Most, if not all, security-sensitive apps use what’s known as a TLS connection to create a securely encrypted link between their servers and your phone. This ensures that when you’re, say, doing your banking on your phone, you actually are communicating with your bank and not some random, potentially dangerous server.
There’s just one small problem: According to a paper presented Wednesday at the Annual Computer Security Applications Conference in Orlando, researchers at the University of Birmingham have found nine popular banking apps have not been taking the proper precautions when setting up their TLS connection. These apps have a combined user base of 10 million people, all of whose banking login credentials could have been compromised if this flaw was exploited.
“This is serious, users trust that these banks can do their operations security,” Chris McMahon Stone, a computer security PhD student at the University of Birmingham, tells Inverse. “This flaw is now fixed, we disclosed it to all of the banks involved. But if an attacker knew about this vulnerability and say a user is running an outdated app, then it would be pretty trivial to exploit. The only requirement is that the attacker would need to be on the same network as their victim, so like a public WiFi network.
Here’s the list of affected apps, per the paper.
TLS connection is supposed to ensure that when you type in your bank login information, you are only sending it to your bank and no one else. This security precaution is a two-step process.
It starts with banks or other entities sending over a cryptographically signed certificate, verifying that they really are who they claim to be. These signatures are given out by the certificate authorities, which are trusted third parties in this process.
Once this certificate is sent over — and the app makes sure it’s legit — the hostname of the server must be verified. This is simply just checking the name of the server you are trying to connect to make sure you aren’t establishing a connection with anyone else.
It’s this second step where these banks dropped the ball.
“Some of these apps that we discover were checking that the certificate was correctly signed, but they weren’t checking the hostname properly,” says Stone. “So they would expect any valid certificate for any server.”
This means an attacker could spoof a certificate and mount a man-in-the-middle attack. Where the attacker hosts the connection between the bank and the user. This would give them access to all the information sent during that connection.
While this flaw has been rectified, if you use any of the apps listed above you must make sure your app is updated to get the fix. Stone also strongly urges people to do their mobile banking at home, one their own network to avoid any possibilities of a man-in-the-middle attack.
Stay safe on the web, friends.