Users of smartphones beware; the applications you download could compromise the security on your phone. And this includes banking applications.
IT security experts have been warning for months that weaknesses in the applications people download, coupled with basic human error could result in the installation of spyware or malware on smartphones.
This could allow hackers to gain access to your contact list, phone calls, GPS location, and bank information, without you realising it.
In Russia security firm Group-IB recently warned that more than 541 000 smartphones running on Android in Russia, Europe and the US are infected with malware which grants the perpetrators full access to people’s mobile devices, according to a report on RT.com.
Another report, this time from the US says that many mobile banking apps, including those of major financial institutions, contain configuration and design weaknesses that leave them with weakened security.
Experts from security firm Praetorian tested 275 Apple iOS- and Android-based mobile banking apps from 50 major financial institutions, 50 large regional banks, and 50 large U.S. credit unions. Overall, they found that eight out of ten apps were improperly configured and not built using best practice software development, according to this report on DarkReading.com.
Among the big-name banks whose mobile apps the security firm tested were Bank of America, Citigroup, Wells Fargo, Goldman Sachs, Morgan Stanley, Capital One Financial, and Suntrust Banks. Praetorian did not disclose how each bank’s apps fared in the tests.
The security weaknesses identified in the mobile banking apps are not pure software vulnerabilities, says Nathan Sportsman, founder and CEO of Praetorian. “These aren’t business-logic or application-specific issues. They are weaknesses across the mobile apps – things developers should be doing but are not,” he says.
Stirring the pot a little further, just last week a research team from IBM uncovered a vulnerability that will affect apps built on a popular platform for application development called Cordova, according to a report on SecurityIntelligence.com.
Up to 10% of the applications built on this platform are banking apps, the researchers found. While a patch has been released the point is that millions of people using apps built on this platform are at risk of having sensitive information, such as their login details, stolen the report says.
A scary fact is that 95% of successful attacks or security incidents are caused by human error, according to IBM’s Cyber Security Intelligence Index. As a result hackers continue to aggressively seek out such vulnerabilities to exploit.
These warnings come at time when mobile banking is growing in South Africa. All of the major banks offer mobile banking solutions, and while mobile banking isn’t mainstream yet, it is increasingly popular.
“What smartphone users need to understand is that all operating systems are vulnerable,” says Vodacom’s head of mobile commerce, Herman Singh, who was speaking in his personal capacity. “It’s the nature of the space. Operating systems are by design complex pieces of code. The process is complicated further because apps are written to go into an app store and are then downloaded onto an operating system.”
At each step – application development, the app store, the operating system – there is the potential for vulnerabilities to be exploited.
At the application level, apps can be deliberately infected, or become vulnerable because the developers have overlooked something.
“You have to consider who is writing the app, and who is vetting it before you just download it onto your phone,” Singh says.
At the application store level, not all app stores were created equal.
“The Apple screening process is the most rigorous. All Apple apps are very carefully tested before they are allowed into the store for download. None of the other app stores are as thorough,” he says.
The best-known app stores (digital distribution centres for application software) include Apple, Blackberry and Google Play. But because the Android operating system (launched by Google) is so ubiquitous there are over 30 different app stores flogging their wares for Android devices.
This is because the Android operating system is open and allows for a high degree of customisation. “This introduces vulnerability,” says Singh.
“The Apple operating system on the other hand is tightly coupled to iTunes and the Apple apps. The company has kept proprietary control over its system.”
First National Bank’s heading of bank apps, Giuseppe Virgillito agrees that there are potential vulnerabilities around smartphones and the apps one downloads – just as there are with laptops and PCs.
“We haven’t seen any problems [with the banking apps in South Africa]. But it is possible; particularly when it comes to those apps developed using Android. It is open source software after all.”
While the banks are taking steps to ensure their own applications are robust, he suggests various steps that consumers can take to protect themselves:
Always be on guard against cyber-attack. Just like with laptops, logging onto an unsecured Wi-Fi connection isn’t very sensible, especially if you’re going to be working with sensitive information.
Be careful what content you download and what sites you access from your device.
Don’t download apps from third party sites – stick to Apple, Google Play or the device manufacturer – Samsung’s app store for instance.
Make sure you always have an up-to-date version of the operating system on your phone. The same goes for the banking app.
Don’t jailbreak your device. This allows access to the operating system’s file system and manager, allowing the download of applications that are not approved by Apple, Google or the handset manufacturer.