How safe is your mobile banking app?


Mobile banking brought about what is probably the biggest revolution in the banking industry so far: the convenience of ‘banking on the go’. With the spread of smartphones, mobile banking grew in popularity, so much so that IDC expects mobile payments to exceed 1 trillion by 2017. But with the convenience of anytime, anywhere banking came a host of security concerns. A study of banking apps last year revealed that almost 90% contained critical security issues.

Let us look at some of the vulnerabilities commonly encountered in mobile banking apps:

1. Cross site scripting: In this attack, the app accepts and renders a malicious piece of script as if it came from a trusted website. The malicious script allows attackers to steal sensitive information, including user credentials.

2. Man in the middle attacks: If an app does not validate the authenticity of the SSL certificate presented to it, it stands a good chance of being susceptible to MiTM attacks. In such an attack, the attacker intercepts client-server messages and relays them after substituting his or her own keys in the exchange, so that the two legitimate parties still appear to be talking to each other.

3. SQL injection: In this type of vulnerability, an attacker enters SQL commands into data entry fields to trick the application into delivering user-specific data or seeding malicious data. The attacker can even alter or delete data, with severe consequences.

4. Command injection: Vulnerable apps can be made to execute arbitrary commands on the host OS, largely because of insufficient input validation. When an application passes unsanitized user-supplied data, such as form fields and cookies, to the underlying system, an attacker can use it to execute commands with the privileges of the vulnerable app.

5. Vulnerable UIWebView implementation: An attacker may inject a fake HTML form to trick users into entering their credentials and send them to a malicious site. The app is made to load the malicious site by passing its URL to the UIWebView object.

6. Information leakage: An app may inadvertently disclose sensitive data, including user-specific data and technical details of the application and its environment. Causes include caching issues and improper storage of encrypted data, including personally identifiable information and account or card details.

7. Authentication and authorization: The app may not adequately protect authentication information, allowing user logins to be compromised or replayed. This could be due to a lack of strong encryption standards, password guidelines, or feature and ACL enforcement.

8. Cross site request forgery: An attacker leverages an authenticated, active session to execute unauthorized commands. The app may be tricked into performing operations such as transferring funds or changing the account's email address.
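As an added illustration of item 3 (not code from the original post or from Gallop), here is a Python/SQLite account lookup written the vulnerable way, concatenating the field value into the query, beside the parameterized version that treats the same input purely as data. The table, the sample accounts and the username allow-list pattern are constructed for this demo.

```python
import re
import sqlite3

# Constructed in-memory accounts table standing in for a bank's database
# (sample data, not from the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, account_no TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("alice", "ACC-0001", 1200), ("bob", "ACC-0002", 8300)])
    return conn

def lookup_vulnerable(conn, username):
    # Vulnerable: the field value is concatenated into the SQL text, so quotes in the
    # input change the structure of the statement instead of being treated as data.
    sql = ("SELECT username, account_no, balance FROM accounts "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    # Hardened: a parameterized query sends the value separately from the statement,
    # so the database engine never interprets any part of the input as SQL.
    sql = "SELECT username, account_no, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")  # assumed allow-list for this demo

def is_valid_username(username):
    # Defence in depth: reject input that does not match the expected format before
    # it reaches the query layer (parameterization remains the primary control).
    return USERNAME_RE.fullmatch(username) is not None

def demo():
    conn = make_db()
    tainted = "x' OR '1'='1"  # constructed input: closes the quote and appends a tautology
    return {
        "vulnerable": lookup_vulnerable(conn, tainted),  # returns every account row
        "safe": lookup_safe(conn, tainted),              # no such username: empty list
        "normal": lookup_safe(conn, "alice"),
        "input_rejected": not is_valid_username(tainted),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Logging and alerting on validation rejections like the one above gives the bank an early signal of probing against the data entry fields.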

So, what can you do as a mobile banking app user?

Most of the vulnerabilities mentioned above may be beyond your control but here are a few things you can do to protect your account and your personal information:

  • Lock your phone with a PIN or password instead of a pattern
  • Install an app lock on Android phones to protect apps from unauthorized use
  • Avoid storing sensitive information on your phone
  • Do not download apps from untrusted sources
  • Opt for two-factor authentication for important transactions
  • Use security software to guard against spyware, malware and other malicious attacks

And as a business, how do you secure mobile apps?

Using automated scanning tools can help detect flaws accurately. Over the last few years, Gallop has built a repository of security test cases and developed capabilities using both open source and commercial security testing tools. Gallop has also established a Security Testing Center of Excellence, which has enabled Gallop to provide cutting-edge security testing services across industry domains, operating systems and devices. Speak to us at Gallop to learn more about our expertise.

For more information on securing mobile apps, view the recording of Gallop’s recent webinar, ‘Mobile Application Security Testing Right before your Eyes’.

The opinions expressed in this blog are the author's and don't necessarily represent Gallop's positions, strategies or opinions.