Jump to content

Most iPhone banking apps vulnerable to hacking


Recommended Posts

http://cdn.mos.techradar.com/art/mobile_phones/iPhone/iPhone%205S/Hands%20on/HandsOn3/iPhones5S-HandsOn-07-470-75.JPG

A report from security assessment firm IOActive suggests that most mobile banking apps for iPhone and iPad are full of flaws.

IOActive researcher Ariel Sanchez recently studied the security features of 40 mobile banking apps for iOS, including the apps used by some of the world's leading financial institutions.

All of the apps that Sanchez tested could be installed and run on jailbroken devices, which have been modified by the user to accept apps unauthorized by Apple. Running an app on a jailbroken device lets attackers circumvent the security features built into iOS and access the restricted resources of other apps on a user's device.

In an IOActive blog post outlining his research, Sanchez noted that 40 per cent of the apps tested had compromised transport mechanisms and 90 per cent had non-SSL links. This leaves app users susceptible to 'man-in-the-middle' attacks. In such attacks, users may be redirected to malicious sites where their login information can be stolen.

Attacks at the coffee shop?

These attacks are more likely to happen on untrusted networks like WiFi hotspots, which makes mobile banking from public locations like coffee shops less of a convenience and more of a nightmare waiting to happen.

In his blog post, Sanchez notes that phishing attacks that utilize cross-site scripting have become very popular lately, often resulting in the theft of a victim's login credentials. In a typical attack, the user might be asked to re-enter his or her username and password "because the online banking session has expired." Such an attack can give cybercriminals full access to a customer's bank accounts.

Sanchez offered some recommendations for developers of mobile banking apps to consider in the future. These include tightening the security of transfer protocols for all connections made, enforcing SSL certificate checks by the client application, encrypting data using iOS's own data protection and removing all development code from the released application.

http://rss.feedsportal.com/c/669/f/415085/s/35e4a636/sc/15/mf.gif


http://da.feedsportal.com/r/186528841484/u/49/f/415085/c/669/s/35e4a636/sc/15/rc/1/rc.img
http://da.feedsportal.com/r/186528841484/u/49/f/415085/c/669/s/35e4a636/sc/15/rc/2/rc.img
http://da.feedsportal.com/r/186528841484/u/49/f/415085/c/669/s/35e4a636/sc/15/rc/3/rc.img

http://da.feedsportal.com/r/186528841484/u/49/f/415085/c/669/s/35e4a636/a2.imghttp://pi.feedsportal.com/r/186528841484/u/49/f/415085/c/669/s/35e4a636/a2t.imghttp://feeds.feedburner.com/~r/techradar/software-news/~4/YCwEOk0jcQU
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...