Researchers demo iOS banking app hack

Mobile banking transactions may be on the rise, but banks may face an uphill struggle to keep them secure from cyber-criminals.

Researchers demo iOS banking app hack
Researchers demo iOS banking app hack

Researchers from Arxan, an application security company which specialises in reverse engineering, recently demonstrated how hackers can use ‘method swizzling' and a rogue application to compromise a user's online banking and, consequently, steal and transfer money out of the account.

In a live demonstration to SCMagazineUK.com, Winston Bond, sales engineer and security solutions architect at Arxan, showed how a rogue application – downloaded from an unofficial app store like Cydia or even Apple's own App Store - can be used in conjunction with ‘method' swizzling to compromise a jailbroken iOS device, and the mobile banking application running on it.

[Bond did admit that if the app were to pass Apple's App Store review process, it would not remain available to download for long].

In this case, the applications used for the hack were test versions created entirely to show off how hackers could connect to bank servers. The rogue application was, in this case, for showing the co-ordinates from the iPad's accelerometer, but both Bond – and Arxan director of EMEA sales Mark Noctor – concurred that hackers could well look to create a more popular app, such as a clone of the popular Flappy Birds game, in order to simultaneously pilfer money from thousands of bank accounts.

“You could be on three million devices before you know it,” said Noctor, when speaking about how a bogus popular game application could be used to compromise an iOS banking app.

On the attack itself, Bond said that method swizzling is ‘very easy' from the attackers perspective. Method swizzling is a feature of Apple's Objective C runtime programming language, which is often used by iOS developers to exchange one method for another, making it useful for usage logging, performance, or even adding or augmenting features. 

In addition, method swizzling is often used in the jailbroken community for user interface (UI) tweaks, and changing gesture controls. Fortunately, this kind of attack is only viable if the device has been jailbroken.

Quizzed by SCMagazineUK.com on whether this reduces the threat that this kind of remote reverse engineering attack could be used on popular mobile banking apps, Bond said: “Yes, a relatively small number of people have jailbroken [their devices] but it's not insignificant.”

The company's demonstration came after it released its 'State of Security in the App Economy' report, which revealed that 78 percent of the leading 100 iOS and Android apps have been hacked.

Both Bond and Noctor are mindful that attackers are grouping into organised gangs, and increasingly attacking applications that can make money. As a result, some banks appear to be very wary of the threats facing online banking.

“Some banks are paranoid, and it's to that extent that they find us,” said Noctor, who added that forward-thinking banks are starting to embrace two-factor authentication. Arxan's technology is able to detect compromised applications and jailbroken devices, allowing access to be shut off or for transactions to be limited, and the company says it is working with numerous mid to large-sized banks in Europe.

Trustwave senior security consultant Neal Hindocha, who showed how touchlogging can be an issue on iOS and Android devices at RSA 2014, told SCMagazineUK.com that while method swizzling is often used for good by app developers, security researchers and jailbreakers - it can also be used by hackers seeking to perform man-in-the-middle (MiTM) attacks.

"What developers need to do is to force attacks onto their app. They need to assume that it's working in a hostile environment," said Hindocha. Caleb Barlow, director of application, data and mobile security at IBM, further urged developers to scan app source code for vulnerabilities, ensure apps can identify mobile malware and harden them to ensure transaction integrity.

"Mobile applications are relatively easy to attack and rogue variants of legitimate applications are rapidly becoming the problem on mobile," said Barlow.

Arxan's demonstration came just days after the British Bankers Association reported that mobile banking transactions had doubled, to 5.7 million mobile transactions a day, in the space of a year.

Jason Hill, lead security researcher at Websense, told SCMagazineUK.com that the increase in popularity of cashless payments is likely to be matched by bad guys with bad intentions.

“Cashless payment methods and the reliance on mobile technologies is only likely to increase in the future,” he said.

“Given this, users need to increase their personal security awareness to ensure that they utilise all of the security controls that are available to them. Financial institutions are also likely to continue to evaluate suitable authentication and security mechanisms which, hopefully driven by consumer demand for enhanced security, will lead to suitable measures being deployed across the board.”