Mobile banking apps may be vulnerable: Testing and results

Mobile-banking applications are a nice convenience, but are they as secure as they need to be? If you use your bank's app, you need to learn what I found out.

Banking apps for mobile devices are increasing in popularity. Estimates by the financial-services firm TowerGroup suggest there will be 53 million people using mobile-banking apps by 2013.

My bank recently rolled out its own iPhone app. I downloaded it and was just about to check it out. Then, paranoia. If you read my article about whether online banking is safe or not, you will understand. What do I know about this app?

So, I started looking into mobile-banking apps. It did not take long to find out security advocates also have concerns. Spencer Ante of the Wall Street Journal raises a warning in: "Banks Rush to Fix Security Flaws in Wireless Apps." Here is the lead paragraph:

"A number of top financial companies and banks such as Wells Fargo & Co., Bank of America Corp., and USAA are rushing out updates to fix security flaws in wireless-banking applications that could allow a computer criminal to obtain sensitive data like usernames, passwords, and financial information."

The same article mentions viaForensics, a company specializing in securing mobile applications, as the firm that discovered the vulnerabilities. Good for them. My question is, why is this even happening? It is not complicated. Our banking credentials should be considered sacred, period.

On a good note, viaForensics' web site mentions their researchers are working with the affected financial institutions: "Since Monday (11/01/2010), we have been communicating and coordinating with the financial institutions to eliminate the flaws."

The blog post goes on to say: "Since that time, several of the institutions have released new versions and we will post updated findings shortly."

In the quote, viaForensics mentioned publishing new test results. That refers to their online service called appWatchdog.

Within days and to their credit, most of the banking firms pushed out updates to remove the vulnerabilities. The following appWatchdog slide displays the results from testing Wells Fargo's app for Android phones on November 3, 2010:

Three days later, the same Android app from Wells Fargo passed every test:

Why worry then?

It appears mobile-banking applications are getting fixed. It was also pointed out that viaForensics found vulnerabilities, not actual attacks. So there is nothing to worry about? Not quite; I talked to experts who disagree.

One researcher in particular voiced the following concerns:

  • Most mobile devices are so new, security apps are not available.
  • Keeping members' banking information secure should be a no-brainer, yet it is not so.
  • PCs are still a target-rich environment, so criminals are not yet focused on creating mobile-phone malware.

The researcher's first two concerns rang true. The third intrigued me, so I wanted to learn more about it. I came across this article, quoting Sean Sullivan of F-Secure: so far in 2010, F-Secure has detected 67 strains of smart-phone malware, compared to thousands aimed at PCs.

Next to the PC figure, 67 strains looks insignificant, but Mr. Sullivan also mentioned this year's total was nearly double last year's. So, stay tuned.

What's the answer?

For right now, if banking online is a must, using a dedicated PC, a LiveCD, or a bootable flash drive is still the best solution.

Final thoughts

Not sure what it all means -- is it FUD or are we making the same mistakes we do banking online with PCs? What do you think?

Update: November 29, 2010

Andrew Hoog, Chief Investigative Officer for viaForensics, contacted me today. They tested five new mobile applications: Groupon, Kik Messenger, Facebook, Dropbox, and Mint.com. All of the applications failed to securely store the username and application data. More troubling, four of them (Groupon for Android, Kik Messenger for Android, Kik Messenger for iPhone, and Mint.com for Android) were storing passwords as plain text.
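The kind of check behind these findings is simple to reproduce: log into an app with known test credentials, then search the app's private storage for them. The script below is an added example (not viaForensics' appWatchdog code, and not from the article); the file names, credentials, and the SharedPreferences XML and SQLite cache it builds are all constructed. It also shows a caveat a grep-style scan misses: an XML-escaped password ("&amp;") is still plain text, so the preferences file must be parsed, not just searched.

```python
import os
import sqlite3
import tempfile
from xml.etree import ElementTree

# Constructed test credentials: the tester logs in with these, then looks
# for them in the app sandbox (the appWatchdog approach, as described above).
TEST_CREDS = {"username": "appwatchdog_user", "password": "Tr0ub4dor&3"}

# Constructed Android SharedPreferences file as a weak app might write it.
# Note the XML-escaped '&amp;': a raw byte search will not match it.
SAMPLE_PREFS_XML = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">appwatchdog_user</string>
    <string name="password">Tr0ub4dor&amp;3</string>
</map>
"""

def scan_raw(data: bytes, label: str) -> list:
    """Byte-level search; fine for SQLite pages, logs and cache blobs."""
    return [f"{label}: {k} in plain text"
            for k, v in TEST_CREDS.items() if v.encode() in data]

def scan_prefs_xml(data: bytes, label: str) -> list:
    """Parse the XML so escaped characters are decoded before comparing."""
    values = {el.text for el in ElementTree.fromstring(data).iter("string")}
    return [f"{label}: {k} in plain text"
            for k, v in TEST_CREDS.items() if v in values]

def make_sample_sqlite(path: str, store_password: bool) -> None:
    """Constructed account cache; a fixed app keeps a token, not the password."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE account (user TEXT, secret TEXT)")
    secret = TEST_CREDS["password"] if store_password else "<session-token>"
    con.execute("INSERT INTO account VALUES (?, ?)",
                (TEST_CREDS["username"], secret))
    con.commit()
    con.close()

def audit_sandbox(store_password: bool) -> list:
    """Run both scanners over the constructed sandbox and return findings."""
    findings = scan_prefs_xml(SAMPLE_PREFS_XML, "shared_prefs/app.xml")
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "cache.db")
        make_sample_sqlite(db, store_password)
        with open(db, "rb") as f:
            findings += scan_raw(f.read(), "databases/cache.db")
    return findings
```

Running `audit_sandbox(True)` flags both credentials in both files; `audit_sandbox(False)` still flags the username, which is exactly the "failed to securely store username" result reported above.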


18 comments
JCitizen

My smart phone OS is more secure than yours! Even though it is usually always the applications that break things! It would be interesting to know if any of them were considered more secure. I always heard BlackBerrys were supposed to be pretty good, but some of the ones with Windows Mobile on them are already getting pwned. Of course the favorite should be Unix, but who am I to say anyway?

thinw002

Do applications really need to store the non-personal data securely? Usernames and passwords are a whole different story but the application cache?

seanferd

It really baffles me that banks would release apps insecure on such basic points. That is just the height of stupidity. But I am impressed that they got on board and fixed the apps without suing the security researchers. I'm also a bit baffled by this bit: Most mobile devices are so new, security apps are not available. While additional security apps are always a treat, the banks' apps should be secure in themselves, right? I don't see why that is a concern in this case, aside from the banking apps themselves not being secure. Securing those should not be the job of yet another app. Further, does this statement imply that "new" mobile devices, as bought and received, have no basic security for the usual private data normally associated with such devices baked into the standard OS and apps? I think that would be a bit of a showstopper for me, as a customer.

Michael Kassner

A security company, viaForensics, has a web page that displays security test results for mobile-banking applications. If you use a banking app, check it out. Edit: Spelling

JCitizen

I saved that one in my favorites! :)

seanferd

Surprise! Still nothing?

Michael Kassner

Any information that makes it easier for a criminal to gain your banking credentials and access to your accounts needs to be secured. The problem is that there is no real regulation as to what can be stored, so the best approach right now is to protect all of it.

seanferd

for a banking app is, by definition, sensitive personal data.

Michael Kassner

The reference was to anti-malware apps that would protect the smart phones from credential-stealing malware.

seanferd

In which case, it may make no difference whether the banking app is secure or not. I must admit that it bugs me to think of mobile devices which are not provided with decent anti-malware security out of the box. It's one thing if there is already an ecosystem with a variety of products to choose from, but phones, especially, you should be able to unwrap, turn on, and go.

Michael Kassner

It is a three-step process. Malware gets installed, finds unencrypted username and password, then sends information to the bad guys. Edit: Spelling

seanferd

bugs me to no end as well.