We’re sure there are many of you out there who use banking apps on their smartphones or tablets. After all, this is a great way to check and manage your finances on the go, as well as to pay back friends for a meal on a day when you did not bring cash with you. Safe to say it offers a host of conveniences. However, for the most part these apps aren’t developed by the banks themselves but outsourced to third-party developers, which is often the cheaper and more efficient option. Since the banks do not actually develop these apps themselves, there may be security flaws in them that the bank is not aware of, which is what security researchers at IOActive are warning smartphone users about.
According to the company, it tested 40 iOS banking apps from banks around the world and found that 40% of them are vulnerable to man-in-the-middle attacks simply because they do not validate the authenticity of SSL certificates. It also found that 20% lacked “Position Independent Executable and Stack Smashing Protection enabled”, which for those unfamiliar means the apps were built without the compiler protections that make memory-corruption attacks harder. More disturbingly, 40% leave sensitive information in system logs, and 30% use hard-coded credentials of some kind. It should be noted that these vulnerabilities are on the client’s side, meaning that even if the bank’s servers were secure, attackers could still get at client information through these flaws alone.
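As an added example (not from IOActive’s report or this article), here is a header-only check for the PIE finding above: it parses a thin or universal Mach-O header and reports, per architecture slice, whether the MH_PIE flag is set. The sample binaries are constructed in the script itself rather than taken from any real app.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin Mach-O magics (little-endian on iOS)
FAT_MAGIC = 0xCAFEBABE                            # universal ("fat") binary magic, big-endian
MH_PIE = 0x200000                                 # header flag: image is position independent
CPU_TYPE_ARM64 = 0x0100000C

def macho_flags(blob, offset=0):
    """Return the flags word of the thin Mach-O header that starts at offset."""
    magic, = struct.unpack_from("<I", blob, offset)
    if magic == MH_MAGIC:
        fmt = "<IiiIIII"    # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    elif magic == MH_MAGIC_64:
        fmt = "<IiiIIIII"   # same layout plus a trailing reserved word
    else:
        raise ValueError("no thin Mach-O header at offset %d" % offset)
    return struct.unpack_from(fmt, blob, offset)[6]

def pie_report(blob):
    """Map each architecture slice's file offset to whether MH_PIE is set."""
    report = {}
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat_arch, = struct.unpack_from(">I", blob, 4)
        for i in range(nfat_arch):
            # fat_arch entry: cputype, cpusubtype, offset, size, align (all big-endian)
            _cpu, _sub, off, _size, _align = struct.unpack_from(">iiIII", blob, 8 + 20 * i)
            report[off] = bool(macho_flags(blob, off) & MH_PIE)
    else:
        report[0] = bool(macho_flags(blob) & MH_PIE)
    return report

def build_thin_header(pie):
    """Constructed sample: a bare 64-bit ARM executable header with no load commands."""
    flags = 0x85 | (MH_PIE if pie else 0)   # MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL
    return struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 0, 0, flags, 0)

def build_fat(slices, spacing=64):
    """Constructed sample: wrap thin headers in a fat container, slice i at spacing*(i+1)."""
    blob = bytearray(struct.pack(">II", FAT_MAGIC, len(slices)))
    for i, s in enumerate(slices):
        blob += struct.pack(">iiIII", CPU_TYPE_ARM64, 0, spacing * (i + 1), len(s), 12)
    for i, s in enumerate(slices):
        blob += b"\0" * (spacing * (i + 1) - len(blob))   # zero padding up to the slice
        blob += s
    return bytes(blob)

if __name__ == "__main__":
    sample = build_fat([build_thin_header(True), build_thin_header(False)])
    for off, pie in pie_report(sample).items():
        print("slice at 0x%x: %s" % (off, "PIE" if pie else "NO PIE (build with -fPIE)"))
```

The stack-smashing-protection half of the finding cannot be read from the header; it requires walking the symbol table for the `___stack_chk_fail` reference, which this check does not do.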
IOActive says it has notified the banks concerned about the vulnerabilities it discovered, so we guess it really is up to those banks whether they do something about it and make the necessary changes.