PaulDotCom mailing list archives

Re: how secure is iOS mobile banking (compared with web browser on Desktop)


From: Todd Haverkos <infosec () haverkos com>
Date: Mon, 19 Dec 2011 14:14:47 -0600

Alex Kornilov <alex.kornilov3 () mail ru> writes:

> Hi
>
> Most banks offer iPhone apps for online banking. Is that secure?
> Should I stay with Desktop version? Are there drawbacks in security
> comparing to Desktop?
>
> Alex

It's an interesting question and probably one ripe for debate.

It depends: how sure are you that your desktop isn't compromised?
Have you kept up to date with third party browser plugins?  If you
visit http://www.mozilla.org/en-US/plugincheck/ today, are you staring
at anything red?  If so, there's lots to fear on the desktop with
the wide prevalence of banking credential stealing malware such as
Zeus bot, and you may actually be safer with an iPhone banking app.

If you're "very sure" about the security of your desktop OS (which
means you painstakingly monitor every release of every web browser
plugin you run, run a web proxy or web filtering software, updated AV
and stay on top of all desktop OS updates religiously, and you don't
have an itchy clicking finger to websites asking you to run signed
java applets, and better still you have a separate machine dedicated
just to banking on which you do NO surfing, tweeting, IMing or the
like) then generally speaking, yes, I wager most would argue that
sticking with a Desktop version is a good general rule, mostly
owing to the better maturity of the desktop OSes and that the banking
application runs in what's probably a rather well vetted web browser
in broad deployment. Perhaps the banking website itself as a standard
web app has had more than a few third party penetration tests from
testers that understand standard financial web applications pretty well.

On the mobile end--it's a very immature space and a space that's rife
with some pretty awful and insecure implementations of apps, and
comparatively fewer app testers who know how to thoroughly test such
apps.  Another question, especially if you're an Android user,
becomes "how sure are you that your phone isn't compromised?"  There,
the dearth of quality security tools (most AV for phones is so bad
that they make desktop AV look nearly useful), the prevalence of new
and interesting ways to get malware onto an Android phone, the lack of
formal review of Android software before it goes into Marketplace, and
what can get past Apple (Charlie Miller proved this point rather
well), make the simple question of "is my phone clean?" a hard one to
answer.  But one might argue that there's much less confirmed malware
targeting banking apps on the mobile platforms, and of that, the odds
of any one being able to go after _your_ bank's mobile app format to
steal money from you is likely to be slimmer than the desktop threat.

So, for now, I think the mix that more people should consider is: a)
dedicated PC (or virtual machine on a pristine host OS) for online
banking, b) surfing on another PC or virtual machine, and c) treat the
phone as a toy rather than a place to keep banking credentials.

Here are some stories from the past year that helped for these
thoughts: 

          Desktop banking worries:
          http://krebsonsecurity.com/2011/10/monster-spam-campaigns-lead-to-cyberheists/#more-11607
          http://www.esecurityplanet.com/hackers/zeus-still-wants-your-wallet-.html

          Android woes: 
          http://www.zdnet.com/blog/security/popular-free-antivirus-apps-for-android-fail-anti-malware-tests/9830
          http://www.theregister.co.uk/2011/09/14/spyeye_targets_android_phones/

          Researcher gets arbitrary code running app approved in App
          Store: 
          http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/



Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

