A new report from a well-regarded payments consulting firm has found a lengthy list of security insanity while examining several major fintech company mobile apps. Although the very nature of apps that manage and move money would suggest strong security, banks and their cohorts tend to adopt new technology more slowly than almost any other vertical, which puts them in a bad place when it comes to security.
My favorite finding from the Aite Group report: "Several mobile banking apps hard-coded private certificates and API keys into their apps. [Thieves] could exploit this by copying the private certificates to their computers and running any number of free password-cracking programs against them," the report noted. "Should the [attackers] successfully crack the private key, they would be able to decrypt all communication between the back-end servers and mobile devices, among other things. The API keys allow an adversary to then begin targeting the [financial institution’s] API servers, gaining them access to data in the back-end databases. This allows [attackers] to authenticate the device with the back-end servers of that app, since this is what APIs use for authentication and authorization."
In other words, these banks have made the attackers' jobs far easier. "One of the directories was actually called 'API Keys,'" said Alissa Knight, the senior analyst with Aite Group's cybersecurity practice who did the research for the report. "My coffee didn't even get cold while I was on that list" trying to find vulnerabilities.
Some other especially scary points made in the Aite report:
- "Many of the apps contained hard-coded SQL statements that gave adversaries the ability to employ SQL injection attacks, such as modifying an existing SQL query or inserting a new SQL query in a man-in-the-middle attack that allows them to download all of the data in the database, delete data, or modify it."
- "Ninety-seven percent of the apps tested suffered from a lack of binary protection, making it possible to decompile the apps and review the source code. Additionally, all of the FI apps tested failed to implement application security that would have obfuscated the source code of the apps, making it possible to decompile them. This provided all of the sensitive API URLs, API keys, and API secrets hard-coded into the apps, and some of the URLs included nonstandard port numbers and development servers used by developers for testing and QA, which were reachable at the time of the testing. By decompiling the binaries, it was also possible to discover several private keys hard-coded into their files and located in subdirectories of the app, making it possible to crack the private key passwords offline."
- "Additional findings included the ability to execute client-side code in an app’s WebView; raw SQL queries embedded in the source code, yielding database schema information and the ability to perform SQL injection; the creation and storage of sensitive data into temp files on the mobile device or clipboard memory; and hard-coded public and private keys. Decompiling the binary into its raw source code gives adversaries the ability to inject malware and repackage the app as a rogue/pirated app hosted in a third-party app market, such as TweakBox, Aptoide, and TutuApp, or send it to victims via smishing (SMS phishing). Decompiling the app also allows an adversary to understand how the app detects jailbroken mobile devices, which, once vulnerabilities (such as API keys, private keys, and credentials) are found in the source code, results in theft of money through banking trojans, username/password theft or account takeover using overlay screens, and the theft of confidential data."
- "About 80 percent of the apps tested implemented weak encryption algorithms or the incorrect implementation of a strong cipher, allowing adversaries to decrypt sensitive data and manipulate or steal it as needed."
- "About 70 percent of the apps use an insecure random-number generator, a security measure that relies on random values to restrict access to a sensitive resource, making the values easily guessed and hackable."
In terms of the mobile apps she examined, Knight said many procedures were simply sloppy. Cyberthieves love sloppy. "Everything in the app was being logged and it had some very verbose logging. A gratuitous amount," Knight said in a Computerworld interview. "A lot wasn't being done in sandboxes and was stored directly on the mobile device."
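The defect classes in the report's findings above (hard-coded keys and API secrets, raw SQL, weak ciphers, insecure RNGs, reachable development hosts) and the gratuitous logging Knight describes are all things a financial institution can catch in its own build before shipping, by scanning the decompiled app the same way a reviewer would. The following is an added example, not code from the Aite report, Arxan or Computerworld; it assumes the app has already been decompiled into a directory of text files (as the report describes), and every file name, host, key and rule name below is constructed for illustration.

```python
"""Pre-release check for the defect classes the Aite report describes:
secrets, raw SQL, weak ciphers, insecure RNG, dev endpoints and verbose
logging left in a decompiled mobile app. Added example, not code from the
report or the article; file names and contents below are constructed."""
import re
from collections import Counter
from pathlib import Path

# (rule name, pattern, why a reviewer should care). Heuristics, not proof.
RULES = [
    ("private_key",
     re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----"),
     "PEM private key shipped with the app; its passphrase can be attacked offline"),
    ("api_key_assignment",
     re.compile(r"(?i)\b(?:api[_-]?key|api[_-]?secret|client[_-]?secret)\b"
                r"[\"']?\s*[=:]\s*[\"'][^\"']{8,}[\"']"),
     "hard-coded API credential; anyone with the binary can call the back end"),
    ("raw_sql",
     re.compile(r"(?i)[\"'](?:SELECT|INSERT|UPDATE|DELETE)\b[^\"']*[\"']\s*\+"),
     "SQL assembled by string concatenation; injection risk, schema disclosure"),
    ("weak_cipher",
     re.compile(r"\bDES\b|\bRC4\b|/ECB/"),
     "weak algorithm or insecure mode"),
    ("insecure_rng",
     re.compile(r"\bjava\.util\.Random\b|\bnew Random\(|\bMath\.random\(\)"),
     "non-cryptographic RNG where a security value is needed"),
    ("dev_endpoint",
     re.compile(r"https?://[^/\s\"']*\b(?:dev|qa|staging|test)\b[^\s\"']*"),
     "development/QA host baked into a production build"),
    ("verbose_logging",
     re.compile(r"\bLog\.[dv]\("),
     "debug/verbose logging left enabled; sensitive values end up in device logs"),
]


def scan_text(path, text):
    """Return (path, line_no, rule, snippet) for every rule that fires on a line."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pattern, _why in RULES:
            if pattern.search(line):
                hits.append((path, line_no, name, line.strip()[:90]))
    return hits


def scan_tree(root):
    """Walk a decompiled app directory on disk (e.g. apktool or jadx output)."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            hits.extend(scan_text(p.relative_to(root).as_posix(),
                                  p.read_text(errors="ignore")))
    return hits


def summarize(hits):
    """Counts per rule; a release gate would require every count to be zero."""
    return Counter(rule for _path, _line, rule, _snippet in hits)


# Constructed stand-in for a decompiled app; nothing here is a real key or host.
SAMPLE_TREE = {
    "assets/API Keys/backend.pem":
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "PLACEHOLDER-NOT-A-REAL-KEY\n"
        "-----END RSA PRIVATE KEY-----\n",
    "com/example/bank/Config.java":
        "public final class Config {\n"
        '    static final String API_KEY = "constructed_example_key_00000000";\n'
        '    static final String HOST = "https://api-dev.bank.example:8443/v2";\n'
        "}\n",
    "com/example/bank/AccountDao.java":
        "import java.util.Random;\n"
        "class AccountDao {\n"
        '    String byId(String id) { return "SELECT * FROM accounts WHERE id=" + id; }\n'
        '    Cursor safe(String id) { return db.rawQuery("SELECT * FROM accounts WHERE id=?", new String[]{id}); }\n'
        '    Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");\n'
        "    int otp() { return new Random().nextInt(1000000); }\n"
        '    void trace(long balance) { android.util.Log.d("AccountDao", "balance=" + balance); }\n'
        "}\n",
    "res/values/strings.xml":
        '<string name="app_name">Example Bank</string>\n',
}


def scan_sample():
    """Run the rules over the constructed tree above (no filesystem needed)."""
    hits = []
    for path, text in SAMPLE_TREE.items():
        hits.extend(scan_text(path, text))
    return hits


if __name__ == "__main__":
    for path, line_no, rule, snippet in scan_sample():
        print(f"{path}:{line_no}: [{rule}] {snippet}")
    print(dict(summarize(scan_sample())))
```

The parameterized `rawQuery(..., new String[]{id})` call in the sample is deliberately left unflagged so the SQL rule only fires on concatenated queries; the other rules are coarse string matches and will need tuning for a real code base, but a single hit in a category like `private_key` is already a release blocker rather than a triage item.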
Aaron Lint is the chief scientist and research vice president for Arxan, which underwrote the Aite research. "It’s no secret that the finance industry is a hot target because the payload is cold, hard cash," Lint said. "Virtually none of the apps tested in this research had app security measures in place that could even detect an app was being reverse-engineered, let alone actively defend against any malicious activity originating from code level tampering."
Lint referred to the API leakage as "a blueprint of how to deal with the app."
The Security Usability Challenge
Making the API keys so easy to find is certainly a courtesy that will be much appreciated in the dark web, although likely less so by the financial institution's customers. That said, those customers will be unable to do anything about this — such as switching banks — because Aite declined to identify which companies they looked at.
They did email Computerworld some descriptions of the companies profiled — there were 30 companies examined in eight categories: retail banking apps (4 companies examined); credit card issuers (3); mobile payment apps (3); healthcare savings accounts apps (3); retail brokerage accounts (5); health insurers (4); auto insurance (4); and crypto-currency companies (4). Aite also released how many were publicly traded (most were) and gave a hint about company size by saying how many employees each company had (that number ranged from 250,000 employees for one of the retail banking app companies to 50 employees for one of the crypto-currency companies).
Even more troubling, Aite said, it chose to not tell any of the companies examined that it found major security holes in their apps. This is regrettable, but understandable. It's a fear — ranging from litigation to being blackballed in the industry — that pen testers have these days about examining sites or apps without the company's permission. Given that Aite has to work with these companies, it makes sense that it wouldn't want to flag to these companies that they have issues.
In a utopian world, companies would be ecstatic to be informed about issues on their site/app before cyberthieves found them, but that's not how the world works, especially in the U.S. Hint to FI companies: Hire a pen tester today to check out your site and apps. Some of you have massive issues.