(In)Security of Mobile Banking

Presented at 31C3 (2014), Dec. 27, 2014, 9:45 p.m. (60 minutes).

This talk presents a deep analysis of mobile banking apps from around the world. Based on static and dynamic analysis, as well as on analysis of the final source code, we show that the vast majority of them do not respect users' privacy or protect users' data. Worse, a few of them contain critical bugs.

Mobile banking is about to become the de facto standard for banking activities. Banking apps on smartphones and tablets are spreading more and more, and this evolution aims at strongly limiting the classical ways of accessing a bank (in person, through a PC browser, through an ATM...). The aim is first to cut costs, but also to make the amount of personal data collected explode. Three critical issues then arise, since we entrust those mobile applications by feeding them with passwords and private information, and by giving them access to one of the most critical parts of our life (money):

• Do those applications protect our private life, and in particular what kind of information leaks to the bank?
• Do they contain vulnerabilities that could be exploited by attackers?

In this talk we present a deep analysis of many banking apps collected around the world. We have performed static and dynamic analysis based on the binaries AND the source code. We will show that almost all apps endanger our private data (sometimes severely), and that in a few cases the vulnerabilities present are extremely concerning. We tried to contact all the relevant banks to give them free, detailed technical feedback and to help them fix their apps; we will explain that a few of them did not care about this feedback and therefore did not want to take any security measures. This talk contains demos and operational results on existing apps.

Presenters:

  • Paul Irolla
    Researcher in the Android security field. Currently working on the design of tools to detect Android malware, and to detect vulnerabilities and personal information leaks in regular Android apps.
  • ericfiliol
    Eric Filiol is the head of Operational Cryptology and Virology at ESIEA, a French engineering school in Computer Science, Electronics and Control Science. He spent 21 years in the French Army (French Marine Corps), mainly as an ICT security expert (cryptanalysis, computer virology, cyberwarfare).
