A recent client-side-only test of mobile banking applications running on the iOS platform uncovered the following vulnerabilities, among others:
- 12.5% of the audited apps did not validate the authenticity of the SSL certificates presented by the server, which makes them susceptible to Man-in-the-Middle (MiTM) attacks.
- 35% of the apps contained non-SSL (plain HTTP) links throughout the application. This allows an attacker on the network path to intercept the traffic and inject arbitrary JavaScript/HTML code, for example to create fake login prompts or similar scams.
- 30% of the apps did not validate incoming data and were vulnerable to JavaScript injection through insecure UIWebView implementations, enabling client-side attacks.
- 42.5% of the apps provided alternative authentication solutions to mitigate the risk of leaked user credentials and impersonation attacks.
- Additionally, the study showed that 40% of the apps still leak information about user activity or client-server interactions, such as requests sent to or responses received from the server, through the device logs.
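The three findings that are directly about client code (certificate validation, UIWebView injection and log leakage) are easier to recognise in an audit with the insecure and hardened patterns side by side. The following Objective-C is an added example written for this page, not code from the study or from any of the audited apps; it uses the NSURLConnection and UIWebView APIs of the iOS versions the study targeted. The class name BankSession, the bundled certificate file bank.der and the greeting screen are assumptions made for illustration.

```objc
// Added illustration, not from the study. Assumed names: BankSession, bank.der.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <UIKit/UIKit.h>

@interface BankSession : NSObject <NSURLConnectionDataDelegate>
@property (nonatomic, strong) NSMutableData *body;
@end

@implementation BankSession

// Finding 1 (no certificate validation): the insecure pattern hands the
// server trust object straight back as a credential without evaluating it,
// so a MiTM proxy's self-signed certificate is accepted. Shown for contrast only.
- (void)insecureTrustHandlingFor:(NSURLAuthenticationChallenge *)challenge {
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    [challenge.sender useCredential:[NSURLCredential credentialForTrust:trust]
         forAuthenticationChallenge:challenge];
}

// Hardened version: let the system evaluate chain and hostname, then pin the
// leaf certificate against a DER copy shipped in the app bundle (assumed: bank.der).
- (BOOL)serverTrustIsValid:(SecTrustRef)trust {
    SecTrustResultType result = kSecTrustResultInvalid;
    if (SecTrustEvaluate(trust, &result) != errSecSuccess) return NO;
    if (result != kSecTrustResultUnspecified && result != kSecTrustResultProceed) return NO;

    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    if (leaf == NULL) return NO;
    NSData *presented = (__bridge_transfer NSData *)SecCertificateCopyData(leaf);
    NSString *path = [[NSBundle mainBundle] pathForResource:@"bank" ofType:@"der"];
    NSData *pinned = [NSData dataWithContentsOfFile:path];
    return pinned != nil && [presented isEqualToData:pinned];
}

- (void)connection:(NSURLConnection *)connection
willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        [challenge.sender performDefaultHandlingForAuthenticationChallenge:challenge];
        return;
    }
    if ([self serverTrustIsValid:space.serverTrust]) {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust:space.serverTrust]
             forAuthenticationChallenge:challenge];
    } else {
        // Fail closed: the connection is dropped before any request body is sent.
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
}

- (void)connection:(NSURLConnection *)connection didReceiveData:(NSData *)data {
    if (!self.body) self.body = [NSMutableData data];
    [self.body appendData:data];
    // Finding 5 (log leakage): never NSLog the request or response here.
    // NSLog writes to the device syslog, readable by anyone with the device attached.
}

- (void)connection:(NSURLConnection *)connection didFailWithError:(NSError *)error {
    // Log only the error domain and code, not the URL (query string) or body.
    NSLog(@"request failed: %@ (%ld)", error.domain, (long)error.code);
}

@end

// Finding 3 (UIWebView injection): server-supplied text must be HTML-escaped
// before it is concatenated into markup, otherwise a <script> tag in, say, an
// account nickname executes inside the app's web view.
static NSString *HTMLEscape(NSString *s) {
    NSMutableString *out = [NSMutableString stringWithString:s];
    NSRange all = NSMakeRange(0, out.length);
    [out replaceOccurrencesOfString:@"&" withString:@"&amp;" options:0 range:all];
    all = NSMakeRange(0, out.length);
    [out replaceOccurrencesOfString:@"<" withString:@"&lt;" options:0 range:all];
    all = NSMakeRange(0, out.length);
    [out replaceOccurrencesOfString:@">" withString:@"&gt;" options:0 range:all];
    all = NSMakeRange(0, out.length);
    [out replaceOccurrencesOfString:@"\"" withString:@"&quot;" options:0 range:all];
    all = NSMakeRange(0, out.length);
    [out replaceOccurrencesOfString:@"'" withString:@"&#39;" options:0 range:all];
    return out;
}

static void ShowGreeting(UIWebView *webView, NSString *untrustedName) {
    // Vulnerable form: [webView loadHTMLString:[NSString stringWithFormat:@"<p>Hi %@</p>", untrustedName] baseURL:nil];
    NSString *html = [NSString stringWithFormat:@"<p>Hi %@</p>", HTMLEscape(untrustedName)];
    // A nil baseURL (rather than a file:// URL) denies any injected script a file:// origin.
    [webView loadHTMLString:html baseURL:nil];
}
```

During a client-side review the insecure patterns are easy to grep for: a `useCredential:` call in a server-trust challenge handler with no preceding `SecTrustEvaluate`, a `loadHTMLString:` or `stringByEvaluatingJavaScriptFromString:` fed by `stringWithFormat:` with network data, and `NSLog` calls whose arguments include request or response objects.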