Personal Banking Apps Leak Info Through Phone

By February 20, 2020 March 20th, 2020 Interesting

Last Updated on

Based on the latest report, more than 3,000 Android and iOS mobile apps are capable of leaking personal information such as user information and business information extracted from more than 23,000 unsecured Firebase databases. Also, based on the report, more than 27,000 Android apps and more than 1,000 iOS apps are using Firebase’s database systems in saving their app data. 2,446 Android apps and 600 iOS apps are storing their data in unsecured databases that can be obtained by anybody.

An in-depth study further revealed that this exposed information is made up of more than 2.6 million usernames and passwords, more than 50,000 financial transaction records,  more than 25 million GPS locations, and over 4.5 million user tokens for social media networks. Aside from this, it also includes more than 4.5 million Public Health Information records. All of these data can be accessed by anyone. It was reported that all in all, there is a total of over 100 million individual records have been leaked.

Actually, this is not the first time that there are instances that mobile apps can expose personal user data. The fact is, there are hundreds of thousands of apps that are unprotected. Ultimately, they are capable of leaking millions of personal data records each day. Furthermore, millions of apps can leak anyone’s private information such as name, age, phone number, home address, income, and email address. All of this is possible due to third-party libraries.

Is It Safe To Use Home Banking Apps?

Nowadays, there are a lot of home banking apps that are designed for mobile devices. However, is it secure to use? The security of these apps is a great challenge for the entire financial industry. IOActive, a Washington-based security firm, made a research on this and found out that forty mobile banking apps from the top 60 banks around the world have significant security issues. Because of this, Ariel Sanchez, a researcher of IOActive, spent almost forty hours testing these banking apps on the client-side. iPhone/iPad devices are used in testing the apps. All of these apps can be installed on a jail-broken iOS-based device. They have the capacity to run applications even if they are not available in the official Apple Store.

For the last few years, we have noticed that some home banking applications have shortcomings. If you feel cynical about this, then this article can help you in understanding a lot of things. When this research started, it was not expected that there will be any meaningful outcomes. The aim here is to conduct a black box review and static analysis on these mobile home banking applications that are being used all over the world. All in all, there were forty home banking applications that were tested using iPhone/iPad devices. These apps were the ones being used by the top sixty most notable banks around the globe. A few of the most prestigious banks from different parts of the world were part of the study. This is done in order to achieve a worldwide view of the status of security.

Important Features Of The Research

This study was completed in approximately forty hours, but keep in mind that these hours are not continuous. In this research, we did not reveal any information about the vulnerabilities that we discovered as well as the methods of exploiting them. This is because we want to guard the programmer who created the application and also their clients.

The apps were only tested on the client-side but not on the server-side. Even if we did not expose the vulnerabilities here, we managed to inform the concerned banks about their weaknesses.

What Are These Tests?

Sanchez performed his tests in six different fields including transport assurance, compiler protection, UIWebViews, unsafe data storage, log files, as well as binary review.

Installing all of these apps on a device that uses jailbroken iOS can greatly help in making the static analysis and black box review much faster.

What Are The Outcomes of Black Box Review?

For the black box review, significant tools that were used including ssh, Burp pro, and otool.

After auditing the apps, they found out that 40% of them did not verify if the SSL certificates were authentic. As a result, there is a possibility that they can be infected with Man in The Middle (MiTM).

There are some apps, approximately less than twenty percent, that did not enable the functions for Stack Smashing Protection and Position Independent Executable (PIE). If these functions were enabled, then it could help in reducing the danger of corrupting the memory.

Most of the applications, about 90%, include numerous non-SSL links all over the app. This provides an opportunity for the intruder to deflect traffic and insert random JavaScript code and HTML code that produces a fraudulent login screen or any other type of scam.

Furthermore, they discovered that half of these apps do not have any protection against JavaScript insertions through unstable UIWebView implementations. Also, there are some instances that the primary iOS purpose was revealed. As a result, the attacker is capable of doing relevant actions, for instance sending messages or emails using the victim’s smartphone.

The latest phishing scam that has become popular now is to prompt the victim to reenter his username as well as his password simply because their password for online banking has expired. This gives an opportunity for the attacker to steal the victim’s personal information and obtain complete access to his account.

One good example would be the apps used for home banking. It has a weak UIWebView implementation since it permits a fake HTML structure to be inserted into the apps. This is used by the attacker to deceive the victim to retype his username as well as his password. This personal information will then be sent out to an unreliable site.

One of the major issues of this research is that about seventy percent of the applications do not have any other authentication resolutions, for instance, multi-factor verification. It would have been great if there are any since this can help in lessening the danger of impersonation assaults.

Most often the log files that are produced by the applications, for instance, crash reports, revealed sensitive data. There is a possibility that this data could spread and will be used by the attackers in finding and developing 0day exploits with the objective of victimizing the persons using these apps.

A number of apps exposed sensitive data within the Apple system log. Using an iPhone Configuration Utility (IPCU) tool, we have obtained this example from the Console system of the device. This application asks for user information on its verification process.

What Are The Results of Static Analysis?

During the static review and decryption, we used various tools including ssh, Clutch, gdb, IDA PRO, etc.

With the use of Clutch, the binary code of every app was decrypted. In analyzing the apps, we’ve combined an IDA PRO disassembled code and a decrypted code. When the code was examined they’ve discovered hardcoded development information.

The attacker could use this hardcoded personal information in obtaining entry to the development foundation of the bank and infect the application with malware. As a result, this can cause extensive damage to all the apps that are being used.

Internal functionality that is shown within these plaintext connections (HTTP) can provide a chance for the attacker to intercept or tamper the information since the network traffic can be easily accessed.

Furthermore, at least twenty percent of the apps will use plainttext communication (HTTP) when sending activation codes for users’ accounts. Although this purpose is only restricted to the initial setup of the account, it is still considered risky to the users. In the event that the attacker has successfully intercepted the network traffic then he could infect a session and take the users’ information without any indication that there was indeed an attack.

After examining closely the file system on every application, we found out that a few of them are using unencrypted Sqlite database. Additionally, their file systems are storing some sensitive data, for instance, the banking details of the client’s account as well as its transaction history. An exploit could be used by the attacker in accessing the data remotely. On the other hand, if they can access the device physically then they could use the jailbreak software in stealing the information from the file system of the client’s device.

A Sqlite database structure obtained from the file system of an app shows that the bank account details of the client were stored without applying any encryption. Additionally, they discovered that there was minor information that was leaked. This includes the internal IP addresses and Internal file system paths.

Although exposing this information will not cause severe damage yet if the attacker has already gathered numerous leaks, then he could gain more knowledge on the internal layout of the application as well as the server-side foundation. As a result, it is possible that the attacker could start certain attacks that target both the client-side and the server-side of the application.


Based on the defensive point of view, here are some recommendations that could reduce the most common defects.  We need to guarantee that all connections are done using secure transfer protocols. It is also important to implement SSL certificate examinations on client applications. Sensitive information that is stored on the file system of the client-side must be protected at all times. This can be done through encryption and utilizing the iOS data protection API.

Detecting jailbroken devices can be improved through additional checks. In order to slow down the development of the attackers once they attempt to reverse the binary, you need to muddle the assembly code or you could apply some anti-debugging tricks. All the debugging statements and symbols, as well as the development information from these applications, must be deleted so it cannot be accessed by the potential attackers.

Nowadays, home banking apps can be easily accessed on mobile devices including smartphones and tablets. That is why keeping sensitive information protected is a great challenge for all financial institutions worldwide. Based on this research, it is recommended that the financial industry must try harder to improve the security standards most especially when it comes to mobile home banking solutions.

How Can You Avoid Any Data Leaks on Mobile Devices?

A VPN Can Protect Your Phone Data

A VPN or a Virtual Private Network is a secure connection. This means that you can feel safe whenever you are sharing some sensitive information such as credit card details. What the VPN will do is it will create a virtual network which the phone will use in connecting to the website. While you are connected to a VPN, the websites won’t be able to find your actual IP address. At the same time, they can’t decrypt your data. This is great since potential attackers will not be able to access your secure connection. However, you need to remember that a VPN won’t be able to protect you if you willingly enter your information in a website’s form.

Always Use Secure Passwords

In order to protect the data on your phone, be sure to set up a screen lock just in case your phone is lost or stolen. Additionally, it is important that you must create a secure and unique password for every app on your phone. This is very helpful to reduce the risk just in case one of your apps is compromised. There is a greater risk if you only use one password or just a few. Keep in mind that you should protect your financial data and other sensitive information from your phone. Sometimes this information can be leaked through the servers used by the apps.

Avoid Downloading Unverified Apps

Sometimes it is hard to pinpoint which app is doing the suspicious activity, most especially if you have downloaded numerous apps on your phone. Additionally, it would be much better if you are proactive. This can help you in avoiding any potential threats. The best thing to do is to download verified apps only and look for reliable app stores. Reading the app’s reviews before downloading can also help. Also, be cautious if they will ask you for certain permissions. For instance, your location or contacts are not needed in a reading app.


About Lydia

A keen money saver and online digital marketer. I love all things online from a good deal to the conversion rates of an email marketing campaign :).