Banking Mobile Apps Largely Vulnerable, Reveals IOActive Study
Personal banking apps make managing a checking or savings account easy, removing the need for a laptop or a desktop browser. Whether they keep your personal data secure is another matter, however, and one that IOActive Labs Research says needs more attention. In a recent study, the research group looked into forty different so-called home banking apps from what it says are the world's top 60 most influential banks, none of which were specified by name.
The study's particulars include 40 non-consecutive hours of research, and to protect the innocent from the damage that could result, no exploits or vulnerabilities were detailed in regard to any of the apps analyzed. There wasn't any server-side research involved, with the team focusing only on the client-side app itself. And, as with all white knight efforts, it isn't surprising to hear that IOActive contacted some of the banks and clued them in on the vulnerabilities discovered.
Every application was put through half a dozen tests, among them data storage vulnerabilities, binary analysis, transport security, and compiler protection. The apps were all installed on an unspecified jailbroken iOS device, and ultimately were revealed to be largely vulnerable to some type of security issue, some more so than others.
Of the apps, 90 percent had "several" non-SSL links in various locations, which leaves them open to traffic interception, fake login prompts, and other issues. Breaking it down further, 50 percent are vulnerable to JavaScript injection, and 40 percent do not check the validity of SSL certificates, opening the door to man-in-the-middle attacks.
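Two of the findings above, plain-http links and missing certificate validation, are things a defender can check for directly. The following Python is an added example and not part of the IOActive study or any bank's code: it scans a constructed list of strings (the kind an analyst pulls out of an app binary) for non-SSL URLs, and contrasts a TLS client configuration that skips certificate validation with one that enforces it. The hostnames are placeholders.

```python
import re
import ssl

# Constructed sample of strings as might be extracted from an app binary;
# hostnames are placeholders, not taken from any real banking app.
SAMPLE_STRINGS = [
    "https://api.example-bank.test/v1/login",
    "http://cdn.example-bank.test/terms.html",
    "http://tracking.example-ads.test/pixel.gif",
    "https://api.example-bank.test/v1/accounts",
    "Enter your PIN",
]

URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+")


def find_non_ssl_links(strings):
    """Return every plain-http URL found in the extracted strings."""
    found = []
    for s in strings:
        for url in URL_RE.findall(s):
            if url.lower().startswith("http://"):
                found.append(url)
    return found


def insecure_context():
    """The weak setting: certificate validation switched off.
    A client built this way accepts whatever certificate an interposed
    party presents, which is the man-in-the-middle exposure described above."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """The corrected setting: chain validation and hostname check both on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Findings for an SSLContext, mirroring the 'does not check validity' test."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings
```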
SOURCE: IOActive Research