
Study: 35% of banking apps do not encrypt the information they send

Although banks have kept improving the security of their apps over the past two years, a survey shows that most mobile banking apps still leak customer information.

Researchers at the security firm IOActive say that mobile banking apps still fail to protect user information adequately: a large share of the data they transmit still travels over non-SSL links, that is, unencrypted.

Security researcher Ariel Sanchez noted in his 2013 research report that 90% of mobile apps contained non-SSL links, meaning an attacker only had to intercept the traffic and inject content such as fake login prompts to steal users' credentials.

Two years on, the researchers ran the same tests again. The results show that mobile banking apps have improved, with only 35% still sending information unencrypted.

Of course, a further 30% of apps perform no validation, which means that 12.5% of mobile banking apps would cause losses to their users under a common attack.

Sanchez said: "Although the overall security of mobile banking apps has improved over the past two years, it is still far from enough; a great many apps remain vulnerable to attack."

In 2013, Sanchez found that 50% of mobile banking apps were highly vulnerable to JavaScript injection. In 2015, 30% of apps were still vulnerable to it, because exposed native iOS functionality allows an attacker to remotely send SMS messages or emails from the user's phone and carry out attacks.

Sanchez's 2013 report also pointed out that 70% of mobile banking apps had not implemented any form of alternative or multifactor authentication.

Sanchez's latest research shows that improvement in this area over the past two years has been disappointing, with 42.5% of apps still using no additional authentication measures to guard against attack.

Although most apps faced the threat above in 2013, 40% of apps also leaked records of user activity and client-server interactions through system or custom logs such as crash reports, giving attackers an opening.

Another security issue Sanchez found in 2013 was that 5% of account activation codes were sent entirely over plaintext (HTTP) links, so an attacker could intercept the traffic, read the code and steal account information.

Although those issues have since been addressed, 15% of apps still store unencrypted user information, such as details of customers' bank accounts and transaction history, as plain text in the phone's file system.

In addition, 17.5% of apps have hardcoded customer-related information in their binaries, 7.5% still lack compiler protections (such as PIE), and only 15% have runtime jailbreak protection that warns users of the risks of using the app on a jailbroken device.

Sanchez concluded that although most mobile apps keep being updated in an effort to protect users from MitM attacks, and the number of apps vulnerable to specific flaws has fallen overall since 2013, authentication methods and overall app security have not improved greatly.

Sanchez said: "Mobile banking apps have improved considerably in security, but they still need to keep working to find newer and better solutions so that every customer's data is protected. The key is recognising that mobile banking app security is a business issue rather than a technical issue."

Readers can find the full 2013 and 2015 findings by Sanchez on the IOActive blog.

Despite some improvements to the security of mobile banking apps over the last two years, research has shown that a significant percentage still leave customer information exposed.

Mobile banking apps still fail to sufficiently protect customer information, with significant numbers still containing non-SSL links that send information unencrypted, a researcher from security firm IOActive has found.

Security researcher Ariel Sanchez discovered in 2013 that 90 per cent of apps contained non-SSL links throughout, which attackers could use to intercept traffic as well as to insert scams like fake login prompts that allowed them to steal credentials.

Running the same tests two years after the initial research was conducted showed an improvement, with only 35 per cent of apps demonstrating the same vulnerability in 2015.

30 per cent also did not validate incoming data in 2015, meaning that in total 12.5 per cent of mobile banking apps are vulnerable to man in the middle (MitM) attacks with users exposed to fraud and account hijacking.

Sanchez said that “while overall security has increased over the two-year period, it is not enough, and many apps remain vulnerable”.

In 2013, Sanchez discovered that 50 per cent of all mobile banking apps were vulnerable to JavaScript injections.

Two years later, in 2015, 30 per cent were still vulnerable to the same flaw, allowing client-side attacks due to exposed native iOS functionality enabling remote attackers to send SMSes or emails from victim devices.

Sanchez’s 2013 research also found that 70 per cent of mobile banking apps did not require any form of alternative or multifactor authentication solutions.

His latest findings show that this has not improved significantly over the last two years, as 42.5 per cent of apps still remain without any additional authentication measures.

Although the majority of apps were guilty of this in 2013, 40 per cent of apps still leaked information about user activity and client-server interactions through system or custom logs such as crash reports, which attackers can use to develop zero-day exploits with the intention of targeting users.

Another flaw discovered by Sanchez in 2013 was that one in five sent account activation codes through plain-text communication (HTTP) links, giving attackers a foothold to intercept traffic, hijack sessions and steal account information.

While this no longer appears to be the case, 15 per cent still currently stored unencrypted and sensitive information, such as details about customers’ banking accounts and transaction history, in plain text within the device’s file system.

Furthermore, 17.5 per cent currently had development or hardcoded information in their binary files, 7.5 per cent still did not have compiler protections such as PIE enabled and only 15 per cent had jailbreak protection in place to detect jailbroken devices and alert users to the dangers of using the app within this context.
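Two of the findings above, non-SSL links and hardcoded information in the binary, are the kind of thing a reviewer checks by pulling the printable strings out of an app package and scanning them. The following is an added example written for this page, not IOActive's test harness or any bank's code: a small audit that flags plaintext `http://` endpoints and credential-looking literals in a constructed list of strings (the hostnames and values are made up for the demonstration).

```python
import re
from dataclasses import dataclass

# Constructed sample input: strings as they might be extracted from an app
# binary with a tool such as `strings`. All hosts and values are invented.
SAMPLE_STRINGS = [
    "https://api.example-bank.test/v2/login",
    "http://static.example-bank.test/terms.html",
    "http://api.example-bank.test/v1/activate?code=",
    "api_key=AKIAFAKEEXAMPLEKEY12345",
    "password=dev-only-secret",
    "Welcome back",
    "file:///var/mobile/Containers/Data/transactions.txt",
]

# http(s) URL: capture the scheme so plaintext links can be told apart from TLS ones.
URL_RE = re.compile(r"\b(https?)://([^/\s:?#]+)[^\s\"']*", re.IGNORECASE)

# Credential-looking key/value literals that should never ship in a release build.
SECRET_RE = re.compile(r"\b(api[_-]?key|secret|password|token)\s*[=:]\s*\S+", re.IGNORECASE)


@dataclass
class Finding:
    category: str  # "plaintext-http-link" or "hardcoded-secret"
    value: str     # the offending string (or URL) for the report


def audit_strings(strings):
    """Return one Finding per insecure link or hardcoded secret in `strings`."""
    findings = []
    for s in strings:
        m = URL_RE.search(s)
        if m and m.group(1).lower() == "http":
            # A plaintext endpoint: anything sent here can be read or altered in transit.
            findings.append(Finding("plaintext-http-link", m.group(0)))
        if SECRET_RE.search(s):
            # Development or production credentials baked into the binary.
            findings.append(Finding("hardcoded-secret", s))
    return findings


def summarize(findings):
    """Count findings per category, the shape a survey like the one above reports."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_strings(SAMPLE_STRINGS)
    for f in results:
        print(f"{f.category:22} {f.value}")
    print(summarize(results))
```

Run as-is it reports two plaintext links (including the activation endpoint, the case the article singles out) and two hardcoded secrets; the `https://` login URL and the local file path pass. A real audit would feed it the output of `strings` on the unpacked binary and treat every `plaintext-http-link` hit as a transport finding to verify on the wire, since a string in the binary does not by itself prove the app uses that URL.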

Sanchez concluded that while most apps had improved their efforts to protect users from MitM attacks and overall numbers of apps subject to certain flaws had decreased, the lack of authentication measures and overall security had not improved sufficiently since 2013.

“There has been a significant improvement in the state of security in banking apps, but they still need to keep working on new and better solutions to keep the data safe of each customer,” Sanchez told Motherboard.

“The key is understanding that security is a business issue rather than an IT issue.”

Sanchez’s full 2013 and 2015 findings can be accessed via the IOActive blog.



Xiong Shan | Weiyang editorial team


Copyright © Internet Finance Lab, PBC School of Finance, Tsinghua University | 京ICP备17044750号-1