PaulDotCom mailing list archives
Re: how secure is iOS mobile banking (compared with web browser on Desktop)
From: Todd Haverkos <infosec () haverkos com>
Date: Mon, 19 Dec 2011 14:14:47 -0600
Alex Kornilov <alex.kornilov3 () mail ru> writes:
Hi

Most banks offer iPhone apps for online banking. Is that secure? Should I stay with Desktop version? Are there drawbacks in security compared to Desktop?

Alex

It's an interesting question and probably one ripe for debate.

It depends: how sure are you that your desktop isn't compromised? Have you kept up to date with third party browser plugins? If you visit http://www.mozilla.org/en-US/plugincheck/ today, are you staring at anything red? If so, there's lots to fear on the desktop with the wide prevalence of banking credential stealing malware such as Zeus bot, and you may actually be safer with an iPhone banking app.

If you're "very sure" about the security of your desktop OS (which means you painstakingly monitor every release of every web browser plugin you run, run a web proxy or web filtering software, updated AV and stay on top of all desktop OS updates religiously, and you don't have an itchy clicking finger to websites asking you to run signed java applets, and better still you have a separate machine dedicated just to banking on which you do NO surfing, tweeting, IMing or the like) then generally speaking, yes, I wager most would argue that sticking with a Desktop version is a good general rule, mostly owing to the better maturity of the desktop OS's and that the banking application runs in what's probably a rather well vetted web browser in broad deployment. Perhaps the banking website itself as a standard web app has had more than a few third party penetration tests from testers that understand standard financial web applications pretty well.

On the mobile end--it's a very immature space and a space that's rife with some pretty awful and insecure implementations of apps, and comparatively fewer app testers who know how to thoroughly test such apps.

Another question, especially if you're an Android user, becomes "how sure are you that your phone isn't compromised." There, the dearth of quality security tools (most AV for phones is so bad that they make desktop AV look nearly useful), the prevalence of new and interesting ways to get malware onto an Android phone, the lack of formal review of Android software before it goes into Marketplace, and what can get past Apple (Charlie Miller proved this point rather well), make the simple question of "is my phone clean?" a hard one to answer.

But one might argue that there's much less confirmed malware targeting banking apps on the mobile platforms, and of that, the odds of any one being able to go after _your_ bank's mobile app format to steal money from you is likely to be slimmer than the desktop threat.

So, for now, I think the mix that more people should consider is:

a) dedicated PC (or virtual machine on a pristine host OS) for online banking,
b) surfing on another PC or virtual machine, and
c) treat the phone as a toy rather than a place to keep banking credentials.

Here are some stories from the past year that helped form these thoughts:

Desktop banking worries:
http://krebsonsecurity.com/2011/10/monster-spam-campaigns-lead-to-cyberheists/#more-11607
http://www.esecurityplanet.com/hackers/zeus-still-wants-your-wallet-.html

Android woes:
http://www.zdnet.com/blog/security/popular-free-antivirus-apps-for-android-fail-anti-malware-tests/9830
http://www.theregister.co.uk/2011/09/14/spyeye_targets_android_phones/

Researcher gets arbitrary code running app approved in App Store:
http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/