Research undertaken at the University of Birmingham’s School of Computer Science revealed that banks including HSBC, and the VPN provider TunnelBear, had flaws in their iOS and Android apps.
These flaws apparently allowed “man in the middle” attacks to take place, meaning that malicious parties could potentially steal customer information and view and manipulate network traffic.
The affected apps conduct a process called “certificate pinning”, in which they specify a particular certificate (typically a root or intermediate CA certificate) that is trusted for a particular server. The flaw occurred in the implementation of certificate pinning and verification used when creating a Transport Layer Security (TLS) connection: the apps checked that the certificate chain led to the pinned certificate, but did not check that the server’s certificate was actually issued for the hostname they were connecting to.
Outlining their findings at the Annual Computer Security Applications Conference in Orlando, Florida, Chris Stone, Tom Chothia and Flavio Garcia wrote:
This paper shows that certificate pinning can (and often does) hide the lack of proper hostname verification, enabling MITM attacks.
The report then listed the apps that failed to verify hostnames correctly while certificate pinning: Bank of America Health, TunnelBear VPN, Meezan Bank, Smile Bank, HSBC, HSBC Business, HSBC Identity, HSBCnet and HSBC Private. The report did, however, state that the processes described above are inherently difficult to implement correctly:
TLS is a tricky protocol to get right: both misconfiguration vulnerabilities and attacks on the protocol are common.
Automated tools do exist to test a variety of TLS flaws. However, none of these tools can detect the possibility that an app will pin to the root or intermediate certificate used but fail to validate the hostname… We argue that conducting large-scale testing in this manner is difficult and expensive.
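To make the flaw described above concrete, here is an added example (it is not code from the paper, from Spinner, or from any of the named apps) that uses Go’s standard crypto/x509 library to model the two verification patterns. It constructs, in memory, a pinned CA and a certificate that this CA has legitimately issued for a different host (the constructed names "Example Pinned Root CA", "other.example" and "bank.example" are assumptions). A check that only pins to the root accepts that certificate for "bank.example"; the corrected check, which pins and supplies the expected hostname, rejects it with a hostname error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate from tmpl. With parent == nil the certificate is
// self-signed (used here for the pinned CA); otherwise parent/parentKey sign it.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildScenario creates constructed test data: a pinned root CA and a leaf
// certificate that this CA genuinely issued, but for "other.example" rather than
// for the host the app wants ("bank.example"). The chain ends at the pinned root,
// so a pin-only check is satisfied even though the certificate is for the wrong host.
func buildScenario() (*x509.Certificate, *x509.Certificate, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Pinned Root CA"}, // assumed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, caKey, err := newCert(caTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "other.example"},
		DNSNames:     []string{"other.example"}, // valid certificate, just not for the bank's host
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := newCert(leafTmpl, ca, caKey)
	return ca, leaf, err
}

// verifyPinnedOnly mirrors the flawed pattern: the chain must end at the pinned
// certificate, but no DNSName is supplied, so no hostname verification happens.
func verifyPinnedOnly(leaf, pinned *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinned)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// verifyPinnedAndHost is the corrected pattern: pin to the root AND require that
// the leaf certificate is for the host the app actually connected to.
func verifyPinnedAndHost(leaf, pinned *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinned)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// isHostnameMismatch reports whether verification failed specifically on the hostname.
func isHostnameMismatch(err error) bool {
	var h x509.HostnameError
	return errors.As(err, &h)
}

func main() {
	ca, leaf, err := buildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("pin only,  bank.example :", verifyPinnedOnly(leaf, ca))                       // <nil>: accepted (the flaw)
	fmt.Println("pin+host,  bank.example :", verifyPinnedAndHost(leaf, ca, "bank.example"))   // hostname error
	fmt.Println("pin+host,  other.example:", verifyPinnedAndHost(leaf, ca, "other.example"))  // <nil>
}
```

The same two outcomes are what a tool like Spinner is looking for: a connection that presents a certificate from the pinned CA but for the wrong hostname should be refused, and an app that accepts it has the flaw the paper describes.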
The report said that all banks had been notified, and that they had all gone on to patch this flaw. While the VPN provider was not mentioned, it’s to be assumed that the same is the case.
In an effort to avoid flaws like these in future, the researchers have released a free automated testing tool called Spinner. This allows for more thorough testing of mobile apps and specifically of their hostname verification methods.
Let’s hope that this helps app developers step up their game and avoid flaws like this in future.