Banking apps (and one VPN) hit by worrying security flaw

Security researchers have found that some major UK and US banks had vulnerabilities in their mobile apps which potentially allowed malicious parties to steal login credentials, although these holes have apparently now been patched.

Researchers from the computer science department of the University of Birmingham in the UK found that banks including HSBC – and also a VPN provider, TunnelBear – had flaws in their iOS and Android apps which allowed for so-called ‘man in the middle’ attacks to take place.

The issue pertained to the way that the apps conduct ‘certificate pinning’, which allows the software to specify a certain certificate that is trusted for a given server. The vulnerability was in the implementation of certificate pinning and verification used when creating a TLS connection, Threatpost explains.

The result was that it was possible to spoof said certificate and therefore pull off a ‘man in the middle’ attack, in which the malicious party intercepts the connection and can obtain the victim’s login details.

Critical compromises

This is obviously particularly critical when it comes to online banking, and the affected apps included a whole range of HSBC apps (including the basic HSBC app, and HSBC Business app), along with Bank of America Health, Meezan Bank, and Smile Bank.

It’s also worrying that a VPN provider could have a hole in its software, too, considering Virtual Private Networks are all about making the internet a more secure and private place for users.

According to the report, all the banks have fixed the relevant vulnerabilities in their apps, but it just goes to show you that even software which really should be ultra-secure can still have holes in it.

TunnelBear isn’t mentioned in that regard, but presumably the provider has implemented a fix as well.

The researchers concluded: “Clearly, the abundance of pinning implementation options available to developers has played a role in causing these flaws to be made. Platform providers can make this less of an issue by providing standardised implementations with clear documentation. To this end, Google have introduced Network Security Configuration in the Android 7.0 SDK.

“If app developers make use of these standard implementations, instead of rolling out their own or using 3rd party libraries, these errors will be much less likely to occur.”
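The standardised approach the researchers point to, as an added illustration that is not part of the original article or of the researchers’ report: an Android Network Security Configuration file (supported from Android 7.0, API 24) that pins a server’s public key declaratively instead of relying on hand-written TLS verification code. The host name and the pin digests below are placeholders, not real values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml; referenced from AndroidManifest.xml via
     android:networkSecurityConfig="@xml/network_security_config" on <application>.
     Placeholder host and digests: replace with the real host and the base64 SHA-256
     of the Subject Public Key Info (SPKI) of the leaf or an intermediate CA certificate. -->
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api.bank.example</domain>
        <!-- After the expiration date the pins are no longer enforced (chain validation
             still is), so a forgotten rotation degrades to ordinary TLS rather than an outage -->
        <pin-set expiration="2025-12-31">
            <!-- Primary pin: SPKI SHA-256, base64-encoded (placeholder value) -->
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <!-- Backup pin for a key not yet deployed, so rotation does not lock users out (placeholder value) -->
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
        <!-- Pinning is applied on top of normal chain and hostname validation, not instead of it -->
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```

The SPKI digest for a PEM certificate can be produced with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`.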

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).