Why banker Bob (still) can’t get TLS right: A Security Analysis of TLS in Leading UK Banking Apps

Tom Chothia, Flavio Garcia, Chris Heppel, Christopher McMahon Stone

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Citations (Scopus)
359 Downloads (Pure)

Abstract

This paper presents a security review of the mobile apps provided by the UK’s leading banks; we focus on the connections the apps make, and the way in which TLS is used. We apply existing TLS testing methods to the apps, which only find errors in legacy apps. We then go on to look at extensions of these methods and find that five of the apps have serious vulnerabilities. In particular, we find that two apps pin a TLS root CA certificate, but do not verify the hostname. In this case, the use of certificate pinning means that all existing test methods would miss detecting the hostname verification flaw. We find that three apps load adverts over insecure connections, which could be exploited for in-app phishing attacks. Some of the apps use the user’s PIN as authentication, for which PCI guidelines require extra security, so these apps use an additional cryptographic protocol; we study the underlying protocol of one banking app in detail and show that it provides little additional protection, meaning that an active man-in-the-middle attacker can retrieve the user’s credentials, log in to the bank and perform every operation the legitimate user could.
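The pinning-without-hostname flaw described in the abstract, as an added Go example (not code from the paper or from the apps it studied): it constructs an in-memory root CA and leaf certificates, then shows that a chain check against the pinned root accepts a certificate issued to any hostname unless the expected hostname is also verified. The CA name and hostnames are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // distinct serial number for each constructed certificate

// issue builds a certificate for cn/dns signed by parent (nil parent: self-signed CA); all in memory.
func issue(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	serial++
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyPinned accepts only chains ending at the pinned root. With host == "" it reproduces the
// flawed clients (chain checked, hostname ignored); with the expected host it is the correct check.
func verifyPinned(leaf, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	root, rootKey := issue("Pinned Root CA (constructed)", nil, true, nil, nil)
	other, _ := issue("other.example", []string{"other.example"}, false, root, rootKey)
	// First result is nil (accepted); the second is a hostname mismatch error.
	fmt.Println(verifyPinned(other, root, ""), "|", verifyPinned(other, root, "bank.example"))
}
```

Any certificate a pinned CA has issued, for any name, passes the pin-only check, which is why a test that only swaps in an untrusted CA cannot reveal the flaw.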
Original language: English
Title of host publication: Financial Cryptography and Data Security
Subtitle of host publication: 21st International Conference, FC 2017, Sliema, Malta, April 3-7, 2017, Revised Selected Papers
Editors: Aggelos Kiayias
Publisher: Springer
Pages: 579-597
Number of pages: 18
ISBN (Electronic): 9783319709727
ISBN (Print): 9783319709710
DOIs
Publication status: E-pub ahead of print - 23 Dec 2017
Event: 21st International Conference on Financial Cryptography and Data Security (FC 2017) - Sliema, Malta
Duration: 3 Apr 2017 to 7 Apr 2017

Publication series

Name: Lecture Notes in Computer Science
Publisher: Springer
Volume: 10322
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 21st International Conference on Financial Cryptography and Data Security (FC 2017)
Country/Territory: Malta
City: Sliema
Period: 3/04/17 to 7/04/17
