Researcher revisits issue of insecure iOS mobile banking apps

Problems and vulnerabilities still abound in mobile banking apps despite improvements over the last two years.

Security consultant Ariel Sanchez of IOActive has revisited research he carried out two years ago, to get a global view of the state of mobile banking app security.

He found that five of the 40 audited iOS mobile banking apps, in use around the world, failed to validate the authenticity of the SSL certificate presented by the server. This exposes them to Man-in-the-Middle (MitM) attacks: anyone who can intercept the connection can present their own certificate and read or modify the session, which defeats the purpose of using SSL at all.

Thirty percent of the apps also failed to validate incoming data before using it, leaving them potentially open to JavaScript injection.

Over 35 percent of the apps contained plain-HTTP (non-SSL) links. Because such traffic is neither encrypted nor authenticated, an attacker on the network path can hijack it and inject arbitrary JavaScript/HTML code, for example to present a fake login prompt or something similar.
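The three transport-side findings above (missing certificate validation, unvalidated data reaching JavaScript, and plain-HTTP links) are the kind of thing an auditor first looks for in the strings of a decrypted app binary before spending time on a proxy. The following is an added example of such a triage check, written for this article; it is not IOActive's tooling or code from any of the audited apps. The marker names are real Apple API names whose presence warrants a look, the noise-host list and the sample "binary" are constructed here, and `scan_binary` is a hypothetical helper name.

```python
import re
from typing import Dict, List

# Legacy/private API names whose presence in an iOS binary indicates that
# TLS certificate validation is switched off outright.
CERT_BYPASS_MARKERS = (
    b"setAllowsAnyHTTPSCertificate:forHost:",   # private NSURLRequest selector
    b"allowsAnyHTTPSCertificateForHost:",       # its class-method counterpart
)

# API names that *can* weaken validation depending on the value passed;
# worth reading the surrounding code rather than an automatic finding.
CERT_REVIEW_MARKERS = (
    b"kCFStreamSSLValidatesCertificateChain",   # CFStream: false disables chain checks
    b"kCFStreamSSLAllowsAnyRoot",               # CFStream: true accepts any root
    b"SSLSetEnableCertVerify",                  # Secure Transport: false disables verify
)

# Hosts that show up in nearly every nib/plist as schema or DTD references;
# a plain-http URL to these is not a network link the app will fetch.
# (Constructed list for this example; extend it for your own triage.)
NOISE_HOSTS = (b"www.w3.org", b"www.apple.com/DTDs", b"purl.org", b"ns.adobe.com")

STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")   # same idea as the `strings` tool
HTTP_URL_RE = re.compile(rb"http://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def extract_strings(data: bytes) -> List[bytes]:
    """Return every run of 4+ printable ASCII bytes, like `strings`."""
    return [m.group(0) for m in STRING_RE.finditer(data)]


def scan_binary(data: bytes) -> Dict[str, List[str]]:
    """Triage one decrypted Mach-O blob for the three transport issues."""
    findings: Dict[str, List[str]] = {"cert_bypass": [], "plain_http": [], "review": []}

    for s in extract_strings(data):
        for marker in CERT_BYPASS_MARKERS:
            if marker in s:
                findings["cert_bypass"].append(marker.decode())
        for marker in CERT_REVIEW_MARKERS:
            if marker in s:
                findings["review"].append(marker.decode())
        for m in HTTP_URL_RE.finditer(s):
            url = m.group(0)
            if any(host in url for host in NOISE_HOSTS):
                continue                      # schema/DTD reference, not a fetch
            findings["plain_http"].append(url.decode())

    # A web view plus script evaluation means app data is being turned into
    # JavaScript somewhere; whether that data is validated needs a code read.
    if b"UIWebView" in data and b"stringByEvaluatingJavaScriptFromString:" in data:
        findings["review"].append(
            "UIWebView + stringByEvaluatingJavaScriptFromString: "
            "(check what data reaches the JavaScript string)"
        )

    return {k: sorted(set(v)) for k, v in findings.items()}


# Constructed stand-in for a decrypted app binary: a few strings separated
# by NUL bytes, padded with non-printable bytes. Not taken from any real app.
SAMPLE_BINARY = (
    b"\x00\x01\xfe\xffhttps://api.example-bank.test/login\x00"
    b"http://www.w3.org/2001/XMLSchema\x00"              # nib schema noise
    b"http://static.example-bank.test/terms.html\x00"    # real plain-http link
    b"setAllowsAnyHTTPSCertificate:forHost:\x00"         # validation bypass
    b"stringByEvaluatingJavaScriptFromString:\x00UIWebView\x00"
    b"\x90\x90\xcc"
)

if __name__ == "__main__":
    for category, items in scan_binary(SAMPLE_BINARY).items():
        print(category, items)
```

Run it against the output of a jailbreak-side dump of the decrypted main executable (the App Store copy is encrypted, so `strings` on the raw IPA finds almost nothing). A hit in `cert_bypass` is a finding on its own; `plain_http` and `review` entries tell you where to put breakpoints or proxy rules next.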

Analysis of the app binaries and file systems showed that 15 percent of the apps store sensitive information unencrypted, such as details of customers' bank accounts and transaction histories. On a jailbroken device, or from an unencrypted backup, such files can simply be read off the device.
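Checking for that class of problem means pulling the app's sandbox (Documents/, Library/Preferences/, Library/Caches/) and looking at what is sitting there in the clear. The following is an added example written for this article, not IOActive's tooling or code from any audited app: it walks a directory tree and reports files containing Luhn-valid card numbers, which is the quickest way to spot account data stored unencrypted. The sandbox layout, file contents and test card numbers below are constructed for the example, and `scan_sandbox`, `find_pans` and `build_sample_sandbox` are hypothetical helper names.

```python
import os
import re
import tempfile
from typing import Dict, List

# 13-19 digit runs, optionally separated by spaces or hyphens, not glued to
# other digits. Deliberately loose; the Luhn check below removes most noise.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum: true for well-formed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(blob: bytes) -> List[str]:
    """Return Luhn-valid card numbers found in a file's raw bytes."""
    hits = []
    for m in PAN_RE.finditer(blob):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_sandbox(root: str) -> Dict[str, List[str]]:
    """Map each file under `root` that holds card numbers to those numbers."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                pans = find_pans(f.read())
            if pans:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = pans
    return findings


def build_sample_sandbox() -> str:
    """Create a constructed copy of an iOS app sandbox in a temp directory.

    Uses the public test numbers 4111111111111111 and 5500000000000004; the
    16-digit transaction id is not Luhn-valid and must not be reported.
    """
    root = tempfile.mkdtemp(prefix="bankapp-")
    files = {
        "Documents/transactions.json":
            b'[{"account": "4111111111111111", "txn_id": "1234567890123456", '
            b'"amount": 12.50, "ts": 1700000000}]',
        "Library/Preferences/com.example.bank.plist":
            b'<plist version="1.0"><dict><key>lastCard</key>'
            b'<string>5500 0000 0000 0004</string></dict></plist>',
        "Library/Caches/session.cache":
            b'{"token": "opaque-session-token", "expires": 1700003600}',
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for rel_path, pans in scan_sandbox(build_sample_sandbox()).items():
        print(rel_path, pans)
```

Point `scan_sandbox` at a sandbox copied from a jailbroken test device or extracted from an unencrypted iTunes backup. Anything it reports in Documents/ or Library/Preferences/ is data the app chose to persist in the clear; the fix on the app side is to keep such values in the Keychain or encrypt them before writing, rather than to rely on the device's lock-screen encryption alone.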

Sanchez said in a blog post, “Although the numbers are down overall, there are still a high number of apps storing insecure data in their file system. Many of them are still susceptible to client-side attacks. While overall security has increased over the two-year period, it is not enough, and many apps remain vulnerable.”
