Jailbreak Simplicity Threatens Mobile Banking
[Editor’s Note: The following is a guest blog by John Britton, an engineer at Good Technology and formerly at mFoundry. The following is John’s personal commentary and does not represent the opinion of any organization or individual.]
Last week the U.S. Federal government blessed mobile phone jailbreaking as legal — that is, unlocking a phone without carrier and/or manufacturer approval. Everyone who has ever jailbroken their iPhone said “Thank you.”
Earlier this week the Unofficial iPhone Dev Team, the de facto iPhone jailbreak providers, released a new method for jailbreaking iPhones. The simplicity of this latest jailbreak set off proverbial alarms across the mobile security and risk management community.
Previous jailbreak methods were cumbersome and idiosyncratic. Users wanting to jailbreak their phone would have to download a file, jump through some hoops, and 30-40 minutes later their phone would be free. Unfortunately, after the jailbreak all of their applications were gone and they would have to reinstall everything from scratch. Each upgrade required repeating the entire painful process.
The old process worked by bypassing Apple’s signing process. It was not something my mom would have ever attempted to try on her own.
The new jailbreak method exploits a vulnerability in Safari and is super simple. You can now jailbreak your phone by simply connecting to a website and swiping your finger. (If you want to see it, the site is: http://www.jailbreakme.com)
The whole process takes about 3 minutes and leaves all of your applications in place. It is a no-fuss, no-muss approach and something my mom could do to be one of the cool kids.
To the credit of the jailbreak team, they also included a patch to warn jailbreakers who encounter this exploit in the future.
Apple has so far released only a rather vague statement about the approach:
“We’re aware of this reported issue, we have already developed a fix and it will be available to customers in an upcoming software update.”
The exploit is huge. It is only a matter of time before someone with sinister motives decides to exploit the issue for their own gain. These bad guys could simply trick iPhone users into navigating to their site, or attach a file to an email that, once opened, quietly jailbreaks their phone.
Once the process is complete the phone would look and feel as if nothing had happened at all. Except now, maybe the iPhone secretly has key logger software installed that steals usernames and passwords from mobile banking. Or maybe the hacker can hijack a browser session to send it where they want it to go and not where users expect to go. Usernames, passwords, and financial information including balances and names of banks can all be siphoned off to someone who wants to take money. The bad guy could even look at your anti-phishing site keys.
I hate to state the obvious but this is really, really bad.
Banks and software vendors can do little in their applications to prevent these types of attacks, yet they are left to foot the bill for them. The bad guy would look and act just like the authentic user.
This problem isn’t limited to native iPhone applications. It also affects browser-based banking on the iPhone. The really advanced bad guy will also find ways to manipulate some of the more advanced SMS-based banking.
I have now stopped mobile banking from my iPhone.
Bankers and consumers need to let Apple know that mobile banking and mobile payments need secure platforms. Apple wants to take advantage of mobile payments on their devices. They want to provide the next generation tools for all of us. Apple needs to provide strong protection for the sensitive data passing through iPhones around the world.
Without Apple-provided protection, the only recourse would be to remove their iPhone apps from the App Store and demand that Apple use the kill switch to remotely remove mobile bank apps from end user iPhones. Banks would also need to block all iPhone-based browser traffic.
Of course, this is impossible. Mobile banking has already gone mainstream. Mobile commerce has as well. Furthermore iPhones are used by key executives with sensitive information throughout the world’s businesses.
The only true fix to this problem must come from Apple. They need to patch the vulnerability quickly. Apple needs to work with the banks and the security industry to vigilantly protect and continue to grow the opportunities that are in front of us all.
David Eads mentioned previously on this blog that code reviews for mobile applications should be standard fare. Financial institutions must be vigilant in teaching their customers and members about staying current with software updates. A couple of steps you can take to protect yourself and your customers: encourage your customers to upgrade to the latest iPhone OS when Apple releases it, and modify your terms of service so that fraud protection is only valid if their mobile banking devices run the latest version of the vendor’s operating system and are used in accordance with the hardware and carrier provisions.
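One way to act on the upgrade advice above for browser-based banking, as an added example that is not part of the original post: a server-side gate that reads the iOS version Mobile Safari reports in its User-Agent and serves an update notice instead of the login page to phones below an assumed minimum. The threshold, the sample user-agent strings and the function names are constructed for this example; the User-Agent is client-supplied, so this enforces the upgrade nudge and the terms-of-service condition rather than acting as a security boundary.

```python
import re

# Constructed placeholder: set this to the release in which Apple ships
# the Safari fix. The post itself names no version number.
MIN_SUPPORTED_IOS = (4, 0, 0)

# Mobile Safari reports "CPU iPhone OS 3_1_3" (iPhone/iPod touch) or
# "CPU OS 3_2" (iPad) inside the parenthesised platform token.
_IOS_UA = re.compile(r"\((?:iPhone|iPod|iPad);[^)]*?OS (\d+)_(\d+)(?:_(\d+))?")

# Sample user-agents, constructed in the 2010 Mobile Safari format.
UA_IPHONE_OLD = ("Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) "
                 "AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16")
UA_IPAD_OLD = ("Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) "
               "AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10")
UA_DESKTOP = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0 Safari/534.3"


def ios_version(user_agent):
    """Return the reported iOS version as (major, minor, patch), or None if
    the User-Agent is not Mobile Safari on an iOS device."""
    m = _IOS_UA.search(user_agent)
    if not m:
        return None
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def banking_policy(user_agent, minimum=MIN_SUPPORTED_IOS):
    """Decide how the web-banking front end treats this client.

    'allow'   - not an iOS device, or iOS at or above the minimum
    'upgrade' - iOS below the minimum: show the update notice, not the login
    Because the User-Agent is trivially spoofed, treat 'allow' as a policy
    outcome, never as proof the device is patched.
    """
    version = ios_version(user_agent)
    if version is None or version >= minimum:
        return "allow"
    return "upgrade"
```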
Send David questions about this and I will be back next week to answer your questions on mobile security.
Written from my newly jailbroken iPhone 3GS with mobile banking applications uninstalled.