Man-in-the-middle flaw left smartphone banking apps vulnerable

Flaw in certificate pinning uncovered by researchers exposed customers of a number of high-profile banks to man-in-the-middle attacks on both iOS and Android devices

The vulnerability potentially put 10 million banking app users at risk from attacks. Image: iStock

A vulnerability in the smartphone banking apps of major banks could have allowed attackers to steal user credentials, including usernames, passwords and PIN codes, according to researchers.

The flaw was found in apps from HSBC, NatWest, Co-op, Bank of America Health, Santander and Allied Irish Bank. All of the banks have since updated their apps to protect against it.

Uncovered by researchers in the Security and Privacy Group at the University of Birmingham, the vulnerability allows an attacker who is on the same network as the victim to perform a man-in-the-middle attack and steal information.

The vulnerability lay in the certificate pinning technology, a security mechanism used to prevent impersonation attacks and the use of fraudulent certificates by only accepting certificates signed by a single pinned CA root certificate.

While certificate pinning usually improves security, a tool developed by the researchers to perform semi-automated security testing of mobile apps found that a flaw in the technology meant standard tests failed to detect attackers trying to take control of a victim’s online banking. Because pinning rejects the test certificates such checks normally rely on, it can hide the lack of proper hostname verification in the app, enabling man-in-the-middle attacks that go unnoticed.
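To make the mechanism concrete, here is an added illustration (not code from the paper, the researchers' tool or any of the apps) that models a pinning check with and without hostname verification; the CA names, hostnames and certificates are constructed placeholders.

```python
# Added illustration of the verification logic described above (not from the paper
# or any bank's app). Certificates are modelled as plain objects so the example runs
# offline; hostname matching follows the usual RFC 6125 rules (a wildcard may only
# replace the whole leftmost label).
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    issuer: str   # name of the CA that signed this certificate
    sans: tuple   # DNS names the certificate is valid for (subjectAltName)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a wildcard covering exactly the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must not span several labels and must leave at least two fixed labels.
    return len(p_labels) == len(h_labels) and len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]


def accept_server_cert(cert: Cert, pinned_ca: str, hostname: str, verify_hostname: bool) -> bool:
    """Pinning check as the flawed apps did it (verify_hostname=False) and as it should be done."""
    if cert.issuer != pinned_ca:
        return False          # chain does not end at the pinned root: rejected either way
    if not verify_hostname:
        return True           # BUG: any certificate from the pinned CA is trusted
    return any(hostname_matches(san, hostname) for san in cert.sans)


# Constructed sample certificates (placeholder names, not real banks or CAs).
PINNED_CA = "Example Pinned Root CA"
BANK_HOST = "api.examplebank.test"
genuine = Cert(issuer=PINNED_CA, sans=("api.examplebank.test",))
same_ca = Cert(issuer=PINNED_CA, sans=("shop.unrelated.test",))          # other site, same CA
pentest = Cert(issuer="Pentest Proxy CA", sans=("api.examplebank.test",))  # test proxy's own CA


def run_checks(verify_hostname: bool) -> dict:
    """Outcome of the check for each sample certificate against BANK_HOST."""
    return {name: accept_server_cert(c, PINNED_CA, BANK_HOST, verify_hostname)
            for name, c in (("genuine", genuine), ("same_ca", same_ca), ("pentest", pentest))}


if __name__ == "__main__":
    print("pinning only   :", run_checks(False))  # same_ca accepted: the hidden flaw
    print("pinning + host :", run_checks(True))   # only the genuine certificate accepted
```

The pentest certificate is rejected in both modes, which is why a standard interception test reports the app as secure while the same_ca case slips through without hostname verification.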

The findings have been outlined in a research paper and presented at the Annual Computer Security Applications Conference in Orlando, Florida. The tool was run on 400 security-critical apps in total, leading to the discovery of the flaw.

“In general the security of the apps we examined was very good, the vulnerabilities we found were hard to detect, and we could only find so many weaknesses due to the new tool we developed,” said Dr Tom Chothia, lecturer at the university and one of the authors of the report.

“It’s impossible to tell if these vulnerabilities were exploited, but if they were, attackers could have got access to the banking app of anyone connected to a compromised network,” he added.

Tests found that apps from some of the largest banks contained the flaw, which, if exploited, could have enabled attackers to decrypt, view and even modify network traffic from users of the app, allowing them to see information entered and perform any operation the app can usually perform – such as payments or the transfer of funds.

Other attacks allowed hackers to perform in-app phishing against Santander and Allied Irish Bank users, taking over part of the screen while the app was running in order to steal the entered credentials.

While certificate pinning is often enough to ensure security, in this instance its use actually hid flaws, because penetration testing could not work around the mechanism to reach the weak hostname check behind it.

“As this flaw is generally difficult to detect from normal analysis techniques, we have developed a detection tool that is semi-automated and easy to operate. This will help developers and penetration testers ensure their apps are secure against this attack,” said Chris McMahon-Stone, research student in the Security and Privacy Group at the University of Birmingham and co-author of the paper.

The researchers have worked with the National Cyber Security Centre and all the banks involved to fix the vulnerabilities, noting that the current versions of all the apps affected by the pinning vulnerability are now secure.

A University of Birmingham spokesperson told ZDNet all the banks were highly cooperative: “Once this was flagged to them they did work with the team to amend it swiftly.”