Wednesday, February 9, 2011
(W) Warning mobile phone users
It seems many developers of mobile apps, banks included, are not following best practice for securing your user information...
MasterCard recently published some information about their API that clearly shows they store your username and password on your mobile phone.
Why should you care? Well, because what if you lose your phone or iPad? Your information may be stored in such a way that a person can obtain it fairly easily...
Why do they need to store this information? "Ease of use" is what they will tell you. In reality you can store information on a device securely and still have ease of use. The developers just refuse to practice this art of coding, not because it is hard, but most likely because the insecure way is faster and easier, and they may not care about security or think you don't.
I can tell you that malware is coming to your mobile device, and if these financial institutions don't care, you should. Would you feel OK giving a stranger your bank account number? Why not? (Assuming your answer was NO Fin WAY.) Apps that store usernames and passwords should do so in a secure fashion, and they don't.
I have seen Dan Cornell from Denim discuss iPhones, Eric Monti with Trustwave SpiderLabs also discuss iPhones, and MJ Keith discuss Droids, and I can tell you that simple code can sniff what is coming and going from, or stored on, your phone if the developers have not done it well and securely. Worse... it is fairly easy...
I discovered my bank stores my account number on my phone, so I did a test to get rid of it... I deleted the app, did a hard reset and reinstalled the app... My account number was still in the login field. But I uninstalled the app and reset the device????
Clearly the developers did NOT do it correctly. I will write more as I investigate this and see how vulnerable my bank app is and what they say when I call them.
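If you want to check your own apps the way I did above, an added example (not code from the post, MasterCard, or any bank) that walks an app's extracted data directory and flags preference files holding credential-looking keys in the clear; the directory layout, file names and values are constructed for the demo:

```python
"""Audit an app's on-device data files for cleartext credentials."""
import json
import os
import plistlib
import re
import tempfile
import xml.etree.ElementTree as ET

# Key names that commonly hold secrets in preference/settings files (assumed list).
SENSITIVE_KEY = re.compile(r"(user(name)?|pass(word|wd)?|pin|account|token)", re.I)

def _pairs(path):
    """Yield (key, value) pairs from a plist, JSON or Android shared_prefs XML file."""
    if path.endswith(".plist"):
        with open(path, "rb") as fh:
            yield from plistlib.load(fh).items()
    elif path.endswith(".json"):
        with open(path, encoding="utf-8") as fh:
            yield from json.load(fh).items()
    elif path.endswith(".xml"):
        for el in ET.parse(path).getroot():  # <string name="...">value</string>
            yield el.get("name", ""), el.text or ""

def find_cleartext_credentials(root_dir):
    """Return [(file, key, value)] for sensitive-looking keys holding a non-empty string."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                pairs = list(_pairs(path))
            except Exception:
                continue  # not a format we parse, or malformed; skip it
            for key, value in pairs:
                if SENSITIVE_KEY.search(str(key)) and isinstance(value, str) and value:
                    hits.append((os.path.relpath(path, root_dir), key, value))
    return hits

def build_sample_app_dir():
    """Create a constructed app data directory (not real bank data) for the audit to run on."""
    root = tempfile.mkdtemp()
    prefs = os.path.join(root, "Library", "Preferences")
    os.makedirs(prefs)
    with open(os.path.join(prefs, "com.example.bank.plist"), "wb") as fh:
        plistlib.dump({"username": "jdoe", "password": "hunter2", "theme": "dark"}, fh)
    with open(os.path.join(root, "settings.json"), "w", encoding="utf-8") as fh:
        json.dump({"accountNumber": "00001234", "version": "1.0", "pin": ""}, fh)
    return root

if __name__ == "__main__":
    for path, key, value in find_cleartext_credentials(build_sample_app_dir()):
        print(f"{path}: {key!r} stored in the clear ({len(value)} chars)")
```

Any hit means the app is keeping that value in a plain preferences file rather than in the platform's protected credential store; an empty value (like the `pin` above) is not reported.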