(IN)SECURITY OF MOBILE BANKING, presented at Black Hat Asia 2015

by Eric Filiol, Paul Irolla

Summary: Mobile banking is about to become the de facto standard for banking activities. Banking apps on smartphones and tablets are becoming more widespread, and this evolution aims at strongly limiting the classical ways of accessing a bank (in person, through a PC browser, through an ATM). The aim is first to cut costs, but also to greatly increase the amount of personal data collected. Three critical issues then arise, because we entrust these mobile applications with passwords, private information, and access to one of the most critical parts of our lives (money): Do these applications protect our private life, and in particular what kind of information leaks to the bank? Do they contain vulnerabilities that could be exploited by attackers? In this talk, we present a deep analysis of many banking apps collected around the world. We performed static and dynamic analysis based on both the binaries AND the source code. We will show that almost all of the apps endanger our private data (sometimes severely), and that in a few cases the vulnerabilities present are extremely concerning. We tried to contact all the relevant banks to offer free, detailed technical feedback and to help them fix their apps; we will explain that a few of them did not care about this feedback and therefore did not take any security measures. This talk contains demos and operational results on existing apps, with a particular focus on banks from Asia and Australia (Pacific area).