Most iPhone banking apps vulnerable to hacking

iPhone banking apps can be easy to crack for info

A report from security assessment firm IOActive suggests that most mobile banking apps for iPhone and iPad are full of flaws.

IOActive researcher Ariel Sanchez recently studied the security features of 40 mobile banking apps for iOS, including the apps used by some of the world's leading financial institutions.

All of the apps that Sanchez tested could be installed and run on jailbroken devices, which have been modified by the user to accept apps unauthorized by Apple. Running an app on a jailbroken device lets attackers circumvent the security features built into iOS and access the restricted resources of other apps on a user's device.

In an IOActive blog post outlining his research, Sanchez noted that 40 per cent of the apps tested had compromised transport mechanisms and 90 per cent contained links that did not use SSL. This leaves app users susceptible to 'man-in-the-middle' attacks, in which users may be redirected to malicious sites where their login information can be stolen.

Attacks at the coffee shop?

These attacks are more likely to happen on untrusted networks like WiFi hotspots, which makes mobile banking from public locations like coffee shops less of a convenience and more of a nightmare waiting to happen.

In his blog post, Sanchez notes that phishing attacks that utilize cross-site scripting have become very popular lately, often resulting in the theft of a victim's login credentials. In a typical attack, the user might be asked to re-enter his or her username and password "because the online banking session has expired." Such an attack can give cybercriminals full access to a customer's bank accounts.

Sanchez offered some recommendations for developers of mobile banking apps to consider in the future. These include tightening the security of transfer protocols for all connections made, enforcing SSL certificate checks by the client application, encrypting data using iOS's own data protection and removing all development code from the released application.
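The certificate-check recommendation above, as an added example that is not code from IOActive's report or from any of the apps tested: an iOS URLSession delegate that keeps the system's chain and hostname validation and additionally pins the server's leaf certificate, plus a request builder that refuses non-HTTPS links. The class name and the pin value are placeholders chosen for this illustration.

```swift
import Foundation
import CryptoKit

/// Accepts a server only if (1) the normal system trust evaluation passes
/// (valid chain and hostname) and (2) the leaf certificate's SHA-256
/// fingerprint is in the pin set. A delegate that skips step 1 or always
/// answers .useCredential is the "compromised transport" pattern IOActive describes.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedLeafSHA256: Set<String>

    init(pinnedLeafSHA256: Set<String>) {
        self.pinnedLeafSHA256 = pinnedLeafSHA256
    }

    /// Lower-case hex SHA-256 of the certificate's DER encoding.
    static func fingerprint(of certificate: SecCertificate) -> String {
        let der = SecCertificateCopyData(certificate) as Data
        return SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only server-trust challenges are handled here; others get default handling.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Step 1: system chain + hostname validation; never bypass this on a release build.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Step 2: pin the leaf so a certificate from a rogue-but-trusted CA is still rejected.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first,
              pinnedLeafSHA256.contains(Self.fingerprint(of: leaf)) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

/// Refuses the "non-SSL link" case: only https:// URLs become requests.
func secureRequest(_ urlString: String) -> URLRequest? {
    guard let url = URL(string: urlString), url.scheme == "https" else { return nil }
    return URLRequest(url: url)
}

// Placeholder pin: replace with the real fingerprint of the bank's leaf certificate.
let delegate = PinnedSessionDelegate(pinnedLeafSHA256: ["<sha256-hex-of-expected-leaf-certificate>"])
let session = URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
```

Pinning the leaf means the pin set must be updated before the server certificate rotates, so ship the next certificate's fingerprint alongside the current one.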
