Software Talks is a recurring event organized by PGS Software, consisting of tech talks, beer, pizza and a lot of fun. Some time ago I wrote about the two September editions in Wrocław and Gdańsk, in which I took part as a speaker. On December 8th there was another event, this time in Rzeszów, a city located in south-eastern Poland. I was a speaker for the third time in a row, but for the first time with my colleague Tomasz Zieliński, who recently made a lot of noise in the Polish banking environment by preparing a report that exposed several critical security issues and other major problems in banks’ mobile banking applications. If you read my article about working for different types of companies, you might have noticed that I’m not a big fan of banks’ approach to software development, so I’m going to elaborate on Tomasz’s findings without mercy.
Last time at Software Talks I spoke alongside Piotr Konieczny, a Polish security expert. This time the idea was to focus more on Java / software development topics, so I was on a mission to find a second Java speaker. I found one, but at the last moment some issues appeared and he couldn’t make it, so his place was taken by Tomasz, who is actually our Android expert.
It was kind of a busy week for me, as I had spent three days in Berlin with our client, arrived in Wrocław on Wednesday evening, and an hour later was in a car with Tomasz and Monika, head of our HR, on the way to Rzeszów. We were there four hours later and decided to grab one beer for a good night’s sleep. Damn, it was cold out there! The next day we arrived at our Rzeszów office, and in the afternoon headed to the Software Talks venue to help get things ready.
It was held in a lovely pub, Estrada Caffe, located under the city square and doubling as the entrance to an underground sightseeing route. Roughly 150 people began to gather around 5pm. After a short battle with microphone feedback and the projector, I repeated my September talk about principles of object-oriented programming and software development in general, based on five articles from this blog.
As usual, there was beer and pizza, and lots of networking in the break; after that, Tomasz started his talk about the security problems he found in Polish banks’ mobile applications. There were plenty, so grab some popcorn and read on.
State of security of mobile banking applications in Poland
The talk was based on his report, published in November on the PGS tech blog. Tomasz found a plethora of problems, including:
BZ WBK has a personal data leak. The credit card request form is actually an embedded website; it writes the URL and access token to logs, which can be used to hijack the session through a race condition. The session is valid for at least half an hour, and the bank website doesn’t care if it is continued from a different network or device than the original one.
The ING app writes an SSO token to logs. The implicit intent mechanism is not secured, so you can easily produce an app like “Chrome for ING” and present it to the user as the suggested program for opening an ING domain request. Then you hijack the session and do whatever you want.
The PEKAO app dumps the entire network communication to logs, including masked passwords in plain text. It also does not block communication that uses a forged certificate.
The Idea Bank app fetches all personal data from the back-end, including internal items like “credit risk level” (good to know, thank you), and does not block forged certificates. If someone eavesdrops on this, they can easily obtain all the data required to reset your password, and much more. The app also contains a text file with test account logins and passwords that actually work in the production environment.
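Several of the findings above boil down to one defect: secrets written to the device log. As an added example (not code from the report, the banks or the original post), here is a small check a defender or QA engineer can run over `adb logcat -v threadtime` output from a test device to catch that class of leak before release; the log lines, tag names, parameter names and token values are constructed for illustration.

```python
"""Scan Android logcat output for secrets a banking app should never log.

Constructed sample lines below imitate the leaks the report describes
(an embedded web view logging a URL with an access token, an SSO token
in a JSON body, a dumped HTTP exchange); they are not real bank traffic.
"""
import re

# logcat -v threadtime: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG : message"
LOGCAT_RE = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s+\d+\s+\d+\s+[VDIWEF]\s+(?P<tag>[^:]+?)\s*:\s(?P<msg>.*)$"
)

# Each detector: (kind, regex with a 'value' group). The parameter and key names are assumed.
DETECTORS = [
    ("url_token", re.compile(r"https?://\S*?[?&](?:access_token|token|sso_token|sessionid)=(?P<value>[^&\s]+)", re.I)),
    ("auth_header", re.compile(r"Authorization:\s*(?:Bearer|Basic)\s+(?P<value>\S+)", re.I)),
    ("json_secret", re.compile(r'"(?:password|pin|token|ssoToken)"\s*:\s*"(?P<value>[^"]*)"', re.I)),
]

def redact(value):
    """Keep only the first 4 characters so a finding can be reported without re-leaking it."""
    return value[:4] + "..." if len(value) > 4 else "..."

def scan_logcat(lines):
    """Return a list of (tag, kind, redacted_value) for every message that leaks a secret."""
    findings = []
    for line in lines:
        m = LOGCAT_RE.match(line)
        if not m:
            continue  # not a threadtime-format line (e.g. '--------- beginning of main')
        tag, msg = m.group("tag"), m.group("msg")
        for kind, rx in DETECTORS:
            for hit in rx.finditer(msg):
                findings.append((tag, kind, redact(hit.group("value"))))
    return findings

# Constructed sample log; the last line is benign and must not be flagged.
SAMPLE = [
    "12-08 17:05:01.123  4242  4242 D CardForm : loading https://bank.example/card?access_token=ZXhhbXBsZQ&lang=pl",
    "12-08 17:05:02.456  4242  4260 I SsoClient : got {\"ssoToken\":\"s3cr3t-token\",\"ttl\":1800}",
    "12-08 17:05:03.789  4242  4260 V OkHttp   : Authorization: Bearer eyJhbGciOi.payload.sig",
    "12-08 17:05:04.000  4242  4242 I BankApp  : balance view rendered",
]

if __name__ == "__main__":
    for tag, kind, value in scan_logcat(SAMPLE):
        print(f"{tag:10} {kind:12} {value}")
```

Feed it real output with `adb logcat -v threadtime -d | python3 scan_logcat.py`-style piping (replacing `SAMPLE` with `sys.stdin`) as part of a pre-release test on a device that has exercised login, card requests and a full session.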
Those were the most spectacular vulnerabilities, but there were many more. Most banks do not protect static resources with HTTPS, so you can eavesdrop on packets in your network and swap images or other things.
Some banks don’t care much about their app’s URL in the Play Store, which may confuse users and makes introducing fake malicious applications much easier. For example, you can learn that the BGŻ BNP Paribas app is accessible under a name starting with com.comarch. Does that ring a bell?
Most apps do not block screenshots while keys are being pressed during login. If you have a phone from a series that shipped with the SystemAgent diagnostic package left in by mistake, any malicious application can use it to take unauthorized screenshots and get your bank account password.
Many banks leave debug code that can be used to access features you are not supposed to use as a customer. Other leftovers include test data; for example, we can learn that Smart Bank (renamed to Nest Bank) test account names include James Bond and Putin. The Credit Agricole app stores Jenkins logs, if you are curious about their infrastructure. We can inspect what a Chinese cash transfer document looks like in the Citi bank app, which must be extremely useful for Polish customers.
Yet another issue is sending data to third parties without proper authorization. For example, the ING app obediently informs Facebook whenever a user starts a banking session. mBank, Idea and Smart send personal data to Crashlytics, which is hosted by Twitter on American soil, without explicit notice of this fact. Even the legal status of this is shady, as the report suggests.
And that’s still not all of it.
Finally, after all these revelations, there was an afterparty in the Kuźnia pub to calm down and enjoy more local beer.
Are we doomed?
Not really. But the key takeaway is that if you are planning to save on software quality and professionalism, you should be prepared to pay it back with interest in other areas, for example in damage to your reputation. This is especially true if you are an organization of public trust that keeps the money of millions of people. Everyone makes mistakes, but seriously, this level of sloppiness is embarrassing. The banks were informed a month prior to the report’s publication, and some of them didn’t even respond within THREE weeks, let alone fix the issues before they were exposed. Kudos to Tomasz and all the people involved in this endeavor for their courage and for doing a great job, and to PGS Software for having the guts to stand behind them, despite being a software house that might want to do business with the institutions mentioned in the report. Ladies and gentlemen: Respect.
I think everyone who lives in Poland and uses mobile banking should see this report, so please share, repost, retweet and spread it as far as you can. It’s in everyone’s best interest that people know what is going on, and that banks get a clear message that such a situation is unacceptable. Perhaps more resources should be devoted to decent software development, quality assurance and security audits, and less to executive cash bonuses?
Photos from the Rzeszów Software Talks are available here. The next instance will probably take place somewhere around March 2017; I would be delighted to see you there in person. Stay tuned!