Mobile banking app security is worrying overall; Love Encryption provides secure encryption for mobile payment apps

Source: Internet
Author: User

With the popularity of mobile payment, mobile banking clients are increasingly accepted by users, and many people assume that a client provided by a bank must be very secure. The report presents the most comprehensive security assessment to date of the Android mobile clients of China's major banks, including ICBC, CCB, CMB, Bank of Communications, Bank of China and ABC.
Original title: Hackers take aim at mobile banking


With the popularity of mobile payment, mobile banking clients are increasingly accepted by users, and many people assume that a client provided by a bank must be very secure. That is not the case. It is understood that several mobile banking clients carry security risks such as an incomplete encryption mechanism and failure to verify the identity of the server. Beyond that, even the "random keyboard" password entry that has always been considered the safest has weaknesses of its own. Overall, the security of mobile banking apps is worrying.

The overall security of mobile banking is worrying
As an important tool for online payment, the security of the mobile banking client is the foundation of Internet users' account and fund security. If a mobile banking client has security weaknesses, or outright vulnerabilities, it is very likely to be exploited by hackers or trojans, leading to leakage of bank account information and direct financial loss for users.
The report covers ICBC, CCB, China Merchants Bank, Bank of Communications, Bank of China, ABC and others; it is one of the most comprehensive security evaluations ever conducted of mainstream banks' Android mobile clients. The test consists of eight specific tests in six main areas: login mechanism security, keyboard input security, Activity component security, process injection protection, anti-piracy capability, and authentication factor security.
Clients that do not verify identity are easily "attacked"
Logging in is the first step in using a mobile banking client, and because sensitive information such as account numbers and passwords is involved, its security is especially important. In the assessment of the login mechanisms of the evaluated bank clients, mobile security experts found two kinds of fairly serious security risks: in one, the encryption mechanism is incomplete or too simple and is easily hijacked or cracked by an attacker; in the other, the client does not verify the identity of the server during communication, so the login process is easily hijacked by a "man-in-the-middle attack". Two of the mobile banking clients transmit data using "HTTP + simple encryption", which is very easy to hijack or crack.
Whatever login encryption mechanism a bank client uses, if it does not verify the identity (certificate) of the server during login, it may "trust" a fake server presenting a forged identity and connect to a counterfeit bank service, resulting in theft of the user name, password and other information. This attack, in which the server's identity is faked, is known as a "man-in-the-middle attack". In the evaluation, a total of 3 bank clients (all of which use HTTPS) were found to ignore the server-side certificate check.
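The two server-identity checks described above, as an added Java example that is not code from the article or from Love Encryption: the first method reproduces the trust-everything pattern behind the "ignore server certificate" finding, the second keeps the platform's normal PKI validation and additionally pins the bank server's public key. The pin value, its format (base64 of the SHA-256 of the leaf's SubjectPublicKeyInfo) and the use of java.util.Base64 (Android API 26+) are assumptions for illustration.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.*;

public class ServerIdentityCheck {
    // VULNERABLE: the pattern behind the "ignore server certificate" finding.
    // Every certificate is accepted, so a spoofed bank server can terminate the
    // TLS session and read the login credentials in the clear.
    static SSLContext trustEverything() throws Exception {
        TrustManager[] acceptAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) {} // no check at all
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, null);
        return ctx;
    }

    // HARDENED: run the platform's normal PKI validation (chain, expiry, trusted CA)
    // and then require the leaf certificate's public key to match a pin shipped
    // with the app. expectedSpkiSha256 is a placeholder: base64(SHA-256(SPKI)).
    static SSLContext pinnedToBank(final String expectedSpkiSha256) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = platform default CA store
        final X509TrustManager system = (X509TrustManager) tmf.getTrustManagers()[0];
        TrustManager pinned = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
                system.checkClientTrusted(c, a);
            }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                system.checkServerTrusted(c, a); // standard validation first; throws on failure
                String seen;
                try {
                    byte[] spki = c[0].getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo
                    seen = Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(spki));
                } catch (java.security.NoSuchAlgorithmException e) { throw new CertificateException(e); }
                if (!seen.equals(expectedSpkiSha256))
                    throw new CertificateException("server key does not match the bank's pin");
            }
            public X509Certificate[] getAcceptedIssuers() { return system.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pinned }, null);
        return ctx; // use with HttpsURLConnection.setSSLSocketFactory; keep the default HostnameVerifier
    }
}
```

Replacing the default HostnameVerifier with one that always returns true undoes the hardened context just as completely as the trust-everything manager does.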
Self-drawn random keyboards are not completely secure
In the keyboard input security test, security experts found that although most mobile banking clients use a self-drawn keyboard, self-drawn random keyboards are not widely used, and 2 clients use the system default input method, which is a significant security risk. However, the mobile security experts also pointed out that while a self-drawn random keyboard greatly improves security and makes attacks harder, it is not foolproof: if a malicious module is injected into the mobile banking client, or a system module is infected by malicious code, the attacker can hook the input and obtain the password in plaintext directly.
The Android component most used by mobile banking clients is the Activity. The Mobile Security Center therefore ran a dedicated security test covering protection against Activity hijacking, process injection, piracy and repackaging, and hijacking of verification SMS messages; all of the tested mobile banking clients underperformed. Among them, 1 client has a serious exported-Activity risk, and another 2 clients have Activity export errors that can cause the app to crash.
Banking apps are very easy to counterfeit
Because Android is an open platform, attackers can easily decompile a bank's client program with reverse-analysis tools, add malicious code to the decompiled result, and publish it to third-party markets with lax review. Such repackaged, pirated bank clients pose an extremely serious threat to users' payment security.
Analysis shows that the evaluated mobile banking clients cannot fully prevent reverse analysis and repackaging. Although some clients verify their own signature, this check is itself easily tampered with by the attacker during repackaging and so does not prevent repackaging.
The test also found security risks in the authentication factors of mobile banking: the evaluated mobile banking clients use an "account password + SMS verification code" pseudo-two-factor authentication scheme. Against a mobile phone trojan with SMS hijacking capability, this scheme is very fragile. Although some banks have begun to promote audio shields, Bluetooth shields and other two-factor authentication devices, their use is not mandatory, and the vast majority of users still authenticate with "account password + SMS verification code".

Using security software to "protect peace"
Following bank card payment and online payment (on the PC), Chinese consumers have quickly entered the era of mobile payment. According to the -th Statistical Report on Internet Development in China published by CNNIC, as of - the number of mobile Internet users in China had reached 5 billion, an increase of 8009 over the end of -; the number of mobile payment users reached 1.25 billion, a year-on-year increase of 126.9%, accounting for 25.1% of all mobile phone users. Mobile payment users are thus growing much faster than mobile phone users as a whole. The era of mobile payment has arrived, but its security risks and threats are magnified along with it.
In view of the various security threats facing mobile payment, many Internet security companies have launched security service partnerships with banks, offering customised independent mobile payment security modules that are integrated into the mobile banking client and improve its security.
Mobile security experts pointed out that a number of security problems in current mobile banking clients remain unresolved, and advised users to use mobile security software alongside them wherever possible to protect their property.
Love Encryption's technical staff point out that no matter what login encryption mechanism is used, if the client does not verify the identity (certificate) of the server during login, it may "trust" a spoofed server presenting a fake identity and connect to a counterfeit bank service, which can result in the theft of the user name, password and other information.
Love Encryption's custom service addresses mobile payment security problems
Love Encryption has created a dedicated custom service for mobile payment apps: before development, every package receives a comprehensive security assessment of the application, so that the resulting plan protects the app's security in an all-round, professional way. Each customised solution is tracked throughout by a technical specialist and a business specialist who answer technical and business questions, providing first-class technical support and professional "butler" service.
At the same time, the team's own three-layer protection technology, "DEX shelling + so library protection + advanced obfuscation", maximises the protection of mobile payment apps. Its handset compatibility is currently the best available: it has been tested on over - phone models to guarantee full compatibility. It also supports x86, Android 4.4 and ART mode; after encryption the app runs without any impact and the user experience is unaffected.
