Wells Fargo, BoA Cited For Lax Mobile App Security

Days after publishing a report on serious security lapses in the PayPal mobile payments application for the iPhone, a Chicago firm has released an analysis that finds similar problems in mobile banking applications by Bank of America and Wells Fargo.


The report, published on Thursday by ViaForensics, surveys mobile banking applications for a range of institutions and for both the iPhone and Android platforms. While most passed muster with the firm, the analysis by the company’s AppWatchdog platform found a number of flaws in Wells Fargo’s banking application for the Android platform. They include insecurely stored login information as well as insecure application data – a broad category that could include account numbers, balances and transfer information or user data. Bank of America’s application for Android was also found to store application data insecurely. 

ViaForensics provides security analysis and testing services for software development firms, including those developing products for mobile applications. The firm’s discovery of security holes in the PayPal application for iPhone prompted a patch for that application. The flaws were reported in the Wall Street Journal just days after ViaForensics disclosed them to the vendor – a breach of so-called “responsible disclosure” policies that ViaForensics said was necessary to protect mobile application users.

In the expanded report, published late Thursday, the firm analyzed mobile applications from USAA, Bank of America, Chase, TD Ameritrade, Vanguard and Wells Fargo. Most of the applications that were studied passed ViaForensics’ tests with flying colors. TD Ameritrade’s applications were cited for insecure storage of a customer user name. ViaForensics co-founder Andrew Hoog said that, in itself, didn’t constitute a security vulnerability, but it could be used by attackers. “We consider it important. It’s a piece of the puzzle,” Hoog said.

In the case of the Wells Fargo and Bank of America applications for Android phones, however, the findings were more serious. 

In an interview with Threatpost on Thursday, ViaForensics co-founder Andrew Hoog said that his firm was doing the research as a public service. The analysis focused on two main areas: secure storage of data on the devices, and secure storage and transmission of user authentication data like user names and passwords. 

 

Host of issues: what our public service, AppWatchdog, really tries to highlight is three main areas: do these apps securely store data on the device? Do they securely store or transmit the user name? Do they securely store/transmit your password? Security testing is difficult and expensive; there is a whole bunch more testing we can do.
Help during development stages to secure apps: AppSecure. In working with them, take the top 3 plus 15 or 18 different ones and help protect data. 
Caching, encryption and secure transmission. 
There are other issues that we highlighted: stores app data on the device, and user name. Defining each of those categories so that they explicitly tell people what we are talking about here. If the UID is stored without any encryption or obfuscation on the device, we consider it an issue: an important piece of the puzzle, not a game ender. There are apps that log in securely; when you come back: are you Paul****? There are companies that have securely implemented this; it is possible, and if companies do not do that, we flag it. We believe in an ethical disclosure policy and work with vendors. PayPal was contacted ahead of time and provided a detailed explanation to recreate the test. People at risk: end users. ViaForensics put users at risk. Are there actions users can take to mitigate: stop using the PayPal app, log in from a computer or whatever; stop using it until PayPal patches. Work with vendors and disclose. We think the risk is significant and happening now, so we inform users. It is simple to do that. 
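The three checks described above (is app data stored securely on the device, and are the user name and password stored or transmitted securely) come down to one test a reviewer can run after logging into an app with known test credentials: pull the app's private data directory off a rooted test device and look for those credentials in any recoverable form. The script below is an added example of that check, not ViaForensics or AppWatchdog code; the file contents, the credentials and the `/data/data/<pkg>/` layout it assumes are constructed for the demo. It also shows why a masked greeting such as "Paul****" passes while a base64-encoded password does not: encoding is obfuscation, not encryption.

```python
"""Check a pulled Android app data directory for credentials stored in the clear.

Added example, not ViaForensics/AppWatchdog code. It assumes the tester has
logged into the app under test with KNOWN test credentials on a rooted test
device and copied the app's private data (shared_prefs/, databases/, files/)
to the workstation; the file contents below are constructed for the demo.
"""
import base64
from typing import Dict, List, Tuple

# (relative path, credential field, encoding in which it was found)
Finding = Tuple[str, str, str]

# Constructed test credentials the tester used to log in (hypothetical).
TEST_CREDENTIALS = {
    "username": "paul.smith@example.com",
    "password": "correct-horse-battery",
}

# Constructed stand-in for files pulled from /data/data/<pkg>/ (hypothetical).
SAMPLE_FILES: Dict[str, bytes] = {
    # user name in the clear, password base64-encoded: obfuscation, not protection
    "shared_prefs/login.xml": (
        b'<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
        b'    <string name="user">paul.smith@example.com</string>\n'
        b'    <string name="pwd">Y29ycmVjdC1ob3JzZS1iYXR0ZXJ5</string>\n'
        b"</map>\n"
    ),
    # masked greeting is fine: the full user name cannot be recovered from it
    "files/last_login.txt": b"Welcome back, Paul****",
    # opaque blob (e.g. ciphertext under a key derived from the user's PIN);
    # nothing searchable in here
    "databases/session.bin": bytes(range(0x10, 0x40)),
}


def _encodings(secret: str) -> List[Tuple[str, bytes]]:
    """Forms an attacker reverses in seconds; none of them count as encryption."""
    raw = secret.encode()
    return [
        ("plaintext", raw),
        ("base64", base64.b64encode(raw)),
        ("hex", raw.hex().encode()),
    ]


def scan_app_data(files: Dict[str, bytes], credentials: Dict[str, str]) -> List[Finding]:
    """Report every file in which a known credential appears in a recoverable form."""
    findings: List[Finding] = []
    for path, content in files.items():
        for field, secret in credentials.items():
            for how, needle in _encodings(secret):
                if needle in content:
                    findings.append((path, field, how))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Rate the result the way the article does: a recoverable password is
    serious; a bare user name is an issue but not a game ender."""
    if any(field == "password" for _, field, _ in findings):
        return "high"
    if findings:
        return "low"
    return "none"


if __name__ == "__main__":
    results = scan_app_data(SAMPLE_FILES, TEST_CREDENTIALS)
    for path, field, how in results:
        print(f"{path}: {field} recoverable ({how})")
    print("severity:", worst_severity(results))
```

On real pulled data, replace `SAMPLE_FILES` with a walk over the copied directory; the same search also applies to a captured network trace to cover the "securely transmit" half of the checks. A clean result does not prove the storage is encrypted well, only that the credentials are not lying around in a trivially reversible form.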

 

Hoog said that the rush to develop applications for hot mobile platforms like iPhone and Android is causing many, otherwise security-conscious firms to give short shrift to testing and quality assurance that could spot vulnerabilities or lax data security. 

In cases where applications have serious security vulnerabilities, as with those identified in the PayPal and Wells Fargo applications, Hoog said that customers should simply stop using those applications until patches are issued by the vendors. 

The larger fix, however, will have to come during the design, development and testing phases for mobile applications – and not all of the fixes require a ground-up redesign of the applications in question. 

“Some of the changes that are needed are significant, ground up changes to the applications. But there are also quicker fixes that can be rolled out quickly,” he said. 
