Security holes in PayPal's iPhone app

A security research firm has discovered several security problems with PayPal's iPhone app, warning that hackers can use man-in-the-middle attacks to steal sensitive user data.
Written by Ryan Naraine on

The vulnerabilities, reportedly fixed by PayPal, could be exploited to allow a hacker to hijack a user's PayPal password.

According to an audit of the app by Chicago-based viaForensics, the vulnerability stems from the app's failure to confirm the authenticity of PayPal's website when communicating over the Internet.

Without that confirmation, a hacker could electronically step between a user and PayPal, pretend to be the PayPal website and gather usernames and passwords. The hacker would need to be in the same physical location as the user or have gained access to the same Wi-Fi network.

In practice, that could mean setting up a Wi-Fi hotspot in a location such as a train station and waiting for someone to use the network for a PayPal transaction on their iPhone app. It would be a fishing expedition, but the equipment and software needed are commonly available.
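As an added illustration, not taken from the article or from viaForensics' audit, the following Python shows what "confirming the authenticity of the website" means for a TLS client: a client context that skips verification, which is the behaviour described above, beside a properly configured one, an audit check that flags the weak settings, and a simplified hostname-matching routine of the kind a correct client applies to the server certificate. The hostnames and certificate names used are constructed for the example.

```python
import ssl
from typing import List, Sequence


def weak_client_context() -> ssl.SSLContext:
    """The failure mode in the article: any certificate is accepted, so a
    rogue hotspot presenting its own certificate is trusted as the real site."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Chain validated against the system trust store and bound to the hostname."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings an app audit would raise for this client configuration."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified against a trust store")
    if not ctx.check_hostname:
        findings.append("certificate is not bound to the expected hostname")
    return findings


def hostname_matches(hostname: str, san_dns_names: Sequence[str]) -> bool:
    """Simplified RFC 6125 matching: exact match, or a wildcard that covers
    exactly one leftmost label and never a bare public suffix such as '*.com'."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


if __name__ == "__main__":
    print("weak:", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
    print(hostname_matches("www.example-pay.test", ["*.example-pay.test"]))
```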

viaForensics found that the PayPal iPhone app failed to securely store application data on the device, failed to securely store the user's username and failed several additional security tests.

The PayPal Android app did not suffer from these security failures, viaForensics said.

The company said it conducted several additional tests against publicly available mobile applications for insecure transmission or storage of sensitive user data.

Here's a basic summary of the findings:

  • Some applications did not validate security certificates and were vulnerable to man-in-the-middle (MITM) attacks, exposing the full username, password and account data.
  • Some applications saved your password in clear text (i.e. no encryption).
  • Some applications insecurely saved your data to the smartphone, allowing recovery of all financial information viewed in the application.

viaForensics did not identify any of the other vulnerable smartphone apps.
