
Is it possible to steal money from mobile banking? Part 1


For the second year in a row, we have been conducting an independent analysis of the security of the mobile banking (MB) applications of Russian banks. In that time we have accumulated many observations, thoughts and ideas that I would like to share. We will focus on MB applications, but the general remarks also apply to other applications that handle critical user data.

Our research


In 2013, we released the study “Security Analysis of Mobile Banking Applications 2012”. A little later, a similar work was published by a researcher from IOActive; you can read about his results in his blog post. In 2014, we released the study “Mobile banking security: the possibility of a MitM attack”.

And who needs it?


Among some banking security specialists in Russia, it is widely believed that mobile banking has not yet earned the attention given to, for example, the remote banking system (RBS). Their main argument is that very little money currently passes through mobile banking systems, and therefore, they say, MB is of no interest to attackers.

To us, this segment seems very attractive for consideration, and for several reasons. First, I would like to draw readers' attention to the fact that the Central Bank of the Russian Federation does not distinguish between the RBS and the MB. The Bank of Russia is currently actively developing recommendations on a secure development life cycle for automated banking systems. Unfortunately, the document is not yet publicly available, but you should familiarize yourself with it at the first opportunity.

In addition, it does not matter to attackers how many transactions, or of what kind, are performed daily in mobile banking applications, even if users only top up their accounts to pay a telecom operator. What matters is that an attacker, through vulnerabilities in the application, can gain access to the account where the client's money is kept. And let's not forget that the compromise of a single key client of the bank is enough to have a significant impact on the operations of a financial organization.

Those who believe that the RBS deserves special attention while the MB is not worth the time should know that these systems are interrelated. We have been convinced of this in practice more than once during penetration tests and audits: we were able to find vulnerabilities and supporting information in MB systems that could later be used to attack the RBS.

And finally, it is simply foolish to deny world practice and claim that mobile banking may never become popular in Russia. The number of mobile devices among users is only growing, and mobile banking today is simply convenient.

Mobile Banking Specific Issues


1) Organizational problems
Recently we have had the chance to talk quite a lot with both the customers of mobile banking (the banks) and the contractors who build it (the developers). It is always useful to look at a situation from different angles.
On the customer side, we have seen several technical specifications (TK) for MB applications, and it is hard to find a section about security in them. Most often there are only very general wishes, in which mobile-specific issues are not taken into account at all. This is understandable: the banks do not have dedicated mobile security experts with knowledge of the iOS, Android or Windows Phone platforms. And as you know, security mechanisms should be built directly into the architecture, and protection must be considered at every stage of development in order to save money later.
In conversations with developers you learn many interesting things and begin to understand where such silly mistakes in an application as critical as MB come from. Often, when a product is created, the client part is written by one company and the server part by another, or the server part was written by someone else entirely quite some time ago. Establishing a good interaction process between them is not an easy task, and a number of errors appear here. Further, banks often cannot provide a good test environment for developing the client part, which leads the developer to invent various “crutches” (workarounds). Whether he remembers to remove them before the release then depends on him alone... And again, the problem of developers lacking information security specialists remains relevant.

2) The problem of application redundancy
It would seem simple: there is an MB application that should help you work conveniently and safely with your personal accounts and money. Where, then, does code for working with various social networks, file services, note-taking services, etc. suddenly come from?! I, for one, as a person paranoid about security, find this very strange... Manufacturers explain it simply: they expect an application endowed with such unique features to sell better.
Naturally, no one really thinks about the fact that as functionality grows, the complexity of the application grows, and the probability of making a mistake rises. And, trivially, the attack surface grows because of all these third-party services.

3) The problem of data storage
Mobile devices are always with us and small in size. They are easy to lose or simply to lose sight of for a while. At the same time, mobile devices can now say much more about us than their desktop “brothers”. Therefore, the problem of data storage remains one of the most important.
When analyzing the security of MB applications, we often see critical information in the clear, either simply stored by the application or unintentionally ending up in the network request cache, logs, crash dumps and screenshots. An attacker who gains physical access to the device can pull these critical files off it.
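As an added illustration of the storage problem (this is not code from the original article), here is a small Python scanner that a tester or defender can run over an app's extracted sandbox to find card numbers, CVVs, passwords and session tokens lying in the clear; the sample paths and file contents are constructed for the demo and do not come from any real bank application. A Luhn check keeps bare 16-digit ids and timestamps from being reported as card numbers.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample of an app sandbox (hypothetical paths and contents, not from any real bank app).
SAMPLE_FILES = {
    "shared_prefs/session.xml": '<string name="auth_token">eyJhbGciOiJIUzI1NiJ9.c2Vzc2lvbg.abc123</string>',
    "cache/http/request_17.0": 'POST /api/transfer HTTP/1.1\n{"card":"4111111111111111","cvv":"123"}',
    "cache/http/request_18.0": "GET /api/news HTTP/1.1\nid=1234567890123456",  # an id, not a card
    "logs/app.log": "D/Login: user=ivanov password=Qwerty123",
}

# 16 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")
SECRET_RES = {
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd|pin)\b[\"']?\s*[=:]\s*[\"']?\S+"),
    "cvv": re.compile(r"(?i)\bcvv\W{0,3}\d{3,4}\b"),
    "token": re.compile(r"(?i)(?:token|session)\w*[\"']?\s*[=:>]\s*[\"']?[A-Za-z0-9._-]{16,}"),
}

def luhn_ok(digits: str) -> bool:
    # Luhn checksum filters out ids and timestamps that merely look like a card number.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_tree(root: Path) -> list[tuple[str, str]]:
    # Returns (relative path, kind of finding) for every plaintext secret found under root.
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        for m in PAN_RE.finditer(text):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                findings.append((rel, "card_number"))
        for kind, rx in SECRET_RES.items():
            if rx.search(text):
                findings.append((rel, kind))
    return findings

def demo() -> list[tuple[str, str]]:
    with tempfile.TemporaryDirectory() as tmp:  # materialize the constructed sandbox and scan it
        for rel, content in SAMPLE_FILES.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(content)
        return scan_tree(Path(tmp))
```

Point `scan_tree` at a directory pulled from a test device; `request_18.0` is reported by nothing because its 16-digit id fails the Luhn check.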

4) The problem of working in an untrusted environment
Often users themselves put their devices at risk by obtaining root access on an Android device or installing a jailbreak on an iOS device. In doing so they often do not understand that, along with various freebies and frills, they partially or completely disable the built-in OS security mechanisms. This increases the probability of malicious code infecting the device and the probability of a successful attack. Advanced mobile malware can now do everything by itself; the main thing is to get onto the device somehow.
Having reviewed almost all MB applications on the Russian market, we can say that only a few of them (2-3, to be precise) check the state of the device, that is, whether it is jailbroken or rooted, and then display a message informing the user. Last year one of these applications refused to work on a “compromised” device, but this year the software simply imposes a certain limit on operations. And in most cases, MB applications work as if nothing had happened.

5) The problem of multifactor authentication
In a classical RBS system, the second factor often arrives as an SMS to the phone, with which the user confirms the transaction. In the case of mobile banking, with this approach both factors arrive at, or are entered on, the same device. If there is a virus on the device (which is especially relevant for Android), this malware will certainly intercept the secret information.
The following multifactor authentication approaches are common in mobile banking: SMS with an OTP, one-time code tables, special mobile applications that generate OTPs directly on the device, and biometric authentication. Unfortunately, they all share one big flaw: they arrive at, or are entered on, the same device and are transmitted over the same data channel, which an attacker can control through a MitM attack or malware on the device. So for mobile applications what matters is not so much the presence of a second factor as the existence of a second data transmission channel.

6) The problem of application distribution
This problem applies only to mobile operating systems with many app stores, first of all Android. For Android there are a huge number of stores (Google Play, Samsung Apps, Yandex market, Amazon mobile app distribution, SlideMe, etc.). Some of them are “flashed” onto the device by default, and the user has no choice, especially an ordinary user. As a result, one store may carry the legitimate application while another carries a modified version of it with malicious functionality.
Recently, requests to check what an MB application found in a store is doing that it should not, in theory, be doing have become more frequent. There are also simply unofficial bank applications that are “wrappers” around the bank's website. After reviewing a number of such applications we have not yet found malicious functionality, but this does not mean that it will not appear with the next update and your data will not fly off to a third-party server. Only official applications should be used, and banks should monitor application stores for fakes.

7) The problem of protecting the code
It would seem that applications such as MB should do everything possible to make life difficult for those who like to dig into their internals, but this is not quite so. Code obfuscation is found in Android applications, albeit infrequently; in iOS it is completely absent, so it is useful to compare the two platforms when analyzing this problem. The situation is similar with anti-debugging techniques. You should also clearly understand that code obfuscation and anti-debugging methods are not security mechanisms but ways of complicating analysis. Without them, the search for vulnerabilities in the code is simplified.

8) The problem of protecting the data channel
Mobile devices are wonderful because they are always with us and give us access to information from anywhere. Arriving at a cafe, restaurant, shopping center or cinema, we look for available free Wi-Fi hotspots and join them without hesitation... or are we taking the bait?
In the second part of the article, we will look at this situation and show how and when exactly an attacker can steal money from a mobile banking application.

Source: https://habr.com/ru/post/229373/
