How Vulnerable Are Mobile Apps?
Storage of Personal Data Calls for Stronger Protection
Late last week, security firm viaForensics announced it had found security vulnerabilities in mobile banking apps for Google's Android and Apple's iPhone. Apps from Bank of America, Chase, TD Ameritrade, USAA, Wells Fargo and Vanguard were among those the firm tested.
ViaForensics found that neither Google's nor Apple's platform adequately prevents mobile apps from storing sensitive financial information on the device. The firm noted that some apps do not validate the server's security certificate, leaving their connections open to so-called man-in-the-middle attacks. Some apps also saved passwords to the phone without encrypting them, and some retained data on the phone that the user had previously viewed in the app.
Researchers at S21sec, a global digital security firm that last month confirmed Zeus had successfully penetrated the mobile market, say that while viaForensics' findings should not be ignored, the vulnerabilities it noted should not be confused with an actual attack.
"The SMS Mitmo (man-in-the-mobile) attack that we discovered and you reported on was a real attack taking place in the wild," says Daniel Brett, head of business development for S21sec. "It played upon vulnerabilities inherent in the Symbian OS that don't seem to have been patched." And the fact that any user can download an unsigned mobile app without passing through what Brett calls an "app market" opens the door for Mitmo.
The security gaps found by viaForensics are different. "It is the discovery of some security 'flaws' within certain banking applications," Brett says. "This falls into the domain of 'vulnerabilities' or, even in some cases, 'bad practices.'"
Storing usernames in plaintext on a smartphone is a bad practice in the same way that storing customers' credit card information is a bad practice at the retail level: the data may never be taken, but it is sitting there for whoever gets hold of the device.
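The plaintext storage described above (credentials saved unencrypted, account data cached after being viewed) is something a tester can verify directly against a copy of the app's data directory. The following is an added example, not code from the article, from viaForensics or from any of the banks named: it constructs a fake Android-style app sandbox in a temporary directory (the directory names, file contents and test-account values are all invented for the example), then searches every file for the known test values, reading SQLite tables row by row rather than only searching the raw file bytes.

```python
"""Check an app's on-device data for plaintext credentials and cached account data.

Added example (not code from the article, viaForensics or any bank): builds a
constructed Android-style app sandbox in a temporary directory and scans it the
way a tester would after driving the app with a known test account.
"""
import sqlite3
import tempfile
from pathlib import Path

# Values the tester typed into, or viewed in, the app (all constructed for this example).
KNOWN_VALUES = {
    "username": "jsmith42",
    "password": "Winter2010!",
    "account_number": "123456789012",
    "balance": "4210.55",
}

SQLITE_MAGIC = b"SQLite format 3\x00"


def build_sample_sandbox(root: Path) -> None:
    """Create a fake app data directory showing the bad practices the article describes."""
    prefs = root / "shared_prefs"
    prefs.mkdir(parents=True)
    # Bad practice: the login form's username and password persisted unencrypted.
    (prefs / "login.xml").write_text(
        "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n"
        f'    <string name="username">{KNOWN_VALUES["username"]}</string>\n'
        f'    <string name="password">{KNOWN_VALUES["password"]}</string>\n</map>\n'
    )
    db_dir = root / "databases"
    db_dir.mkdir()
    # Bad practice: account data the user viewed in the app cached in a local SQLite file.
    conn = sqlite3.connect(db_dir / "cache.db")
    try:
        conn.execute("CREATE TABLE accounts (acct_no TEXT, balance REAL)")
        conn.execute("INSERT INTO accounts VALUES (?, ?)",
                     (KNOWN_VALUES["account_number"], float(KNOWN_VALUES["balance"])))
        conn.commit()
    finally:
        conn.close()
    # Harmless: a log line that records the login without any secret.
    (root / "app.log").write_text("login ok for user id 7\n")


def scan_raw_bytes(data: bytes) -> set:
    """Return the labels of known values that appear literally in the file bytes."""
    return {label for label, value in KNOWN_VALUES.items() if value.encode() in data}


def scan_sqlite_rows(path: Path) -> set:
    """Return labels found in any cell of any table, opening the database read-only.

    Numbers are stored in SQLite's binary record format, so a REAL such as the
    balance is invisible to a byte search and only shows up at row level.
    """
    hits = set()
    conn = sqlite3.connect(path.as_uri() + "?mode=ro", uri=True)
    try:
        tables = [row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            for row in conn.execute(f'SELECT * FROM "{table}"'):
                for cell in row:
                    if cell is None:
                        continue
                    text = str(cell)
                    hits.update(label for label, value in KNOWN_VALUES.items() if value in text)
    finally:
        conn.close()
    return hits


def scan_sandbox(root: Path, read_sqlite_rows: bool = True) -> dict:
    """Map each file (relative path) to the labels of known values it leaks."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        hits = scan_raw_bytes(data)
        if read_sqlite_rows and data.startswith(SQLITE_MAGIC):
            hits |= scan_sqlite_rows(path)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def run_demo() -> dict:
    """Build the sandbox and scan it both ways; the difference shows why row-level reading matters."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_sandbox(root)
        return {
            "raw_only": scan_sandbox(root, read_sqlite_rows=False),
            "with_rows": scan_sandbox(root, read_sqlite_rows=True),
        }


if __name__ == "__main__":
    for mode, findings in run_demo().items():
        print(mode)
        for rel_path, labels in findings.items():
            print(f"  {rel_path}: {', '.join(sorted(labels))}")
```

Run as a script, the raw pass reports the username and password in the preferences file and the account number in the cache database, while the balance appears only in the row-level pass: SQLite stores numbers in binary, so a plain string search of a database file understates what an app has cached. Against a real device, the same scan is pointed at a copy of the app's data directory pulled from the handset instead of the constructed one.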
The mobile channel is like any other emerging channel - we're going to discover gaps and vulnerabilities as we move along. It's no secret that the mobile channel is screaming for more authentication and data encryption, but the nuances of mobile devices and networks have posed some challenges. As Jason Rouse, a mobile security expert and principal consultant of the mobile and wireless practice for Cigital, rightly pointed out during last month's Mobile Financial Services Forum (#MobileForum on Twitter), the fluid nature of mobile connections is part of the problem.
"It's an unfortunate side-effect of the way that a lot of wireless networks are structured," Rouse says. "As a consequence of the way that the networks are structured, technically, we normally have IP changes in the range of hours to days for every mobile client."
That's a challenge the industry is going to have to explore: a client whose address changes that often defeats controls that lean on a stable IP address as an authentication or fraud signal, and financial institutions active in the mobile banking arena should take it into consideration. But users also bear some responsibility here. Granted, the industry has an obligation to educate consumers about risks. But if mobile users are downloading unapproved apps from sites that are not recommended by their financial institutions, how much responsibility should banks or credit unions really take on? That question remains to be answered.