False Sense of Security: A Study on the Effectivity of Jailbreak Detection in Banking Apps, presented at IEEE EuroS&P 2019

by Konrad Rieck, Christian Wressnegger, Ansgar Kellner, Micha Horlboge

Summary: More and more people rely on mobile devices for banking transactions or two-factor authentication (2FA), and thus trust in the security provided by the underlying operating system. Simultaneously, jailbreaks gain tremendous popularity among average users for customizing their devices. In this paper we show that both do not go well together: Jailbreaks remove vital security mechanisms that are necessary to ensure a trusted environment that allows protecting sensitive data, such as login credentials and transaction numbers (TANs). We find that all but one of the banking apps available in the iOS App Store can be fully compromised by trivial means without reverse-engineering, manipulating the app, or other sophisticated attacks. Even worse, 44% of the banking apps do not even try to detect jailbreaks, revealing the prevalent, errant trust in the operating system’s security. This study assesses the current state of security of banking apps and pleads for more advanced defensive measures for protecting user data.