Days after publishing a report on serious security lapses in the PayPal mobile payments application for the iPhone, a Chicago firm has released an analysis that finds similar problems in mobile banking applications from Bank of America and Wells Fargo.
The report, published on Thursday by ViaForensics, surveys mobile banking applications for a range of institutions and for both the iPhone and Android platforms. While most passed muster with the firm, the analysis by the company’s AppWatchdog platform found a number of flaws in Wells Fargo’s banking application for the Android platform. They include insecurely stored login information as well as insecure application data – a broad category that could include account numbers, balances and transfer information or user data. Bank of America’s application for Android was also found to store application data insecurely.
ViaForensics provides security analysis and testing services for software development firms, including those developing products for mobile applications. The firm’s discovery of security holes in the PayPal application for iPhone prompted a patch for that application. The flaws were reported in the Wall Street Journal just days after ViaForensics disclosed them to the vendor – a breach of so-called “responsible disclosure” policies that ViaForensics said was necessary to protect mobile application users.
In the expanded report, published late Thursday, the firm analyzed mobile applications from USAA, Bank of America, Chase, TD Ameritrade, Vanguard and Wells Fargo. Most of the applications that were studied passed ViaForensics’ tests with flying colors. TD Ameritrade’s applications were cited for insecure storage of a customer user name. ViaForensics co-founder Andrew Hoog said that, in itself, didn’t constitute a security vulnerability but it could be used by attackers. “We consider it important. It’s a piece of the puzzle,” Hoog said.
In the case of the Wells Fargo and Bank of America applications for Android phones, however, the findings were more serious.
In an interview with Threatpost on Thursday, ViaForensics co-founder Andrew Hoog said that his firm was doing the research as a public service. The analysis focused on two main areas: secure storage of data on the device, and secure storage and transmission of user authentication data like user names and passwords.
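The "insecurely stored login information" and "insecure application data" findings above come down to a simple check an app tester runs against a device's data directory: does the application leave credentials or account data in cleartext in its own storage? The following is an added example, not code from the article, from ViaForensics or from AppWatchdog, of such a check written in Python. It parses the real Android SharedPreferences XML format, but the sample files, the list of sensitive key names and the entropy threshold used to tell a cleartext value from an encrypted-looking one are all constructed heuristics for this illustration.

```python
import math
import re
from xml.etree import ElementTree as ET

# Key names that suggest credentials or account data.
# Constructed heuristic for this example; a real audit would tune it per app.
SENSITIVE_KEY = re.compile(r"user|login|pass|pin|token|session|account|acct|balance", re.I)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character: a cheap proxy for 'looks random/encrypted'."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_shared_prefs(xml_text: str) -> dict:
    """Read an Android SharedPreferences XML file into {key: value-as-string}."""
    root = ET.fromstring(xml_text)
    prefs = {}
    for node in root:
        name = node.get("name")
        if name is None:
            continue
        # <string> keeps its value as element text; boolean/int/long/float use a value attribute.
        prefs[name] = (node.text or "") if node.tag == "string" else node.get("value", "")
    return prefs


def classify_value(value: str, threshold: float = 4.0) -> str:
    """'plaintext' if the value reads like human data, 'opaque' if it looks encrypted or random.

    The 4.0 bits/char threshold is an assumption chosen for this example."""
    return "opaque" if shannon_entropy(value) >= threshold else "plaintext"


def audit_shared_prefs(files: dict) -> list:
    """files maps a path under the app's data directory to its XML text.

    Returns one finding per sensitive-looking key, tagged with whether the
    stored value is cleartext (the condition the report flags) or opaque."""
    findings = []
    for path, xml_text in files.items():
        for key, value in parse_shared_prefs(xml_text).items():
            if SENSITIVE_KEY.search(key):
                findings.append({"path": path, "key": key, "kind": classify_value(value)})
    return findings


# Constructed sample of what a pulled /data/data/<package>/shared_prefs/ directory might hold.
SAMPLE_APP_DATA = {
    "shared_prefs/login.xml": """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">jdoe</string>
    <string name="password">hunter2</string>
    <boolean name="remember_me" value="true" />
</map>""",
    "shared_prefs/session.xml": """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="session_token">aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789+/AbCd</string>
    <string name="last_account_number">1234567890123456</string>
    <int name="launch_count" value="7" />
</map>""",
}

if __name__ == "__main__":
    for finding in audit_shared_prefs(SAMPLE_APP_DATA):
        print(f"{finding['path']}: {finding['key']} -> {finding['kind']}")
```

The entropy heuristic only separates values that look like human-readable data from values that look like ciphertext or random tokens; it cannot prove that an opaque value is actually encrypted with a key the attacker lacks, so an "opaque" result is a lead for manual review rather than a pass. A cleartext hit on a credential key is the concrete condition behind the report's "insecurely stored login information" finding.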
Hoog said that the rush to develop applications for hot mobile platforms like iPhone and Android is causing many otherwise security-conscious firms to give short shrift to the testing and quality assurance that could spot vulnerabilities or lax data security.
In cases where applications have serious security vulnerabilities, as with those identified in the PayPal and Wells Fargo applications, Hoog said that customers should simply stop using those applications until patches are issued by the vendors.
The larger fix, however, will have to come during the design, development and testing phases for mobile applications – not all of which require a ground-up redesign of the applications in question.
“Some of the changes that are needed are significant, ground-up changes to the applications. But there are also quicker fixes that can be rolled out quickly,” he said.