A researcher has discovered several security vulnerabilities in 40 personal banking apps from 60 of the world's biggest banks.

Testing only the iOS versions of the apps, Ariel Sanchez from IOActive found that 90% of them contain non-SSL links, which means that an attacker on the network could intercept the traffic and inject arbitrary JavaScript/HTML code in order to stage a fake login phishing attempt.

For example, a user could be lured to a fake login page and told that their online banking password had "expired", and asked to re-enter their username and password in order to access their account. The hacker could then use those details to take control of the user's online banking account.

While the names of the banks have not been revealed, a map on the researcher's blog reveals that the apps come from banks in the UK, eastern and western Europe, Singapore, Australia, India, the Middle East, Canada, the US and parts of South America.

Seize control of victim's device

Almost half of the apps tested do not validate the authenticity of the SSL certificates presented to them, which leaves them susceptible to Man in the Middle (MITM) attacks, in which an attacker on the network path intercepts the app's traffic and redirects it to a server of their choosing.

An additional 50% of the apps tested by Sanchez were found to have insecure UIWebView implementations, making them vulnerable to JavaScript injections, which could even allow attackers to seize control of the user's device and send SMS text messages or emails from the device.

Also, at least 70% of the apps had no alternative authentication method, such as multi-factor authentication, to fall back on if the primary method failed. The researcher also found that the apps wrote crash reports containing sensitive information, which could easily be stolen and used to develop zero-day attacks.

"Home banking apps that have been adapted for mobile devices, such as smart phones and tablets, have created a significant security challenge for worldwide financial firms," said Sanchez in a blog about the vulnerabilities.

"As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions."

Potential "massive" malware infection

Sanchez disassembled the banking apps and made a startling discovery in their code.

In a worst-case scenario, he writes, "an attacker could gain access to the development infrastructure of the bank and infest the application with malware causing a massive infection for all of the application's users."

Sanchez has contacted the banks affected by the vulnerabilities and has issued the following recommendations on what banks should do to better protect their mobile banking apps:

  • Ensure that all connections are performed using secure transfer protocols
  • Enforce SSL certificate checks by the client application
  • Protect sensitive data stored on the client-side by encrypting it using the iOS data protection API
  • Improve additional checks to detect jail-broken devices
  • Obfuscate the assembly code and use anti-debugging tricks to slow the progress of attackers when they try to reverse engineer the binary
  • Remove all debugging statements and symbols
  • Remove all development information from the production application
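The first, sixth and seventh recommendations above, together with the 90% non-SSL-link finding, lend themselves to an automated check that an app-security reviewer can run over an unpacked IPA before release. The script below is an added illustration and is not IOActive's tooling or anything from the research; it scans strings pulled from an app binary for cleartext endpoints and leftover development artifacts, and reads the App Transport Security (ATS) section of Info.plist, which is how a current iOS build declares whether cleartext loads are permitted. All sample strings, hostnames (`example-bank.test`) and the plist are constructed for the example.

```python
"""Audit extracted iOS app resources for cleartext endpoints, ATS exceptions
and development leftovers (example code, not from the original research)."""
import plistlib
import re
from urllib.parse import urlparse

# Constructed sample: strings as `strings` would pull them from a binary.
SAMPLE_STRINGS = [
    "https://api.example-bank.test/v1/login",
    "http://cdn.example-bank.test/terms.html",       # cleartext link
    "http://localhost:8080/debug",                   # cleartext + dev endpoint
    "ftp://files.example-bank.test/statements",      # cleartext scheme
    "/Users/devbuild/Projects/BankApp/Sources/Login.m",  # build-path leak
    "Welcome to mobile banking",
]

# Constructed sample Info.plist with an over-permissive ATS section.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>test.example-bank.app</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>cdn.example-bank.test</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s\"'<>]+", re.IGNORECASE)
CLEARTEXT_SCHEMES = {"http", "ftp", "ws"}
# Hostnames and path fragments that should never ship in a production binary.
DEV_HOST_RE = re.compile(r"^(localhost|127\.0\.0\.1|.*\.local|dev\..*|staging\..*)$", re.IGNORECASE)
DEV_PATH_RE = re.compile(r"(^|\s)/Users/[^\s]+")


def find_cleartext_urls(strings):
    """Return every URL whose scheme carries data without TLS."""
    hits = []
    for s in strings:
        for m in URL_RE.finditer(s):
            url = m.group(0)
            if urlparse(url).scheme.lower() in CLEARTEXT_SCHEMES:
                hits.append(url)
    return hits


def find_dev_artifacts(strings):
    """Return strings that point at developer machines or internal hosts."""
    hits = []
    for s in strings:
        if DEV_PATH_RE.search(s):
            hits.append(s)
            continue
        for m in URL_RE.finditer(s):
            host = urlparse(m.group(0)).hostname or ""
            if DEV_HOST_RE.match(host):
                hits.append(s)
                break
    return hits


def audit_ats(plist_bytes):
    """Return human-readable findings for permissive ATS settings."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is true: ATS disabled app-wide")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent is true: web views may load cleartext")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"cleartext HTTP permitted for {domain}")
    return findings


if __name__ == "__main__":
    for title, items in (
        ("Cleartext URLs", find_cleartext_urls(SAMPLE_STRINGS)),
        ("Development artifacts", find_dev_artifacts(SAMPLE_STRINGS)),
        ("ATS findings", audit_ats(SAMPLE_PLIST)),
    ):
        print(f"{title}: {len(items)}")
        for item in items:
            print("  -", item)
```

On a real bundle, feed `find_cleartext_urls` and `find_dev_artifacts` the output of `strings` over the main executable and any embedded frameworks, and `audit_ats` the bundle's `Info.plist`. A clean production build should return empty lists from all three; each non-empty result maps directly to one of the recommendations above.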