iOS banking apps security still not good enough, says researcher

Friday 18th December 2015 16:03 GMT Bob Dole (tm)

Name and shame

I really think these people need to get over the idea of not naming companies that are absolutely failing.

"Hey, there's some number of mobile banking apps that are horrible! However, we're not going to tell you which ones; good luck!"

If you really want this fixed, then name them. I guarantee you if the First National Bank of XYZ's name shows up on a list of Insecure Apps then they will move heaven and earth to fix it. And, please, don't tell me that naming them will cause hackers to jump all over it. Guess what - the hackers already know which ones are bad. The only people who don't are the customers.

Basically - without that information, everything else in this article is meaningless.

26 0 Reply
1. Friday 18th December 2015 16:20 GMT caffeine addict
  
  Re: Name and shame
  
  If you shame the list of banks, they'll just say "we take security seriously and we'll be looking into this immediately".
  
  What you need to do is tell the banks, then publicly announce the vuln and say you'll make the list of banks public in 30 days. Those that actually give a shit will fix it and get out ahead of the story. Those that don't give a damn about security will get doubly shamed when the names go public and they're seen to not take it seriously.
  
  9 0 Reply
  1. Friday 18th December 2015 16:30 GMT Anonymous Coward
    
    Re: NWhat you need to do
    
    is tell the banks, then publicly announce the vuln and say you'll make the list of banks public in 30 days.
    
    In the UK that would get you a spell in jail .....
    
    0 0 Reply
    1. Friday 18th December 2015 23:04 GMT Anonymous Coward
      
      Re: NWhat you need to do
      
      For a "threat" against the bank or for revealing the vulnerability? If the former, the law just encourages you to skip the grace period and make the problems public immediately.
      
      Though to be honest, flaws that store information unencrypted in the filesystem don't really worry me that much. If it is your password being stored, they have to get hold of your unlocked phone to have a chance of accessing that, but if they have possession of your unlocked phone they can just start the app which presumably is using that password for autologin purposes so you're screwed either way! If it is your balance etc. being stored unencrypted, there are plenty of other ways to get that already, like stealing your mail, hacking into your email, fishing a receipt out of the trash after you've visited an ATM, etc.
      
      0 0 Reply
    2. Sunday 20th December 2015 17:38 GMT Vic
      
      Re: NWhat you need to do
      
      In the UK that would get you a spell in jail
      
      On what grounds?
      
      Vic.
      
      0 0 Reply
      1. Monday 21st December 2015 15:57 GMT caffeine addict
        
        Re: NWhat you need to do
        
        Only thing I can think AC meant is blackmail, but you would need to have some money/services transfer for that.
        
        0 0 Reply
  2. Sunday 20th December 2015 05:58 GMT Michael Thibault
    
    Re: Name and shame
    
    I get the private heads-up, then a public announcement of the general state of the world, and, eventual making the list of apps considered public.
    
    Alternatively, skip the last part and do a follow-up, unannounced and naming names, some time after the public annnouncement of the general lay of things. No possibility of interpreting that as a shake-down, or as a threat.
    
    However, the convention of 30 days is a courtesy and a mis-guided convenience to businesses (banks, in this case)--particularly if it becomes more and more entrenched, as that will give businesses ample opportunity to scramble to protect what really matters: their public image. In the publishing regime under consideration, there isn't any in-built incentive for businesses to do more than foist the security assessment on someone else (researchers, for example), and the costs onto users/clients. That incentive is necessary if there's any expectation that businesses will become otherwise than simply reactive to security issues brought to their attention from without. The unannounced that-was-then-and-this-is-now assessment might serve that purpose, if it--instead--becomes the convention.
    
    0 0 Reply
Friday 18th December 2015 16:20 GMT Zog_but_not_the_first

Banking on a phone?

Nah!

7 1 Reply
1. Friday 18th December 2015 17:10 GMT Nate Amsden
  
  Re: Banking on a phone?
  
  Damn right. No banking or health related personal data touches my phone or tablets.
  
  Only purchases I've ever made on mobile are from the google play store (and HP store back when I used webos). Even then only used BofA shopsafe credit cards. I'm more than happy using my laptop for such things instead. I'm not in a hurry.
  
  Almost all "apps" want too many permissions so I don't even install them on my phone.
  
  5 0 Reply
  1. Friday 18th December 2015 17:37 GMT BebopWeBop
    
    Re: Banking on a phone?
    
    Absolutely. I have plenty of ways of losing my money through laziness, incompetence or naivite. Why add to the mix and let someone else help, especially as I suspect the banks will fight tooth and nail to deny me any redress for their errors.
    
    5 0 Reply
2. Saturday 19th December 2015 00:09 GMT jonathanb
  
  Re: Banking on a phone?
  
  How does it compare in terms of security with banking on a website, with all the security problems web browsers and the operating system thy run on have?
  
  4 0 Reply
  1. Sunday 20th December 2015 09:45 GMT Adrian Harvey
    
    Re: Banking on a phone?
    
    It varies bank by bank of course, but for my bank (ANZ) it's more secure on mobile. That's because when you initially set it up it creates secure device credentials (which you can check from the app and invalidate lost/sold/stolen devices). It is then not sending my password over the net (encrypted or not passwords shouldn't be sent - the web is leading us astray here)
    
    0 0 Reply
Saturday 19th December 2015 18:18 GMT Anonymous Coward

the title is misleading

It make it sound like iOS is the issue. It is just plain bad programming/architecture on the banks side

1 0 Reply
Saturday 19th December 2015 18:18 GMT Anonymous Coward

The title is misleading

It make it sound like iOS is the issue. Not verifing the cert is plain programming issue on the banks. I bet if the researcher bother to look into the android version it contains the same issue.

1 0 Reply
1. Sunday 20th December 2015 17:03 GMT Anonymous Coward
  
  Re: The title is misleading
  
  Not really, despite what you have been lead to believe by untrustworthy secuirty companies, the inner workings of android is more secure than iOS. An area in particular is sandboxing and inter-app communication. There is only one method on Android (intents) and there is no way to disguise this. On iOS its far easier to covertly access other apps data. It's was happening for years that many apps were upyo no good on iOS stealing data and uploading it without consent. Some of the holes were plugged with blu tak and sellotape, but many still remain. IOS was never designed with security in mind, it was tacked on afterwards.
  
  http://venturebeat.com/2012/02/14/iphone-address-book/
  
  0 1 Reply
  1. Monday 21st December 2015 09:30 GMT Naselus
    
    Re: The title is misleading
    
    Regardless, Apple can't really be blamed for this one - and it's not exactly out of character for banks to be utterly disinterested in mobile banking security, is it? They managed to shift all the risks onto the user and if it's hacked then they just claim that the user must have been careless with their passwords etc. Until the banks are made more accountable for the loss (like they are with in-person fraud) they have no real incentive to tighten up.
    
    0 0 Reply

Psst, free advice: You need a hybrid multi-cloud – and here are three reasons why

A tale of mainframes and students being too clever by far

AWS adds database on-ramp to its Arm-powered instances

Amazon gets green-light to blow $10bn on 3,000+ internet satellites. All so Americans can shop more on Amazon

Apple's big trouble in not-so-little China - culls 30,000 apps from its Middle Kingdom App Store in legal crackdown

Brit local authority appoints a systems integrator in leap to Oracle cloud, but support time-bomb is already ticking

Linus Torvalds pines for header file fix but releases Linux 5.8 anyway

Microsoft confirms pursuit of TikTok after Satya Nadella chats to Donald Trump

Days after Trump suggests pausing election over security, US House passes $500m for states to do just that

UK Defence Committee chair muses treating TikTok like Huawei: So eyeball its code then ban it from the country?

Linux Foundation rolls bunch of overlapping groups into one to tackle growing number of open-source security vulns

'We stopped ransomware' boasts Blackbaud CEO. And by 'stopped' he means 'got insurance to pay off crooks'

Are your homegrown business apps as secure, fast and usable as they could be?

New Relic streamlines app monitoring tools, shifts to per-user, pay-as-you-go pricing, adds free tier to lure you in

Feeling unInspired? We can't help much with that, but there is a new .NET 5 preview and an Azure DevOps roadmap

Rancher rides off into the SUSE-set after acquisition by Linux outfit

In the halcyon days before Brexit, takeover attempts, and COVID-19, HP made 1.3% pre-tax profit on sales at UK limb

Struggling company pleads with landlords to slash rents as COVID-19 batters UK high street. The firm's name? Apple

Architect of tech contractor tax fraud scheme jailed for at least five years

Australia to force Google and Facebook to pay for news and reveal algorithm changes before they whack web traffic

Alarming news: ADT to flog Nest smart home kit after Google ploughs $450m into corporate security dinosaur

Dynabook Portégé X30L-G: So light, you might even forget about its terrible keyboard

Co-inventor of the computer mouse, William English, dies

World takes tablets during COVID lockdowns, with shipments spiking 18%

Virgin Galactic pals up with Rolls-Royce to work on Mach 3 Concorde-style private jet that can carry up to 19 people

Voyager 1 cracks yet another barrier: Now 150 Astronomical Units from Sol

And it's off! NASA launches nuke-powered, laser-shooting, tank Perseverance to Mars to search for signs of life

Boeing confirms it will finish building 747s in 2022, when last freighter flies off the production line

If you're on invite-only tech-testing scheme, take care with Amazon's Alexa-powered answer to Google's Glass

Microsoft to Cortana: you’re not going out dressed in iOS or Android, young lady!

US drugstore chain installed anti-shoplifter facial-recognition cameras in 200 locations – for eight years

Lizards for lunch? Crazy tech? Aliens?! Dana Dash: First Girl on the Moon is perfect for the little boffin-to-be in your life

The Last of Us Part II: Never mind the Metacritic nonsense, Naughty Dog's ultra-violent odyssey is a must-play*

An irritating itch down the back of your neck? Searing midsummer heat? Of course, it can only be SysAdmin Day

Elite name on Brit scene sponsors retro video games preservation project at the Centre for Computing History

Dutch Gateway store was kept udder wraps for centuries until refit dug up computing history

User topics

Article topics

User topics

Article topics

COMMENTS

Name and shame

Re: Name and shame

Re: NWhat you need to do

Re: NWhat you need to do

Re: NWhat you need to do

Re: NWhat you need to do

Re: Name and shame

Banking on a phone?

Re: Banking on a phone?

Re: Banking on a phone?

Re: Banking on a phone?

Re: Banking on a phone?

the title is misleading

The title is misleading

Re: The title is misleading

Re: The title is misleading

POST COMMENT House rules

Enter your comment

Add an icon

ABOUT US

MORE CONTENT

SITUATION PUBLISHING

SIGN UP TO OUR NEWSLETTERS