Banking apps not safe from OS vulnerabilities

Mobile banking apps are architected to be secure and transactions are channeled through encrypted tunnels, but these measures are not enough to safeguard users if the mobile operating system is inherently vulnerable or if the handset is already compromised by malware.

Bogdan Botezatu, senior security researcher at BitDefender, said mobile banking apps are designed to send financial or personal data via encrypted Web channels such as HTTPS (Hypertext Transfer Protocol Secure).

In order to conduct an attack, cybercriminals would have to set up another mobile app to act as the man-in-the-middle layer as well as gain root privilege and deploy certificates for the particular handset. With these in place, they can then tunnel information out of the device, Botezatu explained.

However, such an attack has yet to be sighted in the wild since it is too complex to implement in commercial-grade malware, he added.

Michela Menting, senior analyst at ABI Research's cybersecurity unit, added mobile banking apps can also be secured by adhering to the OS maker's sandbox requirements.

Sandboxing generally refers to app designs adhering to a prescribed set of application programming interfaces (APIs) within a designated parameter, and there's no data permanence or ability to access resources or data from the handset outside of the sandbox.

Standard payment transactions will also have to adhere to ISO 8583, which is the international standard for the command sequences used on ATM networks, Menting noted.

Alternatively, banking transactions can use the Open Financial Exchange (OFX) protocol, a transaction format standard used by most financial institutions to support transaction interactions between Quicken and Microsoft Money Personal Financial Manager Applications, she added.

OS vulnerabilities a risk

That said, the risks related to the mobile operating system's vulnerabilities and the wireless network can provide a way in for attackers to either intercept or spy on the user's banking transactions, Menting pointed out.

These risks are increased when users jailbreak their devices, regardless if it is Apple's iOS or Google's Android powering the handset, she added.

"It won't matter how secure the app is. If the environment hosting it is insecure, then banking transactions and authentication information can be compromised," the ABI analyst said.

Marc Bown, SpiderLabs managing consultant at Trustwave Asia-Pacific, agreed, saying mobile apps are not protected from the vulnerabilities of the OS.

Even though these apps have protection such as sandboxing, it has been proven these security layers can be overcome, he noted.

Menting identified Android OS as particularly risky, given the many third-party app stores available which provides platforms for cybercriminals to distribute fake banking apps. Security firm Blue Coat released a report this month stating 40 percent of Android malware was delivered via "malnets", or networks designed to deliver malicious payloads. "[This demonstrates] how cybercriminals can successfully utilize embedded infrastructures to attack mobile users," it stated.

Luis Corrons, senior technical director of Panda Security's PandaLabs, said once the cybercriminal gains full access to the mobile phone, no communications made on the device is really safe.

For example, a remotely-controlled device can uninstall the real banking app and install a rogue one with the same look and feel. The user will not know it is not the same app and all his information will go to the attackers, Corrons observed, adding this is currently just a theory and has not happened in reality.

Mobile browsers equally susceptible
Menting also said banking transactions made on mobile browsers are not safe either. After all, even non-jailbroken devices can contain malware such as spyware installed through third-party apps which are able to spy on browser and app activities, she said.

Corrons went one further, saying banking on the mobile browser would be more vulnerable since people often use the browser for other Web surfing which might lead to other online threats.

Ultimately, Menting believes to secure a mobile banking app is to deploy authentication methods that cannot be easily copied or intercepted. Two-factor authentication, for instance, uses physical token generators and are not stored within one's mobile device, she pointed out.

A DBS Bank spokesperson told ZDNet Asia its mobile banking app protects users against the vulnerabilities of the OS by logging users out automatically when they close the app, and authenticating users with 2FA transactions.