Research from the University of Birmingham is bringing bad news for users of mobile apps from HSBC, Bank of America, Meezan Bank, and Smile Bank: All their apps are vulnerable to man-in-the-middle (MITM) attacks that could leave account credentials open to theft.

Five apps from HSBC contain the vulnerability (HSBC, HSBC Business, HSBCNet, HSBC Identity, and HSBC Private), bringing the total number of vulnerable banking apps to eight.

Considering that the apps collectively have tens of millions of users, eight is more than enough for this particular flaw to be a serious discovery.

A certificate pinning nightmare

Certificate pinning, where a certificate is only accepted if it is signed by a single Certificate Authority (CA) root certificate, is becoming a popular form of security for transport layer security (TLS) connections that transmit sensitive data over the internet. The University of Birmingham researchers found a flaw in pinning, however: It can “hide the lack of proper hostname verification, enabling MITM attacks.”

What that means is that the pinning code in these apps checks that the server's certificate was signed by the expected CA, but never checks that the certificate was actually issued for the hostname the app is connecting to. Any certificate from that CA, issued for any domain, is accepted. This could allow a savvy attacker to intercept traffic, spoof the certificate, and hijack personal data. Account information and credentials, in other words, are open to whoever can capture them.
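To make the flaw concrete, here is an added Python sketch (not the researchers' Spinner code and not from any of the named apps) that puts the pin-only check beside a check that also validates the hostname against the leaf certificate's subject alternative names. The `Cert` type, the CA key bytes and the domain names are constructed stand-ins for a parsed certificate, not real values.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List

@dataclass
class Cert:
    """Minimal stand-in for a parsed leaf certificate (constructed for this example)."""
    issuer_spki: bytes                               # public key of the signing CA
    san_dns_names: List[str] = field(default_factory=list)

def spki_pin(spki: bytes) -> str:
    """Pin value: SHA-256 over the (constructed) CA public key bytes, hex-encoded."""
    return hashlib.sha256(spki).hexdigest()

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or one wildcard covering the leftmost label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def verify_pin_only(cert: Cert, expected_pin: str) -> bool:
    """The flawed pattern described above: accept any leaf signed by the pinned CA."""
    return spki_pin(cert.issuer_spki) == expected_pin

def verify_pin_and_hostname(cert: Cert, expected_pin: str, hostname: str) -> bool:
    """Corrected check: the pin AND a hostname match against the leaf's SAN entries."""
    if not verify_pin_only(cert, expected_pin):
        return False
    return any(dns_name_matches(name, hostname) for name in cert.san_dns_names)

# Constructed sample data: one CA key, the bank's own leaf, and a second leaf
# for an unrelated domain issued by the same CA (the situation Spinner probes for).
BANK_CA_SPKI = b"constructed-ca-public-key-bytes"
BANK_PIN = spki_pin(BANK_CA_SPKI)
BANK_LEAF = Cert(BANK_CA_SPKI, ["www.bank.example", "*.bank.example"])
OTHER_LEAF = Cert(BANK_CA_SPKI, ["www.other.example"])

def demo() -> dict:
    """Pin-only accepts both leaves; the full check rejects the unrelated one."""
    return {
        "bank_pin_only": verify_pin_only(BANK_LEAF, BANK_PIN),
        "other_pin_only": verify_pin_only(OTHER_LEAF, BANK_PIN),
        "bank_full": verify_pin_and_hostname(BANK_LEAF, BANK_PIN, "api.bank.example"),
        "other_full": verify_pin_and_hostname(OTHER_LEAF, BANK_PIN, "api.bank.example"),
    }
```

On a real platform the hostname check is what the TLS library's default verifier already does; the defect is custom pinning code that replaces it instead of running in addition to it.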


To test this, the researchers built a tool called Spinner, which attempts the aforementioned attack. They were able to successfully intercept traffic on eight of the 400 apps they tested: a small proportion, but no comfort to the millions of people who use those eight apps.

Normally, the research paper explained, “detection of this vulnerability would typically require the tester to own a high security certificate from the same issuer (and often same intermediate CA) as the one used by the app.” Spinner, however, doesn’t require that, and can intercept traffic and steal information without needing a single certificate.

“By redirecting traffic to websites which use the relevant certificates and then analysing the (encrypted) network traffic we are able to determine whether the hostname check is correctly done, even in the presence of certificate pinning,” the researchers said.

Problem solved? For now

All of the flawed apps the researchers found have reportedly been patched, so users don’t need to worry about the flaw being exploited. That may be little consolation for users of future apps that rely on certificate pinning, however.

The researchers state that adoption of certificate pinning has been slow because its complexity is misunderstood. As more apps begin implementing it to increase security, they could end up exposing users to greater risks.


Incidents like these highlight the need for proper security testing. While the certificate pinning flaw found in this case was well hidden and, according to the researchers, probably not actually exploited, that doesn't mean other vulnerabilities won't be more noticeable.

Users of the affected banking apps should be sure theirs is up to date. Developers planning to implement certificate pinning should run their apps through Spinner, which can be found on GitHub.

Update: After the publishing of this story, a Bank of America spokesperson contacted TechRepublic with the following statement: “The vulnerability identified was resolved in Bank of America’s Health app nearly two years ago in January 2016. The app is no longer available as of June 2017. At no time was customer information impacted.”

The top three takeaways for TechRepublic readers:

  1. A certificate pinning flaw has left tens of millions of users of eight banking apps subject to possible man-in-the-middle attacks. The flaw comes from pinned certificates not verifying the hostname.
  2. The research team that discovered the flaw developed a tool called Spinner to test mobile apps that use certificate pinning. The tool will be available in the future for other developers and testers to use.
  3. All of the apps that contained the flaw have since been patched. Users should be sure their apps are up to date if they were affected.
