So how secure is my mobile banking app?

(Image inspiration from http://www.infosightinc.com/IT-Security/data_loss_prevention.php)

Overall the applications did secure the users’ PII, but there was some data leakage that gave me information about the user and their transaction history. However, it’s important to note that the user’s financial information and personally identifiable information is secure when using the applications.

How do I know?

Well, by monitoring the data sent over the network using an ARP spoof attack. I wasn’t able to see financial information that was sent over the network. By using Wireshark to capture the packets sent over the network, I was only able to confirm that the applications are using port 443 to send data over the network. I was also able to confirm that the apps are using certificates from CAs like VeriSign to ensure authorization when the user logs into the application. Using Paraben’s Device Seizure to view the data stored on the devices, I was able to see that the data stored didn’t contain any financial information or personally identifiable information (PII). However, depending upon the application, data that contained user information, card description, and transaction information was stored on the device. Some information was encrypted and some information was stored in plaintext.

Data stored on the device

Using Paraben’s Device Seizure, I was able to acquire the data stored on the device by the apps. The apps encrypted or hashed the data on the device. Applications such as Lemon Wallets, Venmo and PayPal for Android devices stored user information in plain text. User information such as email address, transaction history, geo-location, card type, and date of birth is stored on the device. An example of what is stored on the device is shown below.


One of the files that Lemon Wallets stored on the device is data about the user’s profile. This data was located in the app’s SQLite database. In the SQLite database, other information about the user was stored, such as transaction data and card description. Lemon Wallets stores the user’s digital copies of their cards on the device, but the digital copies are encrypted. Like Lemon Wallets, user information can be seen for Venmo and the PayPal app for Android as well.
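To make the kind of check described above repeatable, here is an added example (my own code, not from the original post or from any of the apps or tools named) that audits an app's SQLite database for plain-text PII: email addresses, dates (date of birth or transaction dates) and card numbers, with a Luhn check so that ordinary long digit runs are not mistaken for cards. The database it scans is constructed in memory as a stand-in for a pulled app database; the table and column names are invented, and `scan_sqlite`, `classify` and `build_sample_db` are my names.

```python
import re
import sqlite3
from typing import List, Tuple

# Patterns for the kinds of data the post found stored in plain text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DATE_RE = re.compile(r"\b(19|20)\d{2}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value: str) -> List[str]:
    """Return the PII kinds found in one text cell (each kind at most once)."""
    kinds = []
    if EMAIL_RE.search(value):
        kinds.append("email")
    if DATE_RE.search(value):
        kinds.append("date")
    for match in CARD_RE.finditer(value):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            kinds.append("card_number")
            break
    return kinds


def scan_sqlite(conn: sqlite3.Connection) -> List[Tuple[str, str, str]]:
    """Walk every table and text column; return (table, column, kind) per hit."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for column, value in zip(columns, row):
                if isinstance(value, str):          # encrypted blobs/numbers never match
                    for kind in classify(value):
                        findings.append((table, column, kind))
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for an app's on-device database (not real app data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE profile(id INTEGER, email TEXT, dob TEXT, card_desc TEXT, card_blob TEXT);
        CREATE TABLE transactions(id INTEGER, note TEXT, amount REAL, ts TEXT);
        INSERT INTO profile VALUES(1, 'alice@example.com', '1990-05-21',
                                   'Visa 4111 1111 1111 1111', 'ENC:9f3a...');
        INSERT INTO transactions VALUES(1, 'dinner with bob@example.com', 24.50, '2013-03-15');
    """)
    return conn


if __name__ == "__main__":
    for table, column, kind in scan_sqlite(build_sample_db()):
        print(f"{table}.{column}: plain-text {kind}")
```

The encrypted card image (`card_blob`) produces no finding, which is exactly the point: a clean report means the sensitive columns are at least not readable to anyone who copies the database off the device. Run it against a real pulled database by replacing `build_sample_db()` with `sqlite3.connect(path)`.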

The Next Step: Arp Spoofing with Cain and Abel (a tutorial)

Cain and Abel

The next step I did in my project was to find a tool that allows me to do an ARP spoof of the device, so that I can monitor the traffic to and from the device. ARP spoofing allows me to monitor the device by having the traffic to and from the mobile device pass through my laptop before it reaches its destination. In this post, I am going to give a tutorial on how to use Cain and Abel before I share my results. This post will serve as a helper to users who don’t know how to ARP spoof using this tool. This post begins on the assumption that you have already downloaded the tool (the tool can be found at http://www.oxid.it/cain.html).

Before you can ARP spoof with this tool you have to configure the tool for the network that your device is on (please note that the target device and the device you are using have to be on the same network).


The tool is configured once you have clicked OK. Next, we have to start the sniffer so that the tool can populate a list of all the hosts on the network. To do this, click on the Sniffer tab and then click on “Start/Stop Sniffer” in the toolbar. After that, click on the blue cross to add hosts to the list.


A new dialog box should open. Once the dialog box opens, make sure “All hosts in my subnet” is checked and then press OK. The tool will add all the hosts that are on the network at the time. Make sure the target device that you are looking for is in the list before you start ARP spoofing. Once you have verified that the target device is on the network you can start the next step, ARP spoofing the device.

On the bottom toolbar, there is a yellow icon called APR; click on this icon. Once the icon is clicked a new tab will show. Next, click on the blue cross to add a new “ARP Poison Routing” entry to the list; once you click on the blue cross a window will open.


For this project, before I started ARP spoofing my target device, I set up a Wireshark capture so that I could monitor the data from the ARP spoof. Once Wireshark was set up, I poisoned the device and then filtered the packets captured in Wireshark by the IP address of the target device that I was currently ARP spoofing. For the results I got from ARP spoofing my device, please look for my next blog post.

Progress Report

While working on this project, I came across several obstacles. These obstacles were difficult and challenging to overcome, but with dedication and hard work (also knowing when to ask for help) I was able to overcome them.

The first obstacle I had was when I tried to capture the traffic from the target devices. While trying to capture the traffic, I was unable to see the traffic from my target IP address in Wireshark. Through research and discussing the problem in class, I was able to try two different ideas. The first idea was to make a hot spot and the second idea was to do an ARP spoof attack. Using Cain and Abel, I was able to try the ARP spoof attack and see traffic from my target devices.

(http://www.windowsecurity.com/articles-tutorials/intrusion_detection/Tools-Trade-revisited-Part3.html)

Another obstacle that I ran into while working on this project was trying to get SSL strip to work. This obstacle was really challenging for me, but I was able to overcome the issue by putting in time and again asking for help when I no longer knew how to solve the issue. Once I brainstormed the issue and sought out help, it turned out that SSL strip didn’t work because I did the attack in a VM (Virtual Machine) instead of on a computer with a Linux OS (Operating System).


(http://www.thoughtcrime.org/software/sslstrip/)

Thankfully I was able to overcome these obstacles and continue with this project. In the future, I will post another progress report and more posts of the steps I have taken so far. If you have any questions please comment!

The Next Step: SSL Strip

Looking at the results from the ARP spoof, I noticed that the app uses the SSL protocol when sending traffic over the network. In order to see if the app is really utilizing the SSL protocol in a secure way that protects the user’s passwords, I decided to do an SSL strip attack.

How does SSL strip work?

When SSL strip is used, the tool takes what would be a secure connection and strips it down so that it is unsecured. It does this by intercepting the redirect that a site issues to move the client from an unsecured (HTTP) connection to a secure (HTTPS) connection.

(Figure: SSL strip diagrams, before and after the attack)

In the first diagram above, the HTTP connection is redirected to an HTTPS connection (an unsecured connection is redirected to a secure connection). In the second diagram, once the SSL strip attack is working, the HTTP connection tries to redirect to a secure connection, but the attack intercepts the redirect and keeps the client on an unsecured connection.
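The redirect-interception just described only works if the client starts on plain HTTP and the site relies on that redirect to get it to HTTPS. The standard defence is HTTP Strict Transport Security (RFC 6797), which makes the browser upgrade to HTTPS on its own, and HSTS preloading, which closes the first-visit gap. As an added example (my own code, not from the original post or from the sslstrip tool), here is a small checker that parses a `Strict-Transport-Security` header and classifies a login flow's exposure from the responses a defender can collect with nothing more than a packet capture; the scenario values in `main` are constructed, and `parse_hsts` and `assess_stripping_exposure` are my names.

```python
from typing import Dict, Optional, Tuple


def parse_hsts(header: Optional[str]) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security value. Returns None if absent or malformed
    (max-age is mandatory, so a header without it carries no policy)."""
    if header is None:
        return None
    parsed: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                parsed["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed if parsed["max_age"] is not None else None


def assess_stripping_exposure(client_scheme: str, http_status: int, http_location: Optional[str],
                              https_hsts: Optional[str], hsts_cached: bool) -> Tuple[str, str]:
    """Classify one login flow as 'not_affected', 'protected' or 'exposed' to a
    redirect-interception downgrade, with a one-line reason.

    client_scheme : scheme the client uses for its first request ('http' or 'https')
    http_status   : status the site returns to a plain-HTTP request
    http_location : Location header of that response, if any
    https_hsts    : Strict-Transport-Security header the HTTPS site sends, if any
    hsts_cached   : whether this client has already stored the site's HSTS policy
    """
    if client_scheme == "https":
        return ("not_affected", "client connects directly over HTTPS; there is no redirect to intercept")
    hsts = parse_hsts(https_hsts)
    if hsts and hsts["preload"]:
        return ("protected", "HSTS preload: the client never sends the first plain-HTTP request")
    if hsts and hsts["max_age"] > 0 and hsts_cached:
        return ("protected", "cached HSTS policy: the client upgrades to HTTPS before sending anything")
    redirects_to_https = 300 <= http_status < 400 and (http_location or "").lower().startswith("https://")
    if redirects_to_https:
        if hsts and hsts["max_age"] > 0:
            return ("exposed", "first visit: the HTTP-to-HTTPS redirect can be intercepted until HSTS is cached")
        return ("exposed", "HTTP-to-HTTPS redirect with no HSTS: every visit can be downgraded")
    return ("exposed", "site answers over plain HTTP with no upgrade to HTTPS at all")


if __name__ == "__main__":
    # Constructed scenarios mirroring the post's two outcomes: an app that talks
    # HTTPS from the start, and a website login page reached over http://.
    scenarios = {
        "mobile app, HTTPS from first packet": ("https", 0, None, None, False),
        "website, redirect only": ("http", 302, "https://bank.example/login", None, False),
        "website, HSTS first visit": ("http", 302, "https://bank.example/login", "max-age=31536000", False),
        "website, HSTS cached": ("http", 302, "https://bank.example/login", "max-age=31536000", True),
        "website, HSTS preloaded": ("http", 301, "https://bank.example/", "max-age=31536000; includeSubDomains; preload", False),
    }
    for label, args in scenarios.items():
        verdict, reason = assess_stripping_exposure(*args)
        print(f"{label:40s} {verdict:13s} {reason}")
```

The "mobile app" scenario matches what the post observed: an app that opens an HTTPS connection directly never issues the redirect, so there is nothing for the attack to strip, while a website that depends on the redirect is exposed until the browser holds an HSTS policy for it.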

Results from SSL Strip

When running SSL strip against the apps (Bank of America, Mint, PayPal, Venmo, and Lemon Wallets), I wasn’t able to get data from the attack. Nothing was logged in the files, which means that the app connects directly to an HTTPS connection. However, I was able to get data when I ran the SSL strip attack against the web-based versions of the same services. I was able to see the passwords, usernames, and security questions.

Android Device

When looking at the logs from the SSL strip attack on the Android device, I was able to see the password and username for www.mint.com.


I was also able to see the security question and access ID for the Bank of America website.


I wasn’t able to get the password from the Bank of America website because the website only allows the user to enter a password once the security question and username are confirmed. For this attack, I entered fake usernames and security question answers.

iOS device

When looking at the logs for the iOS device, I was able to see the password and username for www.paypal.com.


I was also able to see the username and password for www.mint.com.


The next step: ARP spoofing

The next step in this project was to monitor the packets sent over the network from the Android and iOS devices. In order for me to see the packets that were sent over the network, I set up an ARP spoof attack using Cain and Abel.

I chose to use an ARP spoof attack because when trying to capture the packets over the network with Wireshark I wasn’t able to see traffic from my devices. To overcome this, I did an ARP spoof attack on the devices using Cain and Abel.


Fig. 1 shows what an ARP spoof with Cain and Abel looks like.

While running the ARP spoof with Cain and Abel, I was also capturing the packets that were sent over the network using Wireshark. The traffic from the devices was now visible in Wireshark because I did an ARP spoof on the devices while monitoring the network.


Fig. 2
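The ARP poison routing used in the tutorial earlier on this page and again in this section leaves a very recognisable trace on the wire: the gateway's IP suddenly answers from a different MAC, and one MAC starts answering for both the gateway and the victim. As an added example (my own code, not from the original post or from Cain and Abel), here is the defender's side of that: a detector that replays ARP replies in order and raises an alert on exactly those two events, which is what a network monitor or an ARP-watch style tool would do. The sample replies and all addresses in `SAMPLE_ARP_REPLIES` are constructed, and `detect_arp_spoofing` is my name.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed ARP replies as a sniffer might log them: (time, sender IP, sender MAC).
# The sequence imitates a poison-routing run: a third host starts claiming both
# the gateway's IP and a phone's IP so that their traffic flows through it.
SAMPLE_ARP_REPLIES: List[Tuple[str, str, str]] = [
    ("10:00:01", "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # gateway announces itself
    ("10:00:02", "192.168.1.20", "bb:bb:bb:bb:bb:20"),  # phone
    ("10:00:03", "192.168.1.30", "cc:cc:cc:cc:cc:30"),  # third host
    ("10:00:10", "192.168.1.1",  "cc:cc:cc:cc:cc:30"),  # third host now claims the gateway IP
    ("10:00:10", "192.168.1.20", "cc:cc:cc:cc:cc:30"),  # ... and the phone's IP
    ("10:00:12", "192.168.1.1",  "cc:cc:cc:cc:cc:30"),  # poisoning is re-sent periodically
]


def detect_arp_spoofing(replies: List[Tuple[str, str, str]], gateway_ip: str) -> List[Dict[str, str]]:
    """Replay ARP replies and alert when an IP changes owner (HIGH if it is the
    gateway) or when one MAC begins answering for more than one IP."""
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[Dict[str, str]] = []

    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({
                "ts": ts,
                "kind": "ip_moved",
                "severity": "HIGH" if ip == gateway_ip else "MEDIUM",
                "ip": ip,
                "detail": f"{ip} moved from {previous} to {mac}",
            })
        ip_to_mac[ip] = mac

        # Alert only on the transition, not on every repeated poison packet.
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append({
                    "ts": ts,
                    "kind": "mac_claims_multiple",
                    "severity": "HIGH" if gateway_ip in mac_to_ips[mac] else "LOW",
                    "ip": ip,
                    "detail": f"{mac} now answers for {sorted(mac_to_ips[mac])}",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, gateway_ip="192.168.1.1"):
        print(f"{alert['ts']} {alert['severity']:6s} {alert['kind']:20s} {alert['detail']}")
```

An IP changing MAC can also be a legitimate DHCP re-lease or a replaced router, so in practice the HIGH alerts are worth corroborating against a known gateway MAC; the combination of a gateway MAC change and one MAC answering for several IPs at the same moment is the pattern that has no innocent explanation.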

Wireshark was able to get a lot of traffic from the Android and iOS devices, but to make sifting through the data collected from the network easier I used a tool called NetworkMiner. Using this tool I was able to analyze the data and see the files that were sent over the network.

Using NetworkMiner, I was able to look at the data captured with Wireshark. When looking at the data I noticed that the data from the app (in this case Bank of America’s app) was sent through port 443 (red rectangle), using the SSL protocol (blue rectangle).


I also noticed that the data from Bank of America was sent to the DNS name mservice.ecglb.bac.com. This is shown in the orange square in the figure below.

Fig. 3

I also noticed that the Bank of America app requests certificates to authenticate when the user signs in. The app asks for a VeriSign Class 3 certificate and the guzzoni.apple.com certificate.

Fig. 4

The NetworkMiner tool allows you to view the certificate that was sent to the host in a new window. From this I was able to see details about the certificate that was sent. Below are pictures of the VeriSign and guzzoni certificates.

Fig. 5 Certificate for guzzoni

Fig. 6 Certificate for VeriSign

Is your mobile banking/payment app secure?

As the number of users of mobile payment apps rises, users become more concerned about the security of the apps. 87% of users who use mobile banking through their device have used their phones to check their balances or recent transactions, and 21% of mobile banking users have used their phone to deposit checks (http://www.americanbanker.com/issues/178_63/mobile-banking-usage-rises-but-so-do-security-concerns-survey-1057989-1.html). According to these figures, a significant number of users are using mobile payment/banking apps to view their financial information.

With the increase in the use of mobile payment apps, users’ concerns about security have also increased. According to the article “Mobile Banking Usage Rises, But So Do Security Concerns: Survey” by Brian Browdie, “The share of consumers who say banks’ mobile apps are “very safe” or “somewhat safe” fell to 38% from 42%, while the percentage who say they don’t know how safe it is to bank via a mobile browser rose to 36% from 30%.” (http://www.americanbanker.com/issues/178_63/mobile-banking-usage-rises-but-so-do-security-concerns-survey-1057989-1.html) As a fellow user of mobile payment/banking apps, I also wonder about the security of my financial information when I use a mobile banking app.

My curiosity about the subject matter has brought me to this project. In this project I will compare the security of the following apps:

(Image: http://techcrunch.com/2012/06/05/venmo/)

  • Venmo – is a service that makes it easy, safe, and fun to pay your friends. Venmo’s iPhone and Android apps allow you to make and share payments with friends for rent, utilities, dinner, drinks, movies, concert tickets, birthdays, laughs, and anything else. Paying with your debit card or bank account is free, and you can transfer money from your Venmo account balance to your bank account overnight. (http://techcrunch.com/2012/06/05/venmo/)

(Image: http://www.droidforums.net/forum/android-news/151229-bank-america-mobile-app-vastly-improved.html)

  • Bank of America – Bank on your schedule: access your Bank of America accounts right from your mobile device. Deposit a check, pay bills, transfer money and see your transaction history whether you’re at home or on the go. Look up your balance or BankAmeriDeals® anytime, even when you’re standing in the checkout line. (https://www.bankofamerica.com/online-banking/mobile.go)

(Image: http://www.ourtuts.com/great-free-apps-for-bloggers-with-mobile-devices-android-and-ios/)

When comparing the security of each app I will look at the following:

  • How the apps handle passwords and usernames (whether they are hashed or encrypted)
  • If the financial information that is passed over the network is secured
  • If account numbers and usernames are stored on the device
  • If apps that allow check deposits store images of the check on the device
  • The security settings within the app (e.g. if the app times out when inactive etc.)

Over the course of the next few months I will be working on this project and comparing the security of each app mentioned above. I will use the forensic tool Paraben Device Seizure and Wireshark to forensically analyze the apps. I will keep this blog updated with my findings and with the next steps I take in my project; please feel free to comment with any questions!