other online threats.

Ultimately, Menting believes to secure a mobile banking app is to deploy authentication methods that cannot be easily copied or intercepted. Two-factor authentication, for instance, uses physical token generators and are not stored within one's mobile device, she pointed out.

A DBS Bank spokesperson told ZDNet Asia its mobile banking app protects users against the vulnerabilities of the OS by logging users out automatically when they close the app, and authenticating users with 2FA transactions.

Topics: Security, Apps, Mobile OS

Ellyne Phneah

About Ellyne Phneah

Elly grew up on the adrenaline of crime fiction and it spurred her interest in cybercrime, privacy and the terror on the dark side of IT. At ZDNet Asia, she has made it her mission to warn readers of upcoming security threats, while also covering other tech issues.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

4 comments
Log in or register to join the discussion
  • Nothing new here

    If the OS is infected, any application could be at risk.
    Gisabun
  • "These risks are increased when users jailbreak their devices..."

    Never trust a "security" expert who spouts bullshit like that.
    ldo17
    • You got it Backwards:

      you should never trust a "security expert" who DENIES it. One an iOS device is 'jailbroken', or an Androd device rooted, an application can get root privileges much more easily. So once a malicious app gets on the device (a separate problem), it is much easier for it to seize total control.

      Otherwise, even if amalicious app does find its way onto the device (unlikely if you download only from the official market), it is hard for it to get permissions to do anything.
      mejohnsn
      • Re: an application can get root privileges much more easily.

        Apps on IOS already have the equivalent of "root privileges"--remember, it doesn't have an Android-style sandboxed permissions model, an app is allowed to do anything once it has been accepted into Apple's app store.

        Third-party versions of Android, on the other hand, can offer additional security features above and behind those in standard builds. Like being able to selectively deny permissions to already-installed apps, and regulate network bandwidth usage on a per-app basis.
        ldo17