iOS banking apps security still not good enough, says researcher

Friday 18th December 2015 16:03 GMT Bob Dole (tm)

Name and shame

I really think these people need to get over the idea of not naming companies that are absolutely failing.

"Hey, there's some number of mobile banking apps that are horrible! However, we're not going to tell you which ones; good luck!"

If you really want this fixed, then name them. I guarantee you if the First National Bank of XYZ's name shows up on a list of Insecure Apps then they will move heaven and earth to fix it. And, please, don't tell me that naming them will cause hackers to jump all over it. Guess what - the hackers already know which ones are bad. The only people who don't are the customers.

Basically - without that information, everything else in this article is meaningless.

26 0 Reply
1. Friday 18th December 2015 16:20 GMT caffeine addict
  
  Re: Name and shame
  
  If you shame the list of banks, they'll just say "we take security seriously and we'll be looking into this immediately".
  
  What you need to do is tell the banks, then publicly announce the vuln and say you'll make the list of banks public in 30 days. Those that actually give a shit will fix it and get out ahead of the story. Those that don't give a damn about security will get doubly shamed when the names go public and they're seen to not take it seriously.
  
  9 0 Reply
  1. Friday 18th December 2015 16:30 GMT Anonymous Coward
    
    Re: NWhat you need to do
    
    is tell the banks, then publicly announce the vuln and say you'll make the list of banks public in 30 days.
    
    In the UK that would get you a spell in jail .....
    
    0 0 Reply
    1. Friday 18th December 2015 23:04 GMT Anonymous Coward
      
      Re: NWhat you need to do
      
      For a "threat" against the bank or for revealing the vulnerability? If the former, the law just encourages you to skip the grace period and make the problems public immediately.
      
      Though to be honest, flaws that store information unencrypted in the filesystem don't really worry me that much. If it is your password being stored, they have to get hold of your unlocked phone to have a chance of accessing that, but if they have possession of your unlocked phone they can just start the app which presumably is using that password for autologin purposes so you're screwed either way! If it is your balance etc. being stored unencrypted, there are plenty of other ways to get that already, like stealing your mail, hacking into your email, fishing a receipt out of the trash after you've visited an ATM, etc.
      
      0 0 Reply
    2. Sunday 20th December 2015 17:38 GMT Vic
      
      Re: NWhat you need to do
      
      In the UK that would get you a spell in jail
      
      On what grounds?
      
      Vic.
      
      0 0 Reply
      1. Monday 21st December 2015 15:57 GMT caffeine addict
        
        Re: NWhat you need to do
        
        Only thing I can think AC meant is blackmail, but you would need to have some money/services transfer for that.
        
        0 0 Reply
  2. Sunday 20th December 2015 05:58 GMT Michael Thibault
    
    Re: Name and shame
    
    I get the private heads-up, then a public announcement of the general state of the world, and, eventual making the list of apps considered public.
    
    Alternatively, skip the last part and do a follow-up, unannounced and naming names, some time after the public annnouncement of the general lay of things. No possibility of interpreting that as a shake-down, or as a threat.
    
    However, the convention of 30 days is a courtesy and a mis-guided convenience to businesses (banks, in this case)--particularly if it becomes more and more entrenched, as that will give businesses ample opportunity to scramble to protect what really matters: their public image. In the publishing regime under consideration, there isn't any in-built incentive for businesses to do more than foist the security assessment on someone else (researchers, for example), and the costs onto users/clients. That incentive is necessary if there's any expectation that businesses will become otherwise than simply reactive to security issues brought to their attention from without. The unannounced that-was-then-and-this-is-now assessment might serve that purpose, if it--instead--becomes the convention.
    
    0 0 Reply
Friday 18th December 2015 16:20 GMT Zog_but_not_the_first

Banking on a phone?

Nah!

7 1 Reply
1. Friday 18th December 2015 17:10 GMT Nate Amsden
  
  Re: Banking on a phone?
  
  Damn right. No banking or health related personal data touches my phone or tablets.
  
  Only purchases I've ever made on mobile are from the google play store (and HP store back when I used webos). Even then only used BofA shopsafe credit cards. I'm more than happy using my laptop for such things instead. I'm not in a hurry.
  
  Almost all "apps" want too many permissions so I don't even install them on my phone.
  
  5 0 Reply
  1. Friday 18th December 2015 17:37 GMT BebopWeBop
    
    Re: Banking on a phone?
    
    Absolutely. I have plenty of ways of losing my money through laziness, incompetence or naivite. Why add to the mix and let someone else help, especially as I suspect the banks will fight tooth and nail to deny me any redress for their errors.
    
    5 0 Reply
2. Saturday 19th December 2015 00:09 GMT jonathanb
  
  Re: Banking on a phone?
  
  How does it compare in terms of security with banking on a website, with all the security problems web browsers and the operating system thy run on have?
  
  4 0 Reply
  1. Sunday 20th December 2015 09:45 GMT Adrian Harvey
    
    Re: Banking on a phone?
    
    It varies bank by bank of course, but for my bank (ANZ) it's more secure on mobile. That's because when you initially set it up it creates secure device credentials (which you can check from the app and invalidate lost/sold/stolen devices). It is then not sending my password over the net (encrypted or not passwords shouldn't be sent - the web is leading us astray here)
    
    0 0 Reply
Saturday 19th December 2015 18:18 GMT Anonymous Coward

the title is misleading

It make it sound like iOS is the issue. It is just plain bad programming/architecture on the banks side

1 0 Reply
Saturday 19th December 2015 18:18 GMT Anonymous Coward

The title is misleading

It make it sound like iOS is the issue. Not verifing the cert is plain programming issue on the banks. I bet if the researcher bother to look into the android version it contains the same issue.

1 0 Reply
1. Sunday 20th December 2015 17:03 GMT Anonymous Coward
  
  Re: The title is misleading
  
  Not really, despite what you have been lead to believe by untrustworthy secuirty companies, the inner workings of android is more secure than iOS. An area in particular is sandboxing and inter-app communication. There is only one method on Android (intents) and there is no way to disguise this. On iOS its far easier to covertly access other apps data. It's was happening for years that many apps were upyo no good on iOS stealing data and uploading it without consent. Some of the holes were plugged with blu tak and sellotape, but many still remain. IOS was never designed with security in mind, it was tacked on afterwards.
  
  http://venturebeat.com/2012/02/14/iphone-address-book/
  
  0 1 Reply
  1. Monday 21st December 2015 09:30 GMT Naselus
    
    Re: The title is misleading
    
    Regardless, Apple can't really be blamed for this one - and it's not exactly out of character for banks to be utterly disinterested in mobile banking security, is it? They managed to shift all the risks onto the user and if it's hacked then they just claim that the user must have been careless with their passwords etc. Until the banks are made more accountable for the loss (like they are with in-person fraud) they have no real incentive to tighten up.
    
    0 0 Reply