Why banker Bob (still) can’t get TLS right: A Security Analysis of TLS in Leading UK Banking Apps

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Authors

Colleges, School and Institutes

External organisations

  • University of Birmingham

Abstract

This paper presents a security review of the mobile apps provided by the UK’s leading banks; we focus on the connections the apps make, and the way in which TLS is used. We apply existing TLS testing methods to the apps which only find errors in legacy apps. We then go on to look at extensions of these methods and find five of the apps have serious vulnerabilities. In particular, we find that two apps pin a TLS root CA certificate, but do not verify the hostname. In this case, the use of certificate pinning means that all existing test methods would miss detecting the hostname verification flaw. We find that three apps load adverts over insecure connections, which could be exploited for in-app phishing attacks. Some of the apps used the users’ PIN as authentication, for which PCI guidelines require extra security, so these apps use an additional cryptographic protocol; we study the underlying protocol of one banking app in detail and show that it provides little additional protection, meaning that an active man-in-the-middle attacker can retrieve the user’s credentials, login to the bank and perform every operation the legitimate user could.

Details

Original languageEnglish
Title of host publicationFinancial Cryptography and Data Security
Subtitle of host publication21st International Conference, FC 2017, Sliema, Malta, April 3-7, 2017, Revised Selected Papers
EditorsAggelos Kiayias
Publication statusE-pub ahead of print - 23 Dec 2017
Event21st International Conference on Financial Cryptography and Data Security (FC 2017) - Sliema, Malta
Duration: 3 Apr 20177 Apr 2017

Publication series

NameLecture Notes in Computer Science
PublisherSpringer
Volume10322
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference21st International Conference on Financial Cryptography and Data Security (FC 2017)
CountryMalta
CitySliema
Period3/04/177/04/17