Mobile security remains flaky on smartphone apps

With my colleagues, I have been looking at the security of mobile applications for a few years, and in most cases, I have been amazed at the lack of security in these applications. Most mobile developers simply don’t seem to care.

A security and forensics company has recently looked into mobile applications, and got some coverage.

Theyhave been studying banking and payment applications, from major banks and service like Wells Fargo and Paypal, and they found some flaws. Nothing big so far, as flaws are to be expected. The problem is that finding flaws was quite easy:

  • One of the application stores the username and password in cleartext on the device. Twitter doesn’t want apps to do that, so one would think that banking apps are more careful than that.
  • Another one of the appplications opens a SSL connection, but it doesn’t check the certificate, which makes it vulnerable to man-in-the-middle attacks, for instance on WiFi networks.

These flaws have been there forever, and we have identified them from the very beginning of mobile security evaluations. The SSL flaw is particularly common, and I am surprised to see it today, now that even browsers have a tendency to perform checks on certificates.

The only satisfying thing is that the reviewer hasn’t reported any backdoor into these programs. A few years ago, such back doors were very common, allowing developers to use their applications in “debug mode”.

If these backdoors have disappeared, we are moving in the right direction. But still, we are moving slowly.

2 Comments

  • Unfortunately, a lot of mobile applications have now a very short lifecycle. Some of them feel more close to marketing campaigns than to computing applications.

    In this context, it is no surprise they are insecure, don’t you think?

  • Most applications don’t need to be secure, because they just don’t have any assets to protect. It is quite likely that marketing apps belong to that category.

    In Android, applications are somehow isolated from each other, which limits the harm that such applications can do to sensitive ones.

    The applications that I am talking about in this entry are highly sensitive ones, related to payment, money transfers, and similar things. Such applications have assets to protect, and what researchers have proven is that they just don’t protect these assets.

Leave a Reply

Your email is never shared.Required fields are marked *