Flaws Plague Leading Mobile Banking Apps

Found on Threatpost on Saturday, 11 January 2014

An alarming percentage of mobile banking applications for iOS fail to implement basic protections that would safeguard against man-in-the-middle attacks, session hijacking, memory corruption, and credential theft.

Sanchez said 90 percent of the applications he looked at sent users to a number of links that were not encrypted with SSL, while close to half of the apps did not validate the SSL certificates presented, putting customers at risk of man-in-the-middle attacks in which an attacker could inject malicious JavaScript or HTML code as part of a phishing scam, for example.
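The two findings above (cleartext links and missing certificate validation) map onto two concrete defects a reviewer can check for. The following is an added example, not code from the Threatpost article or from any of the audited apps: it uses Python's standard `ssl` module to show the non-validating TLS configuration beside the hardened one, an audit function that flags the weak settings, and a scan of a constructed list of links for ones fetched without TLS.

```python
import ssl
from urllib.parse import urlparse

# Constructed sample of links a banking client might load (not from the article).
SAMPLE_LINKS = [
    "https://bank.example/login",
    "http://bank.example/terms",        # cleartext: modifiable by an on-path attacker
    "https://cdn.example/js/app.js",
    "http://ads.example/banner.html",   # cleartext
]


def cleartext_links(urls):
    """Return the URLs that are fetched without TLS (the 'not encrypted with SSL' finding)."""
    return [u for u in urls if urlparse(u).scheme.lower() != "https"]


def weak_context():
    """The misconfiguration behind 'did not validate the SSL certificates':
    any certificate, issued for any hostname, is accepted.  Shown for contrast only."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """Verify the chain against the platform trust store, check the hostname,
    and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client SSLContext; an empty list means
    certificate validation is actually enforced."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is below TLS 1.2")
    return findings


if __name__ == "__main__":
    print("cleartext links:", cleartext_links(SAMPLE_LINKS))
    print("weak context:", audit_context(weak_context()))
    print("hardened context:", audit_context(hardened_context()))
```

The same audit applies to any client: the settings to look for are whether chain verification is mandatory, whether the certificate's name is matched against the host actually contacted, and which protocol versions are accepted.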

The management usually cares only about pretty looks, not about security. If you tell them you adjusted the layout by a few pixels to make it look nicer, you get praised. If you tell them that the project gets delayed by a month because the security models are not implemented correctly, they think you're wasting time.