{"id":1396,"date":"2014-12-30T09:46:32","date_gmt":"2014-12-30T07:46:32","guid":{"rendered":"http:\/\/sseblog.ec-spride.de\/?p=1396"},"modified":"2014-12-30T09:46:32","modified_gmt":"2014-12-30T07:46:32","slug":"banking-apps","status":"publish","type":"post","link":"https:\/\/blogs.uni-paderborn.de\/sse\/2014\/12\/30\/banking-apps\/","title":{"rendered":"Yes, banking apps are as secure as other apps, but is it really the banks who are to blame?"},"content":{"rendered":"<p><a href=\"http:\/\/blogs.uni-paderborn.de\/sse\/files\/2014\/12\/app-check.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-1398\" src=\"http:\/\/blogs.uni-paderborn.de\/sse\/files\/2014\/12\/app-check-300x145.jpg\" alt=\"Malicious apps\" width=\"300\" height=\"145\" srcset=\"https:\/\/blogs.uni-paderborn.de\/sse\/files\/2014\/12\/app-check-300x145.jpg 300w, https:\/\/blogs.uni-paderborn.de\/sse\/files\/2014\/12\/app-check-768x372.jpg 768w, https:\/\/blogs.uni-paderborn.de\/sse\/files\/2014\/12\/app-check-1024x496.jpg 1024w, https:\/\/blogs.uni-paderborn.de\/sse\/files\/2014\/12\/app-check-500x242.jpg 500w, https:\/\/blogs.uni-paderborn.de\/sse\/files\/2014\/12\/app-check.jpg 1038w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a>At 31C3 this year, <a href=\"https:\/\/sites.google.com\/site\/ericfiliol\/\"><em>Eric Filiol<\/em><\/a> and <em>Paul Irolla<\/em> from <em>Laboratoire de Cryptologie et Virologie Op\u00e9rationnelles<\/em> presented on <a href=\"http:\/\/media.ccc.de\/browse\/congress\/2014\/31c3_-_6530_-_en_-_saal_6_-_201412272145_-_in_security_of_mobile_banking_-_ericfiliol_-_paul_irolla.html\">(In)security of mobile banking app security<\/a>. 
While I appreciate the effort to draw more attention to the insecurity of mobile applications in general, I am afraid that the talk itself was based on quite a few misconceptions, and thus gave a very wrong impression of how app development actually works and of why the code we see is as insecure as it is. Unfortunately, these misconceptions were readily amplified by the mass media (the <a href=\"http:\/\/www.zeit.de\/digital\/mobil\/2014-12\/banking-apps-datenschutz-hack-31c3\">Zeit<\/a>, for instance), which is why I think someone with more experience in the field should clarify a few things in this respect.<!--more--><\/p>\n<h2>Vulnerabilities shown were not related to banking<\/h2>\n<p>First of all, Filiol and Irolla did not show a single banking-related vulnerability. What they showed was a series of <em>potential<\/em> vulnerabilities, none of which they demonstrated to be exploitable. Both authors also mentioned that it was hard to get access to banking staff who could fix the problems they found. Well, this is not surprising, and the two in combination are dangerous.<\/p>\n<h2>It&#8217;s not the banks who develop banking apps<\/h2>\n<p>Why is it not surprising? Well, guess what: it&#8217;s not the banks who actually develop banking apps. Banks are in the business of investing and making money, not in the business of software development. As a result, 99% of them will outsource the development of such apps completely. While it makes sense to approach the banks directly if a security flaw is found, it&#8217;s not surprising that no one there will be able to solve the problem at hand. This problem then gets amplified if researchers such as <em>Filiol<\/em> and <em>Irolla<\/em> go public with <em>alleged (!)<\/em> insecurities for which they have not really shown that they are exploitable. 
When talking to banks (or any company, for that matter) about the insecurity of their software, it really helps to have convincing arguments. And even then, responsible disclosure should be preferable to a rushed talk at 31C3.<\/p>\n<h2>It&#8217;s primarily not the banks who make the mistakes<\/h2>\n<p>The second major problem with the talk was that all the alleged vulnerabilities presented were not in the apps&#8217; own code but in third-party code, and were not even vulnerabilities. The authors complained about &#8220;extra functionality&#8221; that was present in the apps and which seemed dangerous and not privacy-preserving. They showed instances of the <a href=\"https:\/\/code.google.com\/p\/roottools\/wiki\/Usage\">RootTools library<\/a> being used, and instances of the geo-location services <a href=\"http:\/\/api.yandex.com\/maps\/doc\/jsapi\/2.x\/ref\/reference\/geolocation.xml\">by Yandex<\/a> being used (in an app by Sberbank). For the use of RootTools, however, the authors themselves presented some good reasons; and Sberbank is a Russian bank, and Yandex is a Russian geo-location service, so there should be little surprise that Yandex code is present in such an app. There is also good reason for most banking apps to use geo-location information: many of those apps have a function to show you the branch closest to your current location.<\/p>\n<p>So the problem is not really that banks would somehow be evil and include malicious code in their apps; it&#8217;s instead simply that the companies who develop apps for banks use somewhat sub-optimal ways of achieving the functionality of those apps. 
I agree that this is bad, but nevertheless this paints a picture that is very different from, and much more muted than, what was presented in the talk.<\/p>\n<h2>Ok, but what can we do about it?<\/h2>\n<p>To conclude, the primary problem with the apps that <em>Filiol<\/em> and <em>Irolla<\/em> actually presented is not that banks are somehow incapable of developing secure apps or even have evil hidden plans. The main problem is one of outsourcing and bad tools for quality control. And this is a problem seen throughout the software development industry. It&#8217;s not specific to banking and not specific to mobile apps. To counter this problem, the following is required:<\/p>\n<ul>\n<li>Companies outsourcing development need to be given better tools to assess the security of the code they buy.<\/li>\n<li>Third-party security experts should be contracted to assure the security of such applications. Tools like <a title=\"CodeInspect says \u201cHello World\u201d: A new Reverse-Engineering Tool for Android and Java Bytecode\" href=\"http:\/\/sseblog.ec-spride.de\/2014\/12\/codeinspect\/\">CodeInspect<\/a> can aid such experts.<\/li>\n<li>Likewise, app developers should be better aware of what third-party code they actually include in their applications, and what the security implications will be.<\/li>\n<li>Also, it should be possible to hold app developers liable for code they develop for third parties, in particular when it comes to security issues.<\/li>\n<\/ul>\n<p>So, as a result, as much as I myself would like to blame this all on the banks, I don&#8217;t think this is a fair assessment. If anyone is to blame, it seems to be the software development industry (for following bad practices), politics (for not promoting better standards) and researchers (for bragging about alleged vulnerabilities rather than spending their time showing constructive ways to counter them). 
Plus, there is the press: while writing about vulnerabilities is considered sexy, writing about good security practices seems much less so. So they, too, are setting the wrong incentives!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At 31C3 this year,\u00a0Eric Filiol and Paul Irolla from\u00a0Laboratoire de Cryptologie et Virologie Op\u00e9rationnelles presented on\u00a0(In)security of mobile banking app security. While I appreciate the effort to draw more attention to the insecurity of mobile applications in general, I am &hellip; <a href=\"https:\/\/blogs.uni-paderborn.de\/sse\/2014\/12\/30\/banking-apps\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":6542,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1396","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts\/1396","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/users\/6542"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/comments?post=1396"}],"version-history":[{"count":0,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/posts\/1396\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/media?parent=1396"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2\/categories?post=1396"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.uni-paderborn.de\/sse\/wp-json\/wp\/v2
\/tags?post=1396"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}