How secure is your Mobile Banking Application?

A recent client-side-only test of mobile banking applications that run on the iOS platform uncovered several vulnerabilities.

Vulnerabilities:

  • 12.5% of the audited apps did not validate the authenticity of the SSL certificates presented, which makes them susceptible to Man-in-the-Middle (MiTM) attacks.
  • 35% of the apps contained non-SSL links throughout the application. This allows an attacker to intercept traffic and inject arbitrary JavaScript/HTML code in an attempt to create fake login prompts or similar scams.
  • 30% of the apps did not validate incoming data and were vulnerable to JavaScript injections via insecure UIWebView implementations, allowing client-side attacks.
  • 42.5% of the apps provided alternative authentication solutions to mitigate the risk of leaking user credentials and impersonation attacks.
  • Additionally, the study showed that 40% of the apps still leak information about user activity or client-server interactions, such as requests or responses from the server.
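
One way to check an app's bundled resources for the non-SSL links described above, as an added example that is not from the study or the original page. The file names, the `bank.example` hosts and the identifier allowlist are assumptions constructed for illustration.

```python
import re

# Assumption: URLs under these prefixes are XML DTD/namespace identifiers
# (every Info.plist carries the Apple DTD one) and are normally not fetched
# by the app. Review this list per app.
IDENTIFIER_PREFIXES = (
    "http://www.apple.com/DTDs/",
    "http://www.w3.org/",
)

# Match http/https URLs, stopping at whitespace, quotes and markup characters.
URL_RE = re.compile(r"""\b(https?)://[^\s"'<>)]+""", re.IGNORECASE)


def find_cleartext_links(resources):
    """Return sorted (resource, line_no, url) for each http:// link found."""
    findings = []
    for name, text in resources.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in URL_RE.finditer(line):
                if match.group(1).lower() != "http":
                    continue  # https link: encrypted in transit
                url = match.group(0).rstrip(".,;")
                if url.startswith(IDENTIFIER_PREFIXES):
                    continue  # identifier, not a navigable link
                findings.append((name, line_no, url))
    return sorted(findings)


# Constructed sample: text resources as extracted from an app bundle.
SAMPLE = {
    "Info.plist": '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
                  '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
                  '<plist version="1.0"><dict/></plist>\n',
    "help.html": '<a href="https://bank.example/login">Sign in</a>\n'
                 '<script src="http://cdn.bank.example/promo.js"></script>\n',
    "api.js": "var rates = 'HTTP://api.bank.example/rates';\n",
}

if __name__ == "__main__":
    for resource, line_no, url in find_cleartext_links(SAMPLE):
        print(f"{resource}:{line_no}: cleartext link {url}")
```

Each reported link is content an on-path attacker could modify before it reaches the web view, so script and page loads such as `promo.js` are the first ones to move to HTTPS.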