personal banking apps leak info through phone by ariel sanchez

8/13/2019 Personal banking apps leak info through phone by Ariel Sanchez

1/7

ive Labs Research: Personal banking apps leak info through phone

/blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html[1/29/2014 8:59:14 AM]

Wednesday, January 8, 2014

Personal banking apps leak info through phone

By Ar ie l San ch ez

For several years I have been reading about flaws in home banking apps, but I was skeptical.

To be honest, when I started this research I was not expecting to find any significant results.

The goal was to perform a black box and static analysis of worldwide mobile home banking

apps. The research used iPhone/iPad devices to test a total of 40 home banking apps from the

top 60 most influential banks in the world.

In order to obtain a global view of the state of security, some of the more important banks

from the following countries were included in the research:

Relevant Points

The research was performed in 40 hours (non-consecutive).

This research does not show the vulnerabilities found and how to exploit them in order

to protect the owner of the app and their customers.

All tests were only performed on the application (client side); the research excluded

any server-side testing.

Some of the affected banks were contacted and the vulnerabilities reported.

Tests

The following tests were performed for each application:

2014(3)

January(3)

Scientifically ProtectingData

The password is irrelevant

Personal banking appsleak info through phone

2013(50)

2012(35)

2011(5)

IOActive.com

Blog Archive
http://void%280%29/http://blog.ioactive.com/search?updated-min=2014-01-01T00:00:00-08:00&updated-max=2015-01-01T00:00:00-08:00&max-results=3http://blog.ioactive.com/search?updated-min=2014-01-01T00:00:00-08:00&updated-max=2015-01-01T00:00:00-08:00&max-results=3http://void%280%29/http://blog.ioactive.com/2014_01_01_archive.htmlhttp://blog.ioactive.com/2014/01/scientifically-protecting-data.htmlhttp://blog.ioactive.com/2014/01/scientifically-protecting-data.htmlhttp://blog.ioactive.com/2014/01/the-password-is-irrelevant.htmlhttp://void%280%29/http://blog.ioactive.com/search?updated-min=2013-01-01T00:00:00-08:00&updated-max=2014-01-01T00:00:00-08:00&max-results=50http://blog.ioactive.com/search?updated-min=2013-01-01T00:00:00-08:00&updated-max=2014-01-01T00:00:00-08:00&max-results=50http://void%280%29/http://blog.ioactive.com/search?updated-min=2012-01-01T00:00:00-08:00&updated-max=2013-01-01T00:00:00-08:00&max-results=35http://blog.ioactive.com/search?updated-min=2012-01-01T00:00:00-08:00&updated-max=2013-01-01T00:00:00-08:00&max-results=35http://void%280%29/http://blog.ioactive.com/search?updated-min=2011-01-01T00:00:00-08:00&updated-max=2012-01-01T00:00:00-08:00&max-results=5http://blog.ioactive.com/search?updated-min=2011-01-01T00:00:00-08:00&updated-max=2012-01-01T00:00:00-08:00&max-results=5http://www.ioactive.com/http://www.ioactive.com/http://blog.ioactive.com/search?updated-min=2011-01-01T00:00:00-08:00&updated-max=2012-01-01T00:00:00-08:00&max-results=5http://void%280%29/http://blog.ioactive.com/search?updated-min=2012-01-01T00:00:00-08:00&updated-max=2013-01-01T00:00:00-08:00&max-results=35http://void%280%29/http://blog.ioactive.com/search?updated-min=2013-01-01T00:00:00-08:00&updated-max=2014-01-01T00:00:00-08:00&max-results=50http://void%280%29/http://blog.ioactive.com/2014/01/the-password-is-irrelevant.htmlhttp://blog.ioactive.com/2014/01/scientifically-protecting-data.htmlhttp://blog.ioactive.com/2014/01/scientifically-protecting-data.htmlhttp://blog.ioactive.com/2014_01_01_archive.htmlhttp://void%280%29/http://void%280%29/http://blog.ioactive.com/search?updated-min=2014-01-01T00:00:00-08:00&updated-max=2015-01-01T00:00:00-08:00&max-results=3http://void%280%29/http://void%280%29/http://1.bp.blogspot.com/-TsnS7Xp2yqY/UsqgXHGfbQI/AAAAAAAAAeE/ynv7yq11OXQ/s1600/1-world_map.pnghttp://blog.ioactive.com/


2/7



1. Transport Security

1. Plaintext Traffic

2. Improper session handling

3. Properly validate SSL certificates

2. Compiler Protection

1. Anti-jailbreak protection

2. Compiled with PIE

3. Compiled with stack cookies

4. Automatic Reference Counting

3. UIWebViews

1. Data validation (input, output)

2. Analyze UIWebView implementations

4. Insecure data storage

1. SQLlite database

2. File caching

3. Check property list files

4. Check log files

5. Logging

1. Custom logs

2. NSLog statements

3. Crash reports files

6. Binary analysis

1. Disassemble the application

2. Detect obfuscation of the assembly code protections

3. Detect anti-tampering protections

4. Detect anti-debugging protections

5. Protocol handlers

6. Client-side injection

7. Third-party libraries

Summary

All of the applications could be installed on a jailbroken iOS device. This helped speed up the

static and black box analysis.

Black Box Analysis Results
http://1.bp.blogspot.com/-Yzboes-6CKo/Usqg0fjYNkI/AAAAAAAAAeU/L-fE5Nkb6Hs/s1600/summary.jpg


3/7



The following tools were used for the black box analysis:

otool (object file displaying tool)[1]

Burp pro (proxy tool)[2]

ssh (Secure Shell)

40% of the audited apps did not validate the authenticity of SSL certificates presented. This

makes them susceptible to Man in The Middle (MiTM) attacks.[3]

A few apps (less than 20%) did not have Position Independent Executable (PIE) and Stack

Smashing Protection enabled. This could help to mitigate the risk of memory corruption attacks.

>#otool hv MobileBank

MobileBank:

Mach header

magic cputype cpusubtype caps filetype ncmds sizeofcmds flags

MH_MAGIC ARM V6 0x00 EXECUTE 24 3288 NOUNDEFS DYLDLINK

PREBOUND TWOLEVEL

Many of the apps (90%) contained several non-SSL links throughout the application. This allows

an attacker to intercept the traffic and inject arbitrary JavaScript/HTML code in an attempt to

create a fake login prompt or similar scam.

Moreover, it was found that 50% of the apps are vulnerable to JavaScript injections via

insecure UIWebView implementations. In some cases, the native iOS functionality was exposed,

allowing actions such as sending SMS or emails from the victims device.

A new generation of phishing attacks has become very popular in which the victim is prompted

to retype his username and password because the online banking password has expired. The

attacker steals the victims credentials and gains full access to the customers account.

The following example shows a vulnerable UIWebView implementation from one of the home

baking apps. It allows a false HTML form to be injected which an attacker can use to trick the

user into entering their username and password and then send their credentials to a malicious

site.
http://2.bp.blogspot.com/-gkDkSN9iHN4/UsqgXXOtgJI/AAAAAAAAAd8/0oqVsJF6D90/s1600/2-XSS.png


4/7



Another concern brought to my attention while doing the research was that 70% of the apps

did not have any alternative authentication solutions, such as multi-factor authentication, which

could help to mitigate the risk of impersonation attacks.

Most of the logs files generated by the apps, such as crash reports, exposed sensitive

information. This information could be leaked and help attackers to find and develop 0dayexploits with the intention of targeting users of the application.

Most of the apps disclosed sensitive information through the Apple system log. The following

example was extracted from the Console system using an iPhone Configuration Utility (IPCU)

tool. The application dumps user credentials of the authentication process.

CA_DEBUG_TRANSACTIONS=1 in environment to log backtraces.

Jun 22 16:20:37 Test Bankapp[2390] :


5/7



xmlns:c="http://schemas.xmlsoap.org/soap/encoding/"

xmlns:v="http://schemas.xmlsoap.org/soap/envelope/">

USER-ID

XRS

PASSWORD

xxxxxxxx

Jun 22 16:20:37 Test Bankapp[2390] : ]]]]]]]]]]]]] wxxx.xxxxx.com

Jun 22 16:20:42 Test Bankapp[2390] : RETURNED:

Jun 22 16:20:42 Test Bankapp [2390] : CoreAnimation: warning, deleted thread

with uncommitted CATransaction; set CA_DEBUG_TRANSACTIONS=1 in environment to log

backtraces.

Static Analysis Results

The following tools were used for the static analysis and decryption:

IDA PRO (disassembler tool) [4]

Clutch (cracking utility) [5]

objc-helper-plugin-ida [6]

ssh (Secure Shell)

gdb (debugger tool)

IPCU [7]

The binary code of each app was decrypting using Clutch. A combination of decrypted code and

code disassembled with IDA PRO was used to analyze the application.

Hardcoded development credentials were found in the code.

__text:00056350 ADD R0, PC ; selRef_sMobileBankingURLDBTestEnv__

__text:00056352 MOVT.W R2, #0x46

__text:00056356 ADD R2, PC ;

" h t t p s:/ / m o b _ u se r :T3 st e p w d @d b .in t e r n a l/ in t er n a l/ d b / st a r t .d o ?l o g in = m o b ile Ev n "

__text:00056358 LDR R1, [R0] ; "setMobileBankingURLDBTestEnv_iPad_mobil"...

__text:0005635A MOV R0, R4

__text:0005635C BLX _objc_msgSend

__text:00056360 MOV R0,

(selRef_setMobileBankingURLDBTestEnvWithValue_iPad_mobileT_ - 0x56370) ;

selRef_setMobileBankingURLDBTestEnvWithValue_iPad_mobileT_

__text:00056368 MOVW R2, #0xFA8A

__text:0005636C ADD R0, PC ;

selRef_setMobileBankingURLDBTestEnvWithValue_i_mobileT_

__text:0005636E MOVT.W R2, #0x46

__text:00056372 ADD R2, PC ;

" h t t p s:/ / m o b _ u se r :T3 st e p w d @d b .in t e r n a l/ in t er n a l/ d b / st a r t .d o ?

lo g in = m o b il eE v n & b r a n ch = % @& ac co u n t = % @& su b a cc o u n t = % @"

__text:00056374 LDR R1, [R0] ; "setMobileBankingURLDBTestEnvWith_i"...

__text:00056376 MOV R0, R4

__text:00056378 BLX _objc_msgSend

By using hardcoded credentials, an attacker could gain access to the development infrastructure

of the bank and infest the application with malware causing a massive infection for all of the

applications users.

Internal functionality exposed via plaintext connections (HTTP) could allow an attacker with

access to the network traffic to intercept or tamper with data.

__text:0000C980 ADD R2, PC ; " h t t p : / / % @/ n ew s / ? v e r s i o n = % u "


6/7



__text:0000C982 MOVT.W R3, #9

__text:0000C986 LDR R1, [R1] ; "stringWithFormat:"

__text:0000C988 ADD R3, PC ; "Mecreditbank.com"

__text:0000C98A STMEA.W SP, {R0,R5}

__text:0000C98E MOV R0, R4

__text:0000C990 BLX _objc_msgSend

__text:0000C994 MOV R2, R0

...

__text:0001AA70 LDR R4, [R2] ; _OBJC_CLASS_$_NSString

__text:0001AA72 BLX _objc_msgSend

__text:0001AA76 MOV R1, (selRef_stringWithFormat_ - 0x1AA8A) ;

selRef_stringWithFormat_

__text:0001AA7E MOV R2, (cfstr_HttpAtmsOpList - 0x1AA8C) ; "http://%@/atms/?

locale=%@&version=%u"

__text:0001AA86 ADD R1, PC; selRef_stringWithFormat_

__text:0001AA88 ADD R2, PC; " h t t p : / / % @/ a t m s/ v e r s i o n = % u "

__text:0001AA8A

__text:0001AA8A loc_1AA8A ; CODE XREF: -[BranchesViewController

processingVersion:]+146j

__text:0001AA8A MOVW R3, #0x218C

__text:0001AA8E LDR R1, [R1]

__text:0001AA90 MOVT.W R3, #8

__text:0001AA94 STMEA.W SP, {R0,R5}

__text:0001AA98 ADD R3, PC ; "Mecreditbank.com"

__text:0001AA9A MOV R0, R4

__text:0001AA9C BLX _objc_msgSend

Moreover, 20% of the apps sent activation codes for accounts though plainttext communication

(HTTP). Even if this functionality is limited to initial account setup, the associated risk high. If

an attacker intercepts the traffic he could hijack a session and steal the victims account without

any notification or evidence to detect the attack.

After taking a close look at the file system of each app, some of them used an unencrypted

Sqlite database and stored sensitive information, such as details of customers banking account

and transaction history. An attacker could use an exploit to access this data remotely, or if they

have physical access to the device, could install jailbreak software in order to steal to the

information from the file system of the victims device.

The following example shows an Sqlite database structure taken from the file system of an app

where bank account details were stored without encryption.

Other minor information leaks were found, including:

Internal IP addresses:

__data:0008B590 _TakeMeToLocationURL DCD cfstr_Http10_1_4_133

__data:0008B590 ; DATA XREF: -[NavigationView

viewDidLoad]+80o

__data:0008B590 ; __nl_symbol_ptr:_TakeMeToLocationURL_ptro

__data:0008B590 ;

" h t t p :/ / 1 0 0 .1 0 .1 .1 3 :8 0 8 0 / W e b Tes t Pr oj ec t / P in g Tes t .j sp "
http://2.bp.blogspot.com/-abM2TmgzM1w/UsqgYJNPDuI/AAAAAAAAAeM/AZkeY2V5Res/s1600/5-sqlite.png


7/7


Posted by Cesar at 7:00 AM

Labels:Ariel Sanchez,e-banking, hacking, homebanking, iOS,mobile apps,mobile banking security, mobile

hacking,mobile security, Objective-C,security

Internal file system paths:

__cstring:000CC724 aUsersXXXXPro DCB

" / U se r s/ Sc o t t / p r o j ec t s/ H M _ ip h o n e/ sr c/ H BM o n t h Vi ew . m ",0

Even though disclosing this information on its own doesn't have a significant impact, an attacker

who collected a good number of these leaks could gain an understanding of the internal layout

of the application and server-side infrastructure. This could enable an attacker to launch specific

attacks targeting both the client- and server-side of the application.

Conclusions

From a defensive perspective, the following recommendations could mitigate the most common

flaws:

Ensure that all connections are performed using secure transfer protocols

Enforce SSL certificate checks by the client application

Protect sensitive data stored on the client-side by encrypting it using the iOS

data protection API

Improve additional checks to detect jailbroken devices

Obfuscate the assembly code and use anti-debugging tricks to slow the

progress of attackers when they try to reverse engineer the binary

Remove all debugging statements and symbols

Remove all development information from the production application

Home banking apps that have been adapted for mobile devices, such as smart phones and

tablets, have created a significant security challenge for worldwide financial firms.

As this research shows, financial industries should increase the security standards they use for

their mobile home banking solutions.

References:

[1]http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/o

tool.1.html

[2] http://portswigger.net/burp/editions.html[3] https://www.owasp.org/index.php/Man-in-the-middle_attack

[4] https://www.hex-rays.com/products/ida/

[5] https://www.appaddict.org/forum/index.php?/topic/40-how-to-crack-ios-apps/

[6] https://github.com/zynamics/objc-helper-plugin-ida

[7] http://support.apple.com/downloads/#iphone%20configuration%20utility

Comment as:

No comments:

Post a Comment
http://blog.ioactive.com/search/label/Ariel%20Sanchezhttp://blog.ioactive.com/search/label/Ariel%20Sanchezhttp://blog.ioactive.com/search/label/e-bankinghttp://blog.ioactive.com/search/label/hackinghttp://blog.ioactive.com/search/label/homebankinghttp://blog.ioactive.com/search/label/iOShttp://blog.ioactive.com/search/label/iOShttp://blog.ioactive.com/search/label/mobile%20appshttp://blog.ioactive.com/search/label/mobile%20appshttp://blog.ioactive.com/search/label/mobile%20banking%20securityhttp://blog.ioactive.com/search/label/mobile%20hackinghttp://blog.ioactive.com/search/label/mobile%20hackinghttp://blog.ioactive.com/search/label/mobile%20hackinghttp://blog.ioactive.com/search/label/mobile%20securityhttp://blog.ioactive.com/search/label/Objective-Chttp://blog.ioactive.com/search/label/Objective-Chttp://blog.ioactive.com/search/label/securityhttp://developer.apple.com/library/mac/%22%20%5Cl%20%22documentation/Darwin/Reference/ManPages/man1/otool.1.htmlhttp://developer.apple.com/library/mac/%22%20%5Cl%20%22documentation/Darwin/Reference/ManPages/man1/otool.1.htmlhttp://portswigger.net/burp/editions.htmlhttps://www.owasp.org/index.php/Man-in-the-middle_attackhttps://www.hex-rays.com/products/ida/https://www.appaddict.org/forum/index.php?/topic/40-how-to-crack-ios-apps/https://github.com/zynamics/objc-helper-plugin-idahttp://support.apple.com/downloads/#iphone%20configuration%20utilityhttps://www.blogger.com/comment-iframe.g?blogID=3399186854038118117&postID=8467158731832276661&blogspotRpcToken=5143665http://www.blogger.com/share-post.g?blogID=3399186854038118117&postID=8467158731832276661&target=facebookhttp://www.blogger.com/share-post.g?blogID=3399186854038118117&postID=8467158731832276661&target=twitterhttp://www.blogger.com/share-post.g?blogID=3399186854038118117&postID=8467158731832276661&target=bloghttp://www.blogger.com/share-post.g?blogID=3399186854038118117&postID=8467158731832276661&target=emailhttp://www.blogger.com/email-post.g?blogID=3399186854038118117&postID=8467158731832276661http://support.apple.com/downloads/#iphone%20configuration%20utilityhttps://github.com/zynamics/objc-helper-plugin-idahttps://www.appaddict.org/forum/index.php?/topic/40-how-to-crack-ios-apps/https://www.hex-rays.com/products/ida/https://www.owasp.org/index.php/Man-in-the-middle_attackhttp://portswigger.net/burp/editions.htmlhttp://developer.apple.com/library/mac/%22%20%5Cl%20%22documentation/Darwin/Reference/ManPages/man1/otool.1.htmlhttp://developer.apple.com/library/mac/%22%20%5Cl%20%22documentation/Darwin/Reference/ManPages/man1/otool.1.htmlhttp://blog.ioactive.com/search/label/securityhttp://blog.ioactive.com/search/label/Objective-Chttp://blog.ioactive.com/search/label/mobile%20securityhttp://blog.ioactive.com/search/label/mobile%20hackinghttp://blog.ioactive.com/search/label/mobile%20hackinghttp://blog.ioactive.com/search/label/mobile%20banking%20securityhttp://blog.ioactive.com/search/label/mobile%20appshttp://blog.ioactive.com/search/label/iOShttp://blog.ioactive.com/search/label/homebankinghttp://blog.ioactive.com/search/label/hackinghttp://blog.ioactive.com/search/label/e-bankinghttp://blog.ioactive.com/search/label/Ariel%20Sanchezhttp://www.blogger.com/email-post.g?blogID=3399186854038118117&postID=8467158731832276661

personal banking apps leak info through phone by ariel sanchez

Documents