According to the company, they tested 40 iOS-based banking apps from banks around the world, and based on their findings, 40% of the apps tested are vulnerable to man-in-the-middle attacks simply because they do not validate the authenticity of SSL certificates. It was also found that 20% lacked “Position Independent Executable and Stack Smashing Protection enabled”, which, for those unfamiliar, are protections against attacks that exploit memory corruption. More disturbingly, 40% leave sensitive information in system logs, and 30% use hard-coded credentials of some kind. It should be noted that these vulnerabilities are on the client’s side, meaning that even if the bank’s side is secure, hackers could intercept client information simply because of these flaws in the apps.
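As an added example (not code from IOActive or the report), here is a small Python check a defender can run over a decrypted, thinned iOS app binary to see whether the PIE flag is set in its Mach-O header and whether stack-protector symbols are referenced; the Mach-O blobs built by `build_sample` are constructed for the demonstration and are not real executables.

```python
import struct

# Mach-O header magics (thin binaries only; fat/universal files must be thinned first)
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE
MH_PIE = 0x200000  # flag bit in mach_header.flags: position-independent executable
# A binary compiled with -fstack-protector references these symbols (Stack Smashing Protection)
CANARY_SYMBOLS = (b"___stack_chk_fail", b"___stack_chk_guard")


def parse_mach_header(data: bytes):
    """Return (is_64bit, flags) from a thin Mach-O header, or raise ValueError."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (MH_MAGIC_64, MH_MAGIC):
        endian = "<"
    elif magic in (MH_CIGAM_64, MH_CIGAM):
        endian = ">"
        magic = struct.unpack(">I", data[:4])[0]
    else:
        raise ValueError("not a thin Mach-O file")
    # mach_header layout: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    fields = struct.unpack(endian + "7I", data[:28])
    return magic == MH_MAGIC_64, fields[6]


def check_hardening(data: bytes) -> dict:
    """Report PIE and stack-canary status for one app binary."""
    is_64, flags = parse_mach_header(data)
    return {
        "64bit": is_64,
        "pie": bool(flags & MH_PIE),
        # Heuristic: a raw scan for the symbol names, as `otool -Iv | grep stack_chk` would show
        "stack_canary": any(sym in data for sym in CANARY_SYMBOLS),
    }


def build_sample(flags: int, with_canary: bool) -> bytes:
    """Constructed minimal Mach-O-like blob (arm64 MH_EXECUTE header) for demonstration only."""
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 0, 0, flags, 0)
    body = b"\x00" * 32
    if with_canary:
        body += b"___stack_chk_fail\x00___stack_chk_guard\x00"
    return hdr + body


if __name__ == "__main__":
    print("hardened:", check_hardening(build_sample(MH_PIE, True)))
    print("weak:    ", check_hardening(build_sample(0, False)))
```

On a real device-extracted binary, run `check_hardening(open(path, "rb").read())` after thinning with `lipo -thin`; `otool -hv` (header flags) and `otool -Iv` (imported symbols) give the authoritative answer.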
IOActive claims that it has notified the different banks about the vulnerabilities it discovered, so we guess it really is up to these banks as to whether they will do something about it and make the necessary changes.