Most banking applications are exposed to threats

Smartphone owners are accustomed to trusting their applications, especially those from the banking sector. However, according to experts at IOActive, most banking applications are very insecure and in need of major improvement.


Security researchers tested forty iOS applications serving sixty banks worldwide. The results were very disappointing.

40% of the applications reviewed were vulnerable to man-in-the-middle (MITM) attacks: they do not verify the authenticity of the SSL certificate presented by the server, so anyone on the network path can present their own certificate and read or alter the traffic. In addition, 20% of the applications were built without Stack Smashing Protection and without Position Independent Executable (PIE) support, two compiler-level mitigations that reduce the impact of memory corruption bugs.

Half of the applications studied are vulnerable to cross-site scripting (JavaScript injection) attacks, and more than 40% leak sensitive information into the system logs. The greatest concern, however, is that 90% of the applications contain links that are not protected by SSL. The researchers also note that on a jailbroken iOS device any application can be installed, including an insecure one.
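Three of the findings above (missing PIE, missing Stack Smashing Protection, and embedded non-SSL links) can be checked statically on the app's Mach-O binary. The following audit script is an added example written for this article; it is not IOActive's tooling. It reads the Mach-O header flags for MH_PIE, treats the presence of the stack-protector runtime symbol ___stack_chk_fail as evidence that the binary was built with -fstack-protector (the same heuristic as `otool -Iv | grep stack_chk`), and greps the image for plaintext http:// URLs. Fat (multi-architecture) files are split and each slice is audited. The sample binaries at the bottom are constructed in-line for demonstration and contain only a header plus a few strings; bank.example and cdn.example are made-up hosts.

```python
"""Static hardening audit for iOS Mach-O binaries (added example, not from the article)."""
import re
import struct
import sys

MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O (armv7), little-endian on disk
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O (arm64)
FAT_MAGIC = 0xCAFEBABE     # fat header, always big-endian
MH_PIE = 0x00200000        # mach_header.flags bit from <mach-o/loader.h>
STACK_CHK_SYMBOL = b"___stack_chk_fail"
HTTP_URL_RE = re.compile(rb"http://[\x21-\x7e]+")  # printable ASCII after the scheme


def split_fat(data):
    """Return (offset, size) for every architecture slice; a thin file is one slice."""
    if len(data) >= 8 and struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", data[4:8])[0]
        slices = []
        for i in range(nfat):
            # struct fat_arch: cputype, cpusubtype, offset, size, align (uint32, big-endian)
            _, _, off, size, _ = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
            slices.append((off, size))
        return slices
    return [(0, len(data))]


def audit_image(image):
    """Audit one thin Mach-O image and return the three hardening indicators."""
    magic = struct.unpack("<I", image[:4])[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O image: 0x%08x" % magic)
    # mach_header and mach_header_64 share the same layout up to 'flags' at offset 24.
    flags = struct.unpack("<I", image[24:28])[0]
    urls = sorted({m.decode("ascii") for m in HTTP_URL_RE.findall(image)})
    return {
        "pie": bool(flags & MH_PIE),
        "stack_protector": STACK_CHK_SYMBOL in image,  # heuristic: symbol imported from libSystem
        "plaintext_urls": urls,
    }


def audit_binary(data):
    """Audit every slice of a thin or fat binary."""
    return [audit_image(data[off:off + size]) for off, size in split_fat(data)]


# ---- constructed sample binaries (test data, not real apps) ----
def _make_image(magic, flags, payload):
    """Minimal Mach-O header (CPU_TYPE_ARM64, MH_EXECUTE, no load commands) plus payload bytes."""
    header = struct.pack("<7I", magic, 0x0100000C, 0, 2, 0, 0, flags)
    if magic == MH_MAGIC_64:
        header += struct.pack("<I", 0)  # 64-bit header has a trailing 'reserved' field
    return header + payload


def _make_fat(images):
    """Wrap (cputype, image) pairs in a fat header, as Xcode does for armv7+arm64 builds."""
    off = 8 + 20 * len(images)
    archs, blob = b"", b""
    for cputype, img in images:
        archs += struct.pack(">5I", cputype, 0, off, len(img), 0)
        blob += img
        off += len(img)
    return struct.pack(">II", FAT_MAGIC, len(images)) + archs + blob


BASE_FLAGS = 0x85  # MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL
SAMPLE_HARDENED = _make_image(MH_MAGIC_64, BASE_FLAGS | MH_PIE,
                              b"\0___stack_chk_fail\0https://bank.example/api\0")
SAMPLE_WEAK = _make_image(MH_MAGIC, BASE_FLAGS,
                          b"\0http://bank.example/help\0http://cdn.example/js/app.js\0")
SAMPLE_FAT = _make_fat([(0x0000000C, SAMPLE_WEAK), (0x0100000C, SAMPLE_HARDENED)])


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_FAT
    for i, result in enumerate(audit_binary(data)):
        print("slice %d: PIE=%s stack_protector=%s plaintext_urls=%s" % (
            i, result["pie"], result["stack_protector"], result["plaintext_urls"]))
```

Run it as `python audit.py Payload/BankApp.app/BankApp` on an unpacked IPA; with no argument it audits the constructed fat sample. The string scan for ___stack_chk_fail is a heuristic (it will also fire on a binary that merely contains that text in a data section), and the URL grep only finds literal strings, so URLs assembled at runtime are missed; treat both as a first pass before dynamic testing.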

Ariel Sanchez, an expert at IOActive, said that when an application includes links without SSL, hackers can intercept the traffic and execute arbitrary JavaScript/HTML code, for example to create a fake prompt asking the user to enter their credentials.

“Moreover, 50% of the applications are vulnerable to injection attacks via unprotected JavaScript execution in UIWebView. In some cases, native iOS functionality can be compromised, enabling attackers to send SMS messages or emails from the victim’s device,” said Sanchez.
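The injection Sanchez describes has two halves: an attacker on the network rewrites a response fetched over plain http://, and the app hands server-controlled text to UIWebView as markup without neutralising it. The example below is added for this article and is not code from IOActive or from any of the tested apps. It models both halves in Python so the effect can be checked offline: a MITM rewrite that appends a script to an intercepted page, a vulnerable renderer that interpolates untrusted text into the HTML the app would pass to loadHTMLString:baseURL:, and a hardened renderer that escapes it first. The phishing payload and the page template are constructed for the demonstration. Escaping only helps where the app builds markup from server-returned strings; a page loaded remotely must simply be fetched over TLS with certificate validation, otherwise the attacker controls the whole document.

```python
"""UIWebView JavaScript injection: MITM rewrite, vulnerable and hardened rendering (added example)."""
import html
import re

# Constructed page template the app turns into HTML for UIWebView (not from any real app).
PAGE_TEMPLATE = """<html><body>
<h1>Welcome back, {name}</h1>
<p>Message from your bank: {notice}</p>
</body></html>"""

# Constructed attacker payload: replaces the page with a fake PIN prompt.
PHISHING_PAYLOAD = ('<script>document.body.innerHTML='
                    '"<form><p>Session expired, re-enter your PIN</p>'
                    '<input name=pin type=password><button>OK</button></form>"</script>')

ACTIVE_CONTENT_RE = re.compile(r"<script\b|javascript:", re.IGNORECASE)


def mitm_rewrite(response_body, payload=PHISHING_PAYLOAD):
    """Attacker side: a response fetched over http:// can be altered in transit.

    Inserts the payload just before </body>, or appends it if the tag is absent.
    """
    marker = "</body>"
    if marker in response_body:
        return response_body.replace(marker, payload + marker, 1)
    return response_body + payload


def render_vulnerable(name, notice):
    """App side, weak: untrusted strings go straight into the markup."""
    return PAGE_TEMPLATE.format(name=name, notice=notice)


def render_hardened(name, notice):
    """App side, fixed: untrusted strings are escaped so they can only be text."""
    return PAGE_TEMPLATE.format(name=html.escape(name, quote=True),
                                notice=html.escape(notice, quote=True))


def contains_active_content(markup):
    """Detection heuristic: does the markup carry a script tag or javascript: URL?"""
    return ACTIVE_CONTENT_RE.search(markup) is not None


if __name__ == "__main__":
    tampered = mitm_rewrite("<html><body><p>Your balance is 100.00</p></body></html>")
    print("intercepted page executes script:", contains_active_content(tampered))
    print("vulnerable renderer executes script:",
          contains_active_content(render_vulnerable("Alice", PHISHING_PAYLOAD)))
    print("hardened renderer executes script:",
          contains_active_content(render_hardened("Alice", PHISHING_PAYLOAD)))
```

The detection helper is deliberately narrow (script tags and javascript: URLs) and is there to make the two outcomes checkable, not as a filter to ship; the fix is the escaping in render_hardened combined with loading everything over SSL.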

