Security Test Report of personal online banking APP on iOS platform
This study was completed within 40 hours (not consecutive)
To protect the owners and users of these applications, this study does not publish discovered vulnerabilities and methods to exploit them.
All tests were performed only on the application (client side); the study ruled out any server-side testing.
We have contacted the affected banks and submitted vulnerability reports.
Test process
We tested each online banking application for the following:
Transmission Security
Plaintext traffic
Improper session handling
Correct SSL certificate validation
Compiler Protection
Anti-cracking protection
PIE compilation
Compilation with stack cookies
Automatic Reference Counting (ARC)
UIWebViews
Data validation (input and output)
Analysis of the UIWebView implementation
Insecure Data Storage
SQLite databases
File cache
Property list (plist) files
Log files
Logging
Custom logs
NSLog output
Crash report files
Binary Analysis
Disassembly of the application
Inspection of the assembly code for obfuscation
Anti-tampering protection
Anti-debugging protection
Protocol handlers
Client-side injection
Third-party libraries
Result Overview
Black box analysis results
The following tools were used for the black box analysis:
otool (object file displaying tool) [1]
Burp Pro (proxy tool) [2]
ssh (Secure Shell)
40% of the apps that passed App Store review do not validate the SSL certificate, which leaves them open to man-in-the-middle attacks. [3]
A small number of applications (less than 20%) were built without position-independent executable (PIE) support and stack smashing protection. These features help reduce the risk of memory corruption attacks. In the following Mach header, note that the flags column carries no PIE flag:
# otool -hv MobileBank
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
   MH_MAGIC     ARM         V6  0x00     EXECUTE    24       3288   NOUNDEFS DYLDLINK PREBOUND TWOLEVEL
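As an added example (not part of the original report), the following Python parses `otool -hv` and `otool -Iv` output to check the three compiler protections listed in the test process: PIE from the Mach header flags, stack cookies from the `___stack_chk_fail`/`___stack_chk_guard` imports, and ARC from the runtime helpers the compiler emits. The sample outputs are constructed; the "Hardened" binary and its symbol table are hypothetical.

```python
"""Check iOS compiler protections (PIE, stack cookies, ARC) from otool output.

Added example; the otool samples below are constructed for it.
"""
import re

# Constructed: the header quoted in the report, with no PIE flag.
NO_PIE_HEADER = """MobileBank:
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
   MH_MAGIC     ARM         V6  0x00     EXECUTE    24       3288   NOUNDEFS DYLDLINK PREBOUND TWOLEVEL
"""

# Constructed: a hypothetical binary built with -fPIE (values are made up).
PIE_HEADER = """Hardened:
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
   MH_MAGIC     ARM         V7  0x00     EXECUTE    28       3644   NOUNDEFS DYLDLINK TWOLEVEL PIE
"""

# Constructed: an excerpt of `otool -Iv` (indirect symbol table) for that hypothetical binary.
HARDENED_SYMBOLS = """Indirect symbols for (__TEXT,__symbolstub1) 4 entries
address    index name
0x0000a000   123 _objc_msgSend
0x0000a004   124 ___stack_chk_fail
0x0000a008   125 _objc_retainAutoreleasedReturnValue
0x0000a00c   126 _objc_storeStrong
"""

# Columns before the flags: magic cputype cpusubtype caps filetype ncmds sizeofcmds
HEADER_FLAG_COLUMN = 7


def mach_header_flags(otool_hv_output):
    """Return the set of flag names from the 'Mach header' block."""
    lines = otool_hv_output.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "Mach header":
            for data in lines[i + 1:]:
                cols = data.split()
                if cols and cols[0].startswith("MH_"):
                    return set(cols[HEADER_FLAG_COLUMN:])
    raise ValueError("no Mach header found in otool output")


def has_pie(otool_hv_output):
    """PIE binaries carry the MH_PIE flag, shown by otool -hv as 'PIE'."""
    return "PIE" in mach_header_flags(otool_hv_output)


def imported_symbols(otool_iv_output):
    """Symbol names from `otool -Iv` lines of the form '<address> <index> <name>'."""
    syms = set()
    for line in otool_iv_output.splitlines():
        m = re.match(r"0x[0-9a-fA-F]+\s+\d+\s+(\S+)", line.strip())
        if m:
            syms.add(m.group(1))
    return syms


def has_stack_cookies(otool_iv_output):
    """-fstack-protector code references the guard and calls ___stack_chk_fail on a smashed frame."""
    return bool({"___stack_chk_fail", "___stack_chk_guard"} & imported_symbols(otool_iv_output))


def uses_arc(otool_iv_output):
    """ARC replaces retain/release message sends with direct calls to these runtime helpers."""
    return bool({"_objc_storeStrong", "_objc_retainAutoreleasedReturnValue"} & imported_symbols(otool_iv_output))


def protection_report(otool_hv_output, otool_iv_output):
    return {
        "PIE": has_pie(otool_hv_output),
        "stack_cookies": has_stack_cookies(otool_iv_output),
        "ARC": uses_arc(otool_iv_output),
    }


if __name__ == "__main__":
    print("report's binary, PIE:", has_pie(NO_PIE_HEADER))
    print("hypothetical hardened binary:", protection_report(PIE_HEADER, HARDENED_SYMBOLS))
```

On a real device the inputs come from `otool -hv <binary>` and `otool -Iv <binary>` run against the decrypted executable; the header check is exactly the one the report performed by eye on the flags column.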
Many applications (90%) contain several non-SSL (plaintext HTTP) links throughout the application. This allows attackers to intercept traffic, inject arbitrary JavaScript/HTML code, and present a forged login page.
In addition, 50% of the applications were found to be vulnerable to JavaScript injection through UIWebView because of insecure UIWebView implementations. In some cases native iOS functionality is exposed, allowing an attacker to make the victim's device send text messages or emails.
A common phishing scenario follows from this: the victim is told that their online banking password has expired and is prompted to enter their username and password. The attacker steals the victim's credentials and gains full access to the user's account.
The following example shows the UIWebView vulnerability in a personal banking app.
It allows an attacker to inject a fake HTML form that tricks users into entering their usernames and passwords and then sends their credentials to a malicious website.
Another finding that attracted my attention is that 70% of the apps offer no alternative authentication solution; multi-factor authentication, for example, would help mitigate the risk of phishing attacks.
Most log files generated by the applications expose sensitive information, crash reports among them. This information could be leaked and help attackers find and develop 0-day exploits targeting the application's users.
Most applications expose sensitive information through Apple system logs.
The following example, taken from the console of the iPhone Configuration Utility (IPCU), shows user credentials dumped by the application during authentication.
…
CA_DEBUG_TRANSACTIONS=1 in environment to log backtraces.
Jun 22 16:20:37 Test Bankapp[2390] <Warning>: <v:Envelope xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:d="http://www.w3.org/2001/XMLSchema" xmlns:c="http://schemas.xmlsoap.org/soap/encoding/" xmlns:v="http://schemas.xmlsoap.org/soap/envelope/"><v:Header /><v:Body><n0:loginWithRole id="o0" c:root="1" xmlns:n0="http://mobile.services.xxxxxxxxx.com/"><in0 i:type="d:string">USER-ID</in1><in1 i:type="d:string">XRS</in2><in2 i:type="d:string">PASSWORD</in3><in3 i:type="d:string">xxxxxxxx</in4></n0:loginWithRole></v:Body></v:Envelope>
Jun 22 16:20:37 Test Bankapp[2390] <Warning>: ]]]]]]]]]]]]] wxxx.xxxxx.com
Jun 22 16:20:42 Test Bankapp[2390] <Warning>: RETURNED:
Jun 22 16:20:42 Test Bankapp [2390] <Warning>: CoreAnimation: warning, deleted thread with uncommitted CATransaction; set CA_DEBUG_TRANSACTIONS=1 in environment to log backtraces.
…
Static Analysis Results
The following tools were used for the static analysis and decryption:
IDA PRO (disassembler tool) [4]
Clutch (cracking utility) [5]
objc-helper-plugin-ida [6]
ssh (Secure Shell)
gdb (debugger tool)
IPCU [7]
The binary code of each app was decrypted using Clutch.
A combination of the decrypted code and the code disassembled with IDA PRO was used to analyze each application.
Hardcoded development credentials were found in the code:
__text:00056350 ADD R0, PC ; selRef_sMobileBankingURLDBTestEnv__
__text:00056352 MOVT.W R2, #0x46
__text:00056356 ADD R2, PC ; "https://mob_user:T3stepwd@db.internal/internal/db/start.do?login=mobileEvn"
__text:00056358 LDR R1, [R0] ; "setMobileBankingURLDBTestEnv_iPad_mobil"…
__text:0005635A MOV R0, R4
__text:0005635C BLX _objc_msgSend
__text:00056360 MOV R0, (selRef_setMobileBankingURLDBTestEnvWithValue_iPad_mobileT_ - 0x56370) ; selRef_setMobileBankingURLDBTestEnvWithValue_iPad_mobileT_
__text:00056368 MOVW R2, #0xFA8A
__text:0005636C ADD R0, PC ; selRef_setMobileBankingURLDBTestEnvWithValue_i_mobileT_
__text:0005636E MOVT.W R2, #0x46
__text:00056372 ADD R2, PC ; "https://mob_user:T3stepwd@db.internal/internal/db/start.do?login=mobileEvn&branch=%@&account=%@&subaccount=%@"
__text:00056374 LDR R1, [R0] ; "setMobileBankingURLDBTestEnvWith_i"…
__text:00056376 MOV R0, R4
__text:00056378 BLX _objc_msgSend
By using the hardcoded credentials, an attacker could gain access to the development infrastructure of the bank and infest the application with malware, causing a massive infection of all of the application's users.
Internal functionality exposed via plaintext connections (HTTP) could allow an attacker with access to the network traffic to intercept or tamper with data:
__text:0000C980 ADD R2, PC ; "http://%@/news/?version=%u"
__text:0000C982 MOVT.W R3, #9
__text:0000C986 LDR R1, [R1] ; "stringWithFormat:"
__text:0000C988 ADD R3, PC ; "Mecreditbank.com"
__text:0000C98A STMEA.W SP, {R0,R5}
__text:0000C98E MOV R0, R4
__text:0000C990 BLX _objc_msgSend
__text:0000C994 MOV R2, R0
…
__text:0001AA70 LDR R4, [R2] ; _OBJC_CLASS_$_NSString
__text:0001AA72 BLX _objc_msgSend
__text:0001AA76 MOV R1, (selRef_stringWithFormat_ - 0x1AA8A) ; selRef_stringWithFormat_
__text:0001AA7E MOV R2, (cfstr_HttpAtmsOpList - 0x1AA8C) ; "http://%@/atms/?locale=%@&version=%u"
__text:0001AA86 ADD R1, PC ; selRef_stringWithFormat_
__text:0001AA88 ADD R2, PC ; "http://%@/atms/version=%u"
__text:0001AA8A
__text:0001AA8A loc_1AA8A ; CODE XREF: -[BranchesViewController processingVersion:]+146j
__text:0001AA8A MOVW R3, #0x218C
__text:0001AA8E LDR R1, [R1]
__text:0001AA90 MOVT.W R3, #8
__text:0001AA94 STMEA.W SP, {R0,R5}
__text:0001AA98 ADD R3, PC ; "Mecreditbank.com"
__text:0001AA9A MOV R0, R4
__text:0001AA9C BLX _objc_msgSend
In addition, 20% of the applications send account activation codes over plaintext HTTP. This function is highly risky even though it only applies to the initial account setup: an attacker who can intercept the traffic can hijack the session and steal the victim's account information, and, most importantly, the victim is left with no evidence from which to detect the attack.
After carefully studying the file system of each application, we found that some applications use an unencrypted SQLite database to store sensitive information such as bank account details and transaction history. An attacker could reach this data remotely with malware, or, with physical access to the device, by jailbreaking it and reading the information straight from the file system.
The following example shows how unencrypted bank account information stored in an SQLite database can be retrieved from the app's file system.
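As an added example (not part of the original report), the following Python audits an app container for SQLite files that are stored in the clear and hold sensitive-looking columns, which is the check behind the finding above. The container layout, the `bank.sqlite` database and the `vault.db` stand-in for an encrypted store are all constructed in a temporary directory.

```python
"""Audit an iOS app container for unencrypted SQLite databases with sensitive columns.

Added example; the sample container is constructed in a temporary directory.
"""
import os
import re
import sqlite3
import tempfile

# A plain (unencrypted) SQLite 3 file always starts with this 16-byte header.
SQLITE_MAGIC = b"SQLite format 3\x00"
# Column names that suggest banking data which should live behind the Data Protection API.
SENSITIVE_COLUMNS = re.compile(r"(?i)\b(account|iban|balance|card|password|pin|token|transaction)")
DB_SUFFIXES = (".sqlite", ".sqlite3", ".db")


def build_sample_container():
    """Constructed container: Documents/bank.sqlite in the clear, Documents/vault.db opaque bytes."""
    root = tempfile.mkdtemp(prefix="app_container_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    con = sqlite3.connect(os.path.join(docs, "bank.sqlite"))
    con.execute("CREATE TABLE accounts (id INTEGER, account_number TEXT, balance REAL)")
    con.execute("INSERT INTO accounts VALUES (1, 'CONSTRUCTED-0000', 123.45)")
    con.execute("CREATE TABLE settings (key TEXT, value TEXT)")
    con.commit()
    con.close()
    # Stand-in for an encrypted database: the header is not the SQLite magic.
    with open(os.path.join(docs, "vault.db"), "wb") as f:
        f.write(b"\x8f\x11constructed-encrypted-blob-placeholder")
    return root


def is_plain_sqlite(path):
    with open(path, "rb") as f:
        return f.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def audit_container(root):
    """Return plain-SQLite tables with sensitive columns, plus DB-named files that are not plain SQLite."""
    findings, skipped = [], []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(DB_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if not is_plain_sqlite(path):
                skipped.append(rel)  # encrypted (e.g. SQLCipher) or not a database at all
                continue
            con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only: audit, never modify
            tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
            for table in tables:
                columns = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
                hits = [c for c in columns if SENSITIVE_COLUMNS.search(c)]
                if hits:
                    findings.append((rel, table, hits))
            con.close()
    return {"findings": findings, "skipped_non_sqlite": skipped}


if __name__ == "__main__":
    print(audit_container(build_sample_container()))
```

Against a real device the root would be the app's sandbox directory copied over ssh; a plain SQLite header on a file holding account data is the finding, and the fix is the Data Protection API or an encrypted store (see the conclusion).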
Other information leaked by the application binaries included:
Internal IP addresses:
__data:0008B590 _TakeMeToLocationURL DCD cfstr_Http10_1_4_133
__data:0008B590 ; DATA XREF: -[NavigationView viewDidLoad]+80o
__data:0008B590 ; __nl_symbol_ptr:_TakeMeToLocationURL_ptro
__data:0008B590 ; "http://100.10.1.13:8080/WebTestProject/PingTest.jsp"
Internal file system paths:
__cstring:000CC724 aUsersXXXXPro DCB "/Users/Scott/projects/HM_iphone/src/HBMonthView.m",0
Although the disclosure of such information has no major impact on its own, an attacker who collects many such leaks gains a better understanding of the application's internals and of the server infrastructure, and can then mount targeted attacks on both the client and the server side of the application.
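As an added example (not part of the original report), the following Python applies one set of checks to both kinds of leakage shown in this report: the console output dumped during authentication in the Logging section above, and the hardcoded credentials, plaintext HTTP templates, internal IP addresses and build paths found in the decrypted binaries here. The byte blob stands in for a decrypted `__cstring` section and the log lines are modelled on the IPCU output; both are constructed for this example, and the `mobile.services.example.com` host is a placeholder.

```python
"""Flag leaked secrets in decrypted-binary strings and in console (ASL) log lines.

Added example; all sample data below is constructed.
"""
import ipaddress
import re

# Constructed blob standing in for part of a decrypted __cstring section (values from the report's listings).
SAMPLE_BINARY = (
    b"\x00\x00setMobileBankingURLDBTestEnv\x00"
    b"https://mob_user:T3stepwd@db.internal/internal/db/start.do?login=mobileEvn\x00"
    b"http://%@/news/?version=%u\x00Mecreditbank.com\x00"
    b"http://100.10.1.13:8080/WebTestProject/PingTest.jsp\x00"
    b"/Users/Scott/projects/HM_iphone/src/HBMonthView.m\x00"
    b"\x01\x02Welcome to Mobile Banking\x00"
)

# Constructed console lines modelled on the IPCU output quoted earlier (host is a placeholder).
SAMPLE_LOG = [
    'Jun 22 16:20:37 Test Bankapp[2390] <Warning>: <v:Envelope xmlns:i="http://www.w3.org/2001/XMLSchema-instance" '
    'xmlns:v="http://schemas.xmlsoap.org/soap/envelope/"><v:Body><n0:loginWithRole xmlns:n0="http://mobile.services.example.com/">'
    '<in0 i:type="d:string">USER-ID</in0><in1 i:type="d:string">XRS</in1>'
    '<in2 i:type="d:string">PASSWORD</in2><in3 i:type="d:string">xxxxxxxx</in3></n0:loginWithRole></v:Body></v:Envelope>',
    'Jun 22 16:20:42 Test Bankapp[2390] <Warning>: RETURNED:',
    'Jun 22 16:20:42 Test Bankapp[2390] <Warning>: CoreAnimation: warning, deleted thread with uncommitted CATransaction',
]

PATTERNS = [
    # scheme://user:password@host : development credentials baked into a URL
    ("credentials-in-url", re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@\"'<>]+:[^\s/@\"'<>]+@[^\s\"'<>]+")),
    # plain http:// (https:// never matches because of the 's')
    ("plaintext-http-url", re.compile(r"\bhttp://[^\s\"'<>]+")),
    # developer home directory baked in by the compiler (__FILE__, assert macros, ...)
    ("build-path", re.compile(r"/Users/[^\s\"'<>;,]+")),
    # a password element or field inside a logged request body
    ("password-in-log", re.compile(r"(?i)<[^>]*>\s*password\s*<|password[\"']?\s*[:=]")),
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
XMLNS_ATTR = re.compile(r'\sxmlns(?::\w+)?="[^"]*"')
USERINFO_PASSWORD = re.compile(r"://([^:@/]+):[^@/]+@")


def extract_strings(blob, min_len=6):
    """Printable-ASCII runs of at least min_len bytes, as strings(1) would list them."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def scan_text(text, source):
    """Return (source, kind, value) findings for one string or one log line."""
    findings = []
    # Namespace URIs are identifiers, not requests; drop them so they are not counted as plaintext links.
    text = XMLNS_ATTR.sub("", text)
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(text):
            value = m.group()
            if kind == "credentials-in-url":
                value = USERINFO_PASSWORD.sub(r"://\1:***@", value)  # never copy the secret into the report
            findings.append((source, kind, value))
    for m in IPV4.finditer(text):
        try:
            addr = ipaddress.ip_address(m.group())
        except ValueError:
            continue  # e.g. 999.1.2.3 is not an address
        findings.append((source, "internal-ip" if addr.is_private else "hardcoded-ip", str(addr)))
    return findings


def scan_binary(blob):
    return [f for s in extract_strings(blob) for f in scan_text(s, "binary")]


def scan_log(lines):
    return [f for i, line in enumerate(lines) for f in scan_text(line, f"log:{i}")]


if __name__ == "__main__":
    for finding in scan_binary(SAMPLE_BINARY) + scan_log(SAMPLE_LOG):
        print(finding)
```

The same scanner runs over `strings` output of a Clutch-decrypted binary or over a console dump from IPCU; the address classification uses `ipaddress.is_private`, so the report's 100.10.1.13 is reported as a hardcoded address rather than an RFC 1918 one.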
Conclusion
From the defensive point of view, the following suggestions can be used to reduce security risks:
1. Ensure that all connections use a secure transport protocol (TLS).
2. Enforce SSL certificate validation in the client application.
3. Use the iOS Data Protection APIs to encrypt sensitive information stored on the client.
4. Check whether the device has been jailbroken.
5. Obfuscate the assembly code and use anti-debugging techniques to make reverse engineering harder.
6. Remove all debugging statements and symbol files.
7. Remove all development information from the application.
Personal online banking applications can now be installed on mobile devices (smartphones and tablets), which poses a huge security challenge for financial companies worldwide. The financial industry needs to improve the security of its mobile personal online banking apps.