On 6th December researchers from the University of Birmingham announced that they had found a security flaw that had 10 million banking app users at risk.
The researchers have developed a tool to perform semi-automated security testing of mobile phone apps. After running the tool on a sample of 400 security critical apps, they were able to identify a critical vulnerability in banking apps; including apps from HSBC, NatWest, Co-op and Bank of America Health. This vulnerability allowed an attacker, who is connected to the same network as the victim (e.g., public WiFi or corporate), to perform a so called “Man in the Middle Attack” and retrieve the user’s credentials such as username and password/pin code.
Winston Bond, Technical Director EMEA at Arxan, had this to say on this research and the measures that consumers and banks should be taking to mitigate these risks:
“Banks should fix vulnerabilities as quickly as they can and push updates to their customers. One of the issues highlighted by this research is that users of older Apple devices, that are restricted to older iOS versions, can’t pick up any updates once the app developer moves the minimum OS version for the app beyond their version. They are stuck on the last compatible version, with whatever bugs and vulnerabilities that includes.
For banks and other organisations to protect themselves from outdated apps every major app developer has to balance the relentless pressure to adopt the latest iOS features against the need to keep updating the users of older devices.
For users the best advice is to keep as up-to-date as they can. RBS and Natwest customers with the same old Apple device that the researchers used (probably a 1st generation iPad, which is limited to iOS 5.1.1) should probably think about using something else for their banking. At the very least, they should be wary of public WIFI networks.
Certificate pinning is a way to make sure that a mobile app will only talk directly to the server that it is meant to. All the communications traffic is strongly encrypted and it can only be understood when it gets to the right place. In this case, it stops anyone getting between you and the bank and seeing how much money you have in your account or changing the details when you tell the bank to pay someone.
There are several ways to implement certificate pinning, with some trade-offs between flexibility and security. The latest best practise that we see in Arxan’s customers is very much at the “Secure” end of that spectrum. Which is good, because the research from this team shows that allowing too much flexibility will allow a smart attacker to break the system.
The University of Birmingham team has managed to carry out these attacks while following the app store license agreement rules that prohibit reverse engineering or modification of apps. Real attackers won’t play so nicely.
Arxan’s customers reinforce their effective certificate pinning with measures that hinder reverse engineering and stop attackers changing the app to break the certificate pinning.”