Thursday, November 18, 2010

Beware The Bank Apps On Your Phone or iPad

Online banking is one of the more popular tasks people get done on their phone. Apps tailored to your device can make the process easier, but it seems some of the banks have made some boneheaded design decisions in their programming that open up a number of security risks.

The Wall Street Journal lists Bank of America, Wells Fargo and USAA applications that are due for fixes. Security company viaForensics ran a number of banking applications through their testing process. Every bank they tested failed except for The Vanguard Group. All of the applications tested were written for either Apple's iOS or Google's Android platform.

Wells Fargo's mobile banking app, for example, is guilty of storing both the username and password on the device in plain text. It also saved account information and balances on the device in an unsecured manner. They updated their application in the middle of last week, so if you use that app on Android, be sure to get the updated version as soon as possible.

The data stored in plain text is at risk from at least two attack vectors. First, and perhaps the easiest, is to just steal the phone. With the username and password, a thief could just log in to your account and transfer out whatever they wanted to. You could also be targeted via email in an attempt to get you to visit a particular web page. That page could run code that grabbed the info off of your device since it would know exactly where it was stored.

Wells Fargo wasn't the only bank storing data in plain text. Bank of America's Android app is saving the answers to security questions in plain text on the device, but if you use their iPhone app, you should be OK. Other banks had similar issues, which largely seem to boil down to either poor design or just shortcuts taken to reduce costs or get the app out early.
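The kind of check that catches what viaForensics reported is simple to reproduce: log in to the app with credentials you chose, pull the app's private data directory off the device, and search every file for those values. The script below is an added example written for this post, not viaForensics' tooling or any bank's code; the credentials, file names and directory layout are constructed, and it also looks for base64 and hex encodings of the secrets, since "obfuscated" storage is a common half-fix.

```python
"""Post-login leakage check for a mobile app's private data directory:
log in with known test credentials, pull the app's sandbox, then search
every file for those values as plain text, base64 or hex."""
import base64
import sqlite3
import tempfile
from pathlib import Path

# Constructed test credentials (hypothetical): whatever was typed into the app.
TEST_SECRETS = {"username": "jdoe_test", "password": "Hunter2!2010", "security_answer": "fluffy"}

def encoded_forms(value):
    """Byte patterns an app might write for one secret value."""
    raw = value.encode()
    return {"plain": raw, "base64": base64.b64encode(raw), "hex": raw.hex().encode()}

def scan_blob(blob, secrets):
    """(secret name, encoding) pairs found in the blob. A byte search covers XML
    prefs, plists and SQLite files alike: SQLite stores TEXT cells as raw UTF-8."""
    return [(name, enc) for name, value in secrets.items()
            for enc, needle in encoded_forms(value).items() if needle in blob]

def scan_sandbox(root, secrets):
    """Map each offending file (path relative to root) to what it leaks."""
    findings = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        hits = scan_blob(path.read_bytes(), secrets)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def build_sample_sandbox(root):
    """Constructed sandbox reproducing the mistakes the report describes."""
    s = TEST_SECRETS
    (root / "shared_prefs").mkdir(parents=True)
    (root / "shared_prefs" / "login.xml").write_text(  # username plain, password base64
        f'<map><string name="user">{s["username"]}</string><string name="pw">'
        f'{base64.b64encode(s["password"].encode()).decode()}</string></map>')
    (root / "databases").mkdir()
    with sqlite3.connect(root / "databases" / "accounts.db") as con:  # answer in a TEXT column
        con.execute("CREATE TABLE profile (question TEXT, answer TEXT, balance REAL)")
        con.execute("INSERT INTO profile VALUES ('pet name', ?, 1234.56)", (s["security_answer"],))
    (root / "cache.tmp").write_bytes(b"no secrets here")  # control file: must not be flagged

def demo():
    """Build the sample sandbox in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="bankapp_"))
    build_sample_sandbox(root)
    return scan_sandbox(root, TEST_SECRETS)
```

A clean app produces an empty result; anything it flags is data that a thief with the phone, or a backup of it, can read without ever guessing a password.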

It makes me wonder why they bothered with writing apps at all. Yeah, with an app targeted at a platform, you can dress up the user interface to make it more appealing and perhaps more functional, but if you focus on a well-written mobile web site, you let the browser and web server do all of the heavy lifting when it comes to security. You will generally use fewer resources too, as web pages are easier to develop than apps are, especially if you are targeting multiple platforms. Besides, people generally prefer web pages over apps for many tasks.

If you are using a mobile banking app, do a bit of research to see if viaForensics analyzed it. If they did, chances are you need an update. If they didn't, you might question whether or not you want to take the chance your bank did any better than those that were tested.

InformationWeek
