Mobile banking has become very popular due to convenient access to accounts and resources it provides.
Many popular banks now have mobile apps and I’m sure most of us have wondered just how secure they are.
Security researcher Ariel Sanchez at IOActive Labs took a look at 40 iOS banking apps and found they are not as secure as we’d hope.
Sanchez found that 50 percent of the apps he tested were vulnerable to JavaScript injections, 70 percent do not use multi-factor authentication, and most leaked data in logging output.
Surprising numbers, considering the personal data involved, another case of us putting our trust in developers creating a secure product.
The JavaScript attack would target the UIWebView class in iOS, allowing the attacker to inject a false web form that could capture banking credentials. A form of the bank Trojan’s favorite type of attack, the man-in-the-middle.
Multi-factor authentication has been slow to be adopted here in the U.S. and is a nice added layer of defense. Typically, we see it in the form of two-factor where confirmation via SMS or voice call is required.
You can read the full write-up here where IOActive goes into detail regarding other vulnerabilities.
The bank apps involved in the testing were not listed and have not been targeted based on their vulnerabilities to date.
IOActive has contacted the banks to share their findings, hopefully they will take Ariel’s discoveries seriously and look into updating their apps.
To keep safe while mobile banking always use a secure connection–no public WiFi, set-up multi-factor authentication–if offered, and log out of your account when done.