Developers required to fix bugs in applications within 180 days under new Microsoft policy
Developers required to fix bugs in applications within 180 days under new Microsoft policy

A critical security bug put millions of banking app users at risk, according to researchers from the University of Birmingham.


The vulnerability affected a host of otherwise well-secured banking apps, including ones from high-street brands such as HSBC, NatWest and Co-op banks, and potentially enabled a hacker to launch a man-in-the-middle (MitM) attack to steal usernames and passwords.


After creating a tool called ‘Spinner' that carried out ‘semi-automated security testing' of apps, the researchers uncovered the issue, which centres around TLS “certificate pinning”. This normally enhances connection security, but if not implemented correctly can allow potential attackers access.


The researchers presented their findings in a paper, summarising the certificate pinning issue: “By proxying TLS connections with a trusted certificate for an unrelated hostname, one cannot distinguish whether the app rejects the connection because the hostname is invalid, or because a chain of trust cannot be established due to pinning being in use. While pinning to the server public key would be secure, to test for apps that pinned to higher up the certificate chain, we obtained a free Comodo certificate for our own hostname and found that this certificate was accepted by apps from Natwest and Co-op bank, meaning that these apps could be MITMed and were not secure…”


Amit Sethi, principal consultant at Synopsys explained: “Certificate pinning is often used by mobile apps to ensure that they are communicating with the right server(s). It enables organisations to avoid some of the issues associated with Public Key Infrastructure where any one of hundreds of certificate authorities can issue certificates for any server. However, implementing certificate pinning requires dealing with cryptography, which is difficult to get right. A poor certificate pinning implementation could result in an application being more vulnerable to man-in-the-middle attacks than if it simply relied on Public Key Infrastructure.

“Organisations can ensure that their users' apps are up to date by having their apps send version information to their servers whenever they are started. They can then choose to deny service to old versions of the apps. This is not a trivial feature to implement however and if an attacker can perform a man-in-the-middle attack, then this protection can be bypassed.”


The researchers worked with the UK's National Cyber Security Centre (NCSC) to liaise with affected institutions, and the vulnerability has now been patched by the banks.


Mark James, security specialist at ESET, commented: ''Mobile banking is always a concern, wherever you do it; it's one of those things that seems like a great idea until you start to list all the “what if's”. This is no different! You think you're talking with your bank, and your bank thinks it's talking to you, but essentially there is someone in the middle, handling all your sensitive data. The problem is, most of the time you will never know! Using financial services through your mobile device, either a smartphone or tablet, should ideally be done through your cellular connection if possible, or if not then through a VPN to minimise the chances of your connection being hijacked.”


David Emm, principal security researcher at Kaspersky Lab told SC Media UK that consumers and businesses alike needed to sharpen up: “It's good to see the banks respond quickly to fix their apps, clearly showing that they are conscious of the need to make them as secure as possible.  But consumers also need to take care when banking online – updating their device as soon as updates become available, securing their devices, using secure wi-fi for confidential transactions or using VPN technology to secure their transactions are all efficient ways of ensuring protection”

The full research paper (pinner: Semi-Automatic Detection of Pinning without Hostname Verification) was presented at the 33rd Annual Computer Security Applications Conference in Orlando, Florida last week - an initial version is here.