Security Test Report of personal online banking APP on iOS platform

Source: Internet
Author: User

This study was completed within 40 hours (not consecutive)

To protect the owners and users of these applications, this study does not publish discovered vulnerabilities and methods to exploit them.

All tests were performed only on the application (client side); server-side testing was out of scope.

We contacted some of the affected banks and submitted vulnerability reports.

Test process

Each online banking application was tested on the following points:

Transport security
  - Plaintext traffic
  - Improper session handling
  - Correct SSL certificate validation
Compiler protections
  - Anti-cracking protection
  - PIE compilation
  - Stack cookies
  - Automatic Reference Counting (ARC)
UIWebViews
  - Data validation (input and output)
  - UIWebView implementation analysis
Insecure data storage
  - SQLite databases
  - File caches
  - Property list (plist) files
  - Log files
Logging
  - Custom logs
  - NSLog statements
  - Crash report files
Binary analysis
  - Disassembling the application
  - Detection of assembly code obfuscation protections
  - Anti-tampering protections
  - Anti-debugging protections
  - Protocol handlers
  - Client-side injection
  - Third-party libraries

Result Overview

Black box analysis results

The following tools are used for black box analysis:

otool (object file displaying tool) [1]
Burp Pro (proxy tool) [2]
ssh (Secure Shell)

40% of the apps that passed App Store review do not validate the SSL certificate, which makes them vulnerable to man-in-the-middle attacks. [3]

A small number of the applications (less than 20%) were built without Position Independent Executable (PIE) support and without stack cookies (stack-smashing protection). These features help reduce the risk of memory corruption attacks.

    # otool -hv MobileBank
    Mach header
          magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
       MH_MAGIC     ARM         V6  0x00     EXECUTE    24       3288   NOUNDEFS DYLDLINK PREBOUND TWOLEVEL

The flags column of this header contains no PIE entry, which is how a binary built without PIE shows up in otool output.
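An added check, not part of the report's tooling, that reads `otool -hv` output like the listing above for the PIE flag and scans `otool -Iv` output for the stack-cookie and ARC runtime symbols; the MH_MAGIC line without PIE is the report's, the PIE header and the `-Iv` listing are constructed samples.

```python
"""Check otool output for the compiler protections the report examines:
PIE (Mach header flags), stack cookies and ARC (imported runtime symbols)."""

# Mach header exactly as the report's `otool -hv MobileBank` shows it: no PIE flag.
OTOOL_HV_NO_PIE = """\
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
   MH_MAGIC     ARM         V6  0x00     EXECUTE    24       3288   NOUNDEFS DYLDLINK PREBOUND TWOLEVEL
"""

# Constructed sample (not from the report) of a header from a binary built with PIE.
OTOOL_HV_PIE = """\
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
   MH_MAGIC     ARM         V7  0x00     EXECUTE    31       3712   NOUNDEFS DYLDLINK TWOLEVEL PIE
"""

# Constructed sample of `otool -Iv` (indirect symbol table) for a hardened build.
OTOOL_IV_HARDENED = """\
MobileBank:
Indirect symbols for (__TEXT,__symbolstub1) 3 entries
address    index name
0x000a1234    12 ___stack_chk_fail
0x000a1238    13 ___stack_chk_guard
0x000a123c    14 _objc_release
"""


def header_flags(otool_hv):
    """Return the set of flag names from the MH_MAGIC line of `otool -hv` output."""
    for line in otool_hv.splitlines():
        tok = line.split()
        # Columns: magic cputype cpusubtype caps filetype ncmds sizeofcmds flags...
        if tok and tok[0].startswith("MH_MAGIC"):
            return set(tok[7:])
    raise ValueError("no Mach header line in otool -hv output")


def imported_symbols(otool_iv):
    """Return the symbol names (last column) listed in `otool -Iv` output."""
    return {line.split()[-1] for line in otool_iv.splitlines() if line.startswith("0x")}


def audit(otool_hv, otool_iv):
    """Summarise the three protections as booleans."""
    syms = imported_symbols(otool_iv)
    return {
        "pie": "PIE" in header_flags(otool_hv),
        "stack_cookies": any("stack_chk" in s for s in syms),
        "arc": "_objc_release" in syms,
    }
```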

Many applications (90%) contain several non-SSL links throughout the application. This allows an attacker to intercept traffic, inject arbitrary JavaScript/HTML code, and present a forged login prompt.

In addition, 50% of the apps were found to be vulnerable to JavaScript injection through insecure UIWebView implementations. In some cases, native iOS functionality is exposed, allowing actions such as sending text messages or e-mails from the victim's device.

A common phishing pattern is used here: the victim is told that their online banking password has expired and is prompted to enter their username and password. The attacker captures the victim's credentials and gains full access to the account.

The following example shows the UIWebView vulnerability in a personal banking app.

It allows an attacker to inject a fake HTML form to trick users into entering their usernames and passwords, which are then sent to a malicious website.

Another finding worth noting is that 70% of the apps offer no alternative authentication solution. Multi-factor authentication, for example, could help mitigate the risk of phishing attacks.

Most of the log files generated by the applications, such as crash reports, expose sensitive information. If leaked, this information can help attackers find and develop 0-day exploits targeting the application's users.

Most applications expose sensitive information through Apple system logs.

The following example, taken from the console of the iPhone Configuration Utility (IPCU), shows user credentials dumped by the application during authentication:

    …CA_DEBUG_TRANSACTIONS=1 in environment to log backtraces.
    Jun 22 16:20:37 Test Bankapp[2390] <Warning>: <v:Envelope xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:d="http://www.w3.org/2001/XMLSchema" xmlns:c="http://schemas.xmlsoap.org/soap/encoding/" xmlns:v="http://schemas.xmlsoap.org/soap/envelope/"><v:Header /><v:Body><n0:loginWithRole id="o0" c:root="1" xmlns:n0="http://mobile.services.xxxxxxxxx.com/"><in0 i:type="d:string">USER-ID</in1><in1 i:type="d:string">XRS</in2><in2 i:type="d:string">PASSWORD</in3><in3 i:type="d:string">xxxxxxxx</in4></n0:loginWithRole></v:Body></v:Envelope>
    Jun 22 16:20:37 Test Bankapp[2390] <Warning>: ]]]]]]]]]]]]] wxxx.xxxxx.com
    Jun 22 16:20:42 Test Bankapp[2390] <Warning>: RETURNED:
    Jun 22 16:20:42 Test Bankapp [2390] <Warning>: CoreAnimation: warning, deleted thread with uncommitted CATransaction; set CA_DEBUG_TRANSACTIONS=1 in environment to log backtraces.
    …

Static Analysis Results

The following tools were used for the static analysis and decryption:

IDA PRO (disassembler tool) [4]
Clutch (cracking utility) [5]
objc-helper-plugin-ida [6]
ssh (Secure Shell)
gdb (debugger tool)
IPCU [7]

The binary code of each app was decrypted using Clutch. A combination of the decrypted code and code disassembled with IDA PRO was used to analyze the application.

Hardcoded development credentials were found in the code:

    __text:00056350  ADD     R0, PC ; selRef_sMobileBankingURLDBTestEnv__
    __text:00056352  MOVT.W  R2, #0x46
    __text:00056356  ADD     R2, PC  ; "https://mob_user:T3stepwd@db.internal/internal/db/start.do?login=mobileEvn"
    __text:00056358  LDR     R1, [R0] ; "setMobileBankingURLDBTestEnv_iPad_mobil"…
    __text:0005635A  MOV     R0, R4
    __text:0005635C  BLX     _objc_msgSend
    __text:00056360  MOV     R0, (selRef_setMobileBankingURLDBTestEnvWithValue_iPad_mobileT_ - 0x56370) ; selRef_setMobileBankingURLDBTestEnvWithValue_iPad_mobileT_
    __text:00056368  MOVW    R2, #0xFA8A
    __text:0005636C  ADD     R0, PC ; selRef_setMobileBankingURLDBTestEnvWithValue_i_mobileT_
    __text:0005636E  MOVT.W  R2, #0x46
    __text:00056372  ADD     R2, PC  ; "https://mob_user:T3stepwd@db.internal/internal/db/start.do?login=mobileEvn&branch=%@&account=%@&subaccount=%@"
    __text:00056374  LDR     R1, [R0] ; "setMobileBankingURLDBTestEnvWith_i"…
    __text:00056376  MOV     R0, R4
    __text:00056378  BLX     _objc_msgSend

By using hardcoded credentials, an attacker could gain access to the development infrastructure of the bank and infest the application with malware, causing a massive infection for all of the application's users.

Internal functionality exposed via plaintext connections (HTTP) could allow an attacker with access to the network traffic to intercept or tamper with data:

    __text:0000C980  ADD     R2, PC  ; "http://%@/news/?version=%u"
    __text:0000C982  MOVT.W  R3, #9
    __text:0000C986  LDR     R1, [R1] ; "stringWithFormat:"
    __text:0000C988  ADD     R3, PC  ; "Mecreditbank.com"
    __text:0000C98A  STMEA.W SP, {R0,R5}
    __text:0000C98E  MOV     R0, R4
    __text:0000C990  BLX     _objc_msgSend
    __text:0000C994  MOV     R2, R0
    …
    __text:0001AA70  LDR     R4, [R2] ; _OBJC_CLASS_$_NSString
    __text:0001AA72  BLX     _objc_msgSend
    __text:0001AA76  MOV     R1, (selRef_stringWithFormat_ - 0x1AA8A) ; selRef_stringWithFormat_
    __text:0001AA7E  MOV     R2, (cfstr_HttpAtmsOpList - 0x1AA8C) ; "http://%@/atms/?locale=%@&version=%u"
    __text:0001AA86  ADD     R1, PC ; selRef_stringWithFormat_
    __text:0001AA88  ADD     R2, PC ; "http://%@/atms/version=%u"
    __text:0001AA8A
    __text:0001AA8A loc_1AA8A                               ; CODE XREF: -[BranchesViewController processingVersion:]+146j
    __text:0001AA8A  MOVW    R3, #0x218C
    __text:0001AA8E  LDR     R1, [R1]
    __text:0001AA90  MOVT.W  R3, #8
    __text:0001AA94  STMEA.W SP, {R0,R5}
    __text:0001AA98  ADD     R3, PC  ; "Mecreditbank.com"
    __text:0001AA9A  MOV     R0, R4
    __text:0001AA9C  BLX     _objc_msgSend

In addition, 20% of the apps send account activation codes over plaintext HTTP. This is highly risky even though the function is limited to the initial account setup: an attacker who can intercept the traffic can hijack the session and steal the victim's account information, and the attack leaves no evidence by which it could be detected.

After carefully studying the file system of each application, we found that some of the apps use an unencrypted SQLite database to store sensitive information such as bank account details and transaction history. An attacker could exploit a vulnerability that allows remote access to this data, or, with physical access to the device, jailbreak it and read the information directly from the file system.

The following example shows how to obtain unencrypted bank account information stored in an SQLite database from the APP's file system.

Other information leaked by the binaries includes:

Internal IP addresses:

    __data:0008B590 _TakeMeToLocationURL DCD cfstr_Http10_1_4_133
    __data:0008B590                                         ; DATA XREF: -[NavigationView viewDidLoad]+80o
    __data:0008B590                                         ; __nl_symbol_ptr:_TakeMeToLocationURL_ptro
    __data:0008B590                                         ; "http://10.1.4.133:8080/WebTestProject/PingTest.jsp"

Internal file system paths:

    __cstring:000CC724 aUsersXXXXPro DCB "/Users/Scott/projects/HM_iphone/src/HBMonthView.m",0

Although the disclosure of such information has no major impact on its own, an attacker who collects many such leaks gains a better understanding of the application's internal layout and of the server infrastructure, and can then mount targeted attacks against both the client and the server side of the application.
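An added example, not from the report, that automates the checks behind the static-analysis findings above (hardcoded credentials in URLs and plaintext HTTP endpoints) and the information leaks listed here (internal IP addresses and developer paths) by classifying each line of a `strings` dump; the dump is constructed from the values quoted in the report plus one benign URL and one selector name for contrast.

```python
import ipaddress
import re

# Constructed sample of a `strings` dump from a decrypted app binary: the values the
# report quotes above, plus one benign HTTPS URL and one selector name for contrast.
SAMPLE_STRINGS = """\
https://api.example-bank.com/v1/accounts
https://mob_user:T3stepwd@db.internal/internal/db/start.do?login=mobileEvn
http://%@/news/?version=%u
http://10.1.4.133:8080/WebTestProject/PingTest.jsp
/Users/Scott/projects/HM_iphone/src/HBMonthView.m
setMobileBankingURLDBTestEnvWithValue:
"""

# scheme://[user:pass@]host  (the host may be a format placeholder such as %@)
URL_RE = re.compile(r"^(?P<scheme>https?)://(?:(?P<cred>[^/@\s]+:[^/@\s]*)@)?(?P<host>[^/:\s?]+)", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Absolute source paths under a developer's home directory that leaked into the binary.
DEV_PATH_RE = re.compile(r"^/(?:Users|home)/[^/]+/.*\.(?:m|mm|h|swift|xcodeproj)$")


def classify(s):
    """Return the finding labels for one string extracted from the binary."""
    findings = []
    m = URL_RE.match(s)
    if m:
        if m.group("scheme").lower() == "http":
            findings.append("plaintext-http")
        if m.group("cred"):
            findings.append("credentials-in-url")
        host = m.group("host")
        if IPV4_RE.match(host):
            findings.append("hardcoded-ip")
            try:
                if ipaddress.ip_address(host).is_private:
                    findings.append("internal-ip")
            except ValueError:  # octet out of range, not a real address
                pass
    if DEV_PATH_RE.match(s):
        findings.append("developer-path")
    return findings


def scan(strings_dump):
    """Map each flagged string to its findings; clean strings are left out."""
    report = {}
    for line in strings_dump.splitlines():
        line = line.strip()
        findings = classify(line)
        if findings:
            report[line] = findings
    return report
```

Feed it the output of `strings` on the decrypted binary; every string with an empty finding list is dropped, so the report contains only the items a reviewer needs to look at.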

Conclusion

From the defensive point of view, the following measures reduce the security risks found:

1. Ensure that all connections use a secure transport protocol.
2. Enforce SSL certificate validation in the client application.
3. Encrypt sensitive information stored on the client with the iOS Data Protection API.
4. Check whether the device has been jailbroken.
5. Obfuscate the assembly code and use anti-debugging techniques to slow down reverse engineering of the binary.
6. Remove all debugging statements and symbol files.
7. Remove all development information from the production application.

Personal online banking applications can now be installed on mobile devices (smartphones and tablets), which poses a major security challenge for financial companies worldwide. The financial industry should improve the security of its mobile personal online banking apps.
