Security Analysis of Mobile Banking Apps

Submitted in 2015

Abstract

Nowadays, mobile banking services provide a convenient way to access one's bank account everywhere, at any time and from any mobile device. However, little is known about the security mechanisms that mobile banking apps offer to protect the user against malicious entities. In this Bachelor Thesis, we therefore provide the first in-depth security analysis of up-to-date mobile banking apps, based on a sample of 11 banking apps selected from the Google Play Store.

To this end, we leverage reverse engineering as well as static and dynamic analysis tools to investigate the attack surface and attack vectors resulting from the apps' structure, application components and network communication. In particular, we present vulnerabilities exploitable by a malicious app via on-device attacks, caused by insecure IPC endpoints and missing input sanitization. Furthermore, critical phishing and MITM scenarios based on unencrypted HTTP traffic are outlined.
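The on-device attack surface mentioned above is declared in each app's AndroidManifest.xml: any activity, service, broadcast receiver or content provider that the platform treats as exported can be reached by a co-installed malicious app, and if it carries no android:permission guard it is an unprotected IPC endpoint. The following script is an added illustration of that first static-analysis step; it is not code from the thesis. It applies the platform's export rules (an explicit android:exported wins; otherwise a component is exported if and only if it declares an intent-filter, and a provider is exported by default on minSdkVersion below 17) to a constructed sample manifest whose package and component names are invented for this example.

```python
"""Enumerate exported IPC endpoints declared in an AndroidManifest.xml.

Added example (not part of the thesis). Export rules applied:
  * android:exported="true"  -> reachable by other apps
  * android:exported="false" -> not reachable
  * attribute absent         -> exported iff the component declares an
                                <intent-filter>; content providers are
                                additionally exported by default when
                                minSdkVersion < 17
An exported component without android:permission (or, for providers,
without readPermission/writePermission) is an unprotected endpoint.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
GUARD_ATTRS = ("permission", "readPermission", "writePermission")

# Constructed sample manifest; package and component names are invented.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="22"/>
  <application android:label="ExampleBank">
    <activity android:name=".LoginActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.bank.SYNC"/>
    <receiver android:name=".SmsTanReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".AccountProvider"
              android:authorities="com.example.bank.accounts"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem, min_sdk):
    """Decide whether the platform exposes this component to other apps."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    if elem.tag == "provider" and min_sdk < 17:
        return True
    return elem.find("intent-filter") is not None


def exported_components(manifest_xml):
    """Return one record per exported component, with its permission guards."""
    root = ET.fromstring(manifest_xml)
    min_sdk = 1
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is not None and _attr(uses_sdk, "minSdkVersion"):
        min_sdk = int(_attr(uses_sdk, "minSdkVersion"))

    findings = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem, min_sdk):
            continue
        guards = [g for g in GUARD_ATTRS if _attr(elem, g)]
        findings.append({
            "type": elem.tag,
            "name": _attr(elem, "name"),
            "guards": guards,
            "protected": bool(guards),
        })
    return findings


def unprotected_endpoints(manifest_xml):
    """Names of exported components that any app on the device may invoke."""
    return [f["name"] for f in exported_components(manifest_xml)
            if not f["protected"]]


if __name__ == "__main__":
    for f in exported_components(SAMPLE_MANIFEST):
        state = "guarded by %s" % ", ".join(f["guards"]) if f["protected"] else "UNPROTECTED"
        print("%-8s %-20s %s" % (f["type"], f["name"], state))
```

The launcher activity is necessarily exported and will always appear in the list; the findings that matter are components such as the transfer activity, the SMS receiver and the content provider, which have no permission guard and therefore need to validate every incoming Intent or query themselves. A dynamic follow-up is to invoke each listed component with crafted input from a second app and observe whether the banking app sanitizes it.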

Finally, we show that obfuscation and certificate pinning are insufficiently deployed, and we conclude with an outlook on mobile banking security, including mobile-specific TAN procedures.

Recommended citation: Schwarz, Fabian Frank, "Security Analysis of Mobile Banking Apps". Bachelor Thesis. Saarland University. 2015