With my colleagues, I have been looking at the security of mobile applications for a few years, and in most cases, I have been amazed at the lack of security in these applications. Most mobile developers simply don’t seem to care.
They have been studying banking and payment applications, from major banks and services like Wells Fargo and Paypal, and they found some flaws. Nothing big so far, as flaws are to be expected. The problem is that finding flaws was quite easy:
- One of the applications stores the username and password in cleartext on the device. Twitter doesn’t want apps to do that, so one would think that banking apps are more careful than that.
- Another one of the applications opens an SSL connection, but it doesn’t check the certificate, which makes it vulnerable to man-in-the-middle attacks, for instance on WiFi networks.
These flaws have been there forever, and we have identified them from the very beginning of mobile security evaluations. The SSL flaw is particularly common, and I am surprised to see it today, now that even browsers have a tendency to perform checks on certificates.
The only satisfying thing is that the reviewer hasn’t reported any backdoor into these programs. A few years ago, such backdoors were very common, allowing developers to use their applications in “debug mode”.
If these backdoors have disappeared, we are moving in the right direction. But still, we are moving slowly.