Articles & Presentations

Friday, June 3, 2011

Hacker Hurricane discovers Credit Union iPhone and Android app flaw

Part 1 of 2



I recently discovered that my Credit Union iPhone and Android application contains what I feel is a typical bonehead developer design flaw. Yes, smartphones can quickly become vulnerable through inadequate security requirements and poor developers not using a good Information Security professional to review the design, requirements and completed project.

Unfortunately this flaw is not unique among smartphone applications. I am sure, like most companies trying to capitalize on the smartphone market, they probably outsourced the application to what they thought was a company that advertised they would develop a 'secure' application.

Not knowing anything about the developers or the team at RBFCU that led the effort, I can only assume what they decided were the minimum security requirements. One that for sure should have been on their list clearly was not, and thus this article and my communications with the Credit Union.

This flaw had me digging into my iPhone application directory (iTunes\iTunes Media\Mobile Applications) expanding the package (ipa) looking for what the application stored in the clear versus hashing. I easily found my email address in the clear, not part of the login, but still, why store this in the application package if it doesn't use it? hmmm.
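The check described above, expanding the package and looking for values stored in the clear, can be scripted. This is an added example, not code from the original post or from the app; the package layout, file names, account number and email address are constructed sample values.

```python
import io
import plistlib
import zipfile

def _string_leaves(node, path=""):
    """Yield (key_path, text) for every string/bytes leaf of a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _string_leaves(value, f"{path}/{key}")
    elif isinstance(node, (list, tuple)):
        for i, value in enumerate(node):
            yield from _string_leaves(value, f"{path}[{i}]")
    elif isinstance(node, bytes):
        yield path, node.decode("latin-1")
    elif isinstance(node, str):
        yield path, node

def find_cleartext(ipa_bytes, needles):
    """Return sorted (member, location, needle) for each value found unencoded."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as package:
        for name in package.namelist():
            data = package.read(name)
            try:  # plists (XML or binary) get a key path, everything else a raw scan
                leaves = list(_string_leaves(plistlib.loads(data)))
            except Exception:
                leaves = None
            for needle in needles:
                if leaves is not None:
                    hits.update((name, p, needle) for p, text in leaves if needle in text)
                elif needle.encode() in data or needle.encode("utf-16-le") in data:
                    hits.add((name, "raw bytes", needle))
    return sorted(hits)

def build_sample_ipa():
    """Constructed sample package; every name and value here is made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(
            {"CFBundleName": "Demo", "SupportContact": "user@example.test"},
            fmt=plistlib.FMT_BINARY))
        package.writestr("Payload/Demo.app/Settings.plist", plistlib.dumps(
            {"User": {"LastAccount": "0001234567", "Remember": True}}))
        package.writestr("Payload/Demo.app/cache.db",
                         b"\x00\x01hdr" + "0001234567".encode("utf-16-le") + b"\xff")
    return buf.getvalue()

if __name__ == "__main__":
    for hit in find_cleartext(build_sample_ipa(), ["0001234567", "user@example.test"]):
        print(hit)
```

Run it against your own package with your own identifiers as the needles; a hit inside a plist names the key the value is stored under, which is the detail to hand to the developer.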

What I was looking for was my account number, which I found the developers store on the device in an improper way, yes, IMHO. Even after you uninstall the application it is stored. And yes, even after you sync up with your PC, when you would think the account number would be deleted. What was worse, after I deleted everything and recently had to restore my iPhone, I found the app still knew my account number. WTF, I deleted the application????

To coin a phrase my local InfoSec pro over at The Denim Group says.. 'SmartPhone, Dumb Apps'. Dan couldn't have been more on target with that phrase and lucky him the domain name too... 'Dot Com'.

We want our SmartPhones to be smart, but developers and/or the companies outsourcing development of these applications need to understand some basic requirements and good practices for secure smartphone application development.

1. Give me a choice to remember the key account or login information. For a bank or credit union it is the account number. For the IRS it is your SSN (Really, IRS, you want me to save my SSN on my smart.. Err dumb phone? Really? No, REALLY??). If my login is generic like my email, that might be fine, but really... Ask the user what they want to do. And if I have to tell you this also applies to the password, your developers should be fired quite frankly.

2. When developing an application, do not back up the credentials as a part of the application payload. When developers do this our credentials are now in two places and, as a security dude, the fewer places the credentials are stored the better. Not backing up credentials also takes away the need to back them up in a secure way, where many are stored in the clear or in a potentially insecure way. Storing a backup of smartphone credentials makes it easy for a compromised PC or Mac to give up smartphone credentials, which most of the time are the same credentials you use on your PC or Mac.

3. If an application is uninstalled or deleted, for crying out loud delete the credentials.. All of them... If you don't back them up, then deleting the app from your phone should be all a user needs to do, as many of us don't sync all that often. There is just no reason to store the credentials for any application that is not regularly accessed. Apps like LastPass, Keeper, Password Safe, etc. are where we should be keeping login credentials to critical items like our Internet presence login and passwords.

4. Users need help from themselves. Yes, I know you want to make the app easy to use for the user of the device, but most of us can remember our login if it is not our email address... If you feel the need, then make a recommendation for the user to download a free password store like Keeper to store the unique username/account and password. Really it is pretty easy and just a habit the user should learn and know for applications like financial, health and anything the user feels is something they really want to protect.

To be continued...

Dan's Smartphone dumb app Blog

#InfoSec #RBFCU #iPhone #App