Security researchers at the University of Birmingham found that several banking and Virtual Private Network (VPN) apps were susceptible to man-in-the-middle (MitM) attacks through a vulnerability in the way they handle encrypted communications.
These apps have a user base in the millions. Fortunately, the vendors have rolled out patches addressing the flaw—since 2016 for some. Users are advised to update their apps.
The security flaw was seen in Android and iOS banking apps, including those from Bank of America, Meezan Bank, Smile Bank, and HSBC, and VPN app TunnelBear. It lies in how the applications verify the certificates they use. Successfully exploiting the flaw allows attackers to spy on and modify the apps’ traffic, as well as steal credentials.
The findings were part of their research, “Spinner: Semi-Automatic Detection of Pinning without Hostname Verification”, which demonstrated Spinner, an automated black-box testing mechanism that checks and detects improper certification and verification processes in applications. Researchers Chris McMahon Stone, Tom Chothia, and Flavio D. Garcia noted that while this is typically easy to identify, it becomes difficult when the application uses certificate pinning, which conceals the flaw.
Certificate pinning is a security mechanism where an application’s developer specifies certain trusted certificates (used to verify the identity of computers on a network), as a countermeasure against MitM attacks that spoof certificates. However, their report found that the affected apps had flaws in how certificate pinning is implemented and how they verify certificates when establishing a connection.
The researchers used Spinner to analyze 400 Android and iOS apps and found that nine were susceptible to MitM attacks. The researchers also noted, “By redirecting traffic to websites which use the relevant certificates and then analysing the (encrypted) network traffic we are able to determine whether the hostname check is correctly done, even in the presence of certificate pinning.
“Like web browsers, mobile platforms such as Android and iOS rely on a trust store containing a large number of CA root certificates. If a single CA acted maliciously or were compromised, which has happened before [...], valid certificates for any domain could be generated allowing an attacker to Man-in-the-Middle all apps trusting that CA certificate.”
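The flaw and the test idea described above, as an added example (not code from the Spinner paper or from any affected app): a pin-only check accepts any certificate issued under the pinned CA, while the corrected check also requires the hostname to match. Certificates are modelled as simple records with constructed values, chain signature validation is assumed to have already succeeded, and all names and pins are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Simplified stand-in for an X.509 leaf certificate (constructed data)."""
    san_dns: tuple    # DNS names from subjectAltName
    issuer_pin: str   # placeholder for the hash of the issuing CA's public key

def hostname_matches(pattern: str, host: str) -> bool:
    """Match one SAN entry; a wildcard covers exactly one left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as "*.example".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def accept_pin_only(cert: Cert, host: str, pins: set) -> bool:
    """Flawed check: trusts any certificate issued under the pinned CA."""
    return cert.issuer_pin in pins

def accept_pin_and_hostname(cert: Cert, host: str, pins: set) -> bool:
    """Corrected check: pinned issuer AND a SAN entry that matches the host."""
    return cert.issuer_pin in pins and any(
        hostname_matches(name, host) for name in cert.san_dns)

def hostname_check_missing(accept, host: str, pins: set) -> bool:
    """Test a validator: offer a certificate from the pinned CA that names an
    unrelated host. Acceptance means the hostname check is missing."""
    probe = Cert(san_dns=("unrelated.example.net",),
                 issuer_pin=next(iter(pins)))
    return accept(probe, host, pins)

# Constructed sample values (hypothetical names and pins).
PINS = {"pin-of-example-ca"}
GENUINE = Cert(("api.bank.example", "*.bank.example"), "pin-of-example-ca")
OTHER_CA = Cert(("api.bank.example",), "pin-of-some-other-ca")

if __name__ == "__main__":
    for check in (accept_pin_only, accept_pin_and_hostname):
        missing = hostname_check_missing(check, "api.bank.example", PINS)
        print(f"{check.__name__}: hostname check missing = {missing}")
```

Both validators reject a certificate from an unpinned CA, which is why ordinary MitM testing with a self-signed or untrusted certificate does not reveal the missing hostname check.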
Cybercriminals see the mobile user base as a goldmine, as evidenced by the increasing prevalence of mobile threats. Users can mitigate them with good security habits, such as updating the operating system and apps, as well as strengthening their credentials. Businesses, especially those that run Bring Your Own Device (BYOD) programs, should balance the need for flexibility with the importance of security. App developers, as well as original equipment and design manufacturers, are in a good position to underscore security by design and go beyond functionality.
Users can also benefit from mobile security solutions such as Trend Micro Mobile Security for Android and Apple (also available on Google Play and App Store), which blocks malware, phishing attacks, exploits, and malicious URLs. Their multilayered security capabilities include securing the device’s data and privacy, and safeguarding them from ransomware, fraudulent websites, and identity theft.
For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning. It also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites.
Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.