Popular Banking Apps Found Vulnerable to Man-in-the-Middle Attacks
Security researchers at the University of Birmingham found that several banking and Virtual Private Network (VPN) apps were susceptible to man-in-the-middle (MitM) attacks through a vulnerability in the way they handle encrypted communications.
These apps have a user base in the millions. Fortunately, the vendors have rolled out patches addressing the flaw, in some cases some time ago. Users are advised to update their apps.
The security flaw was seen in Android and iOS banking apps, including those from Bank of America, Meezan Bank, Smile Bank, and HSBC, as well as the VPN app TunnelBear. The flaw lies in the processes the applications use to verify certificates. Successfully exploiting it allows attackers to spy on and modify the apps' traffic, as well as steal credentials.
The findings were part of their research paper, “”, which introduced Spinner, an automated black-box testing tool that detects improper certificate verification in applications. Researchers Chris McMahon Stone, Tom Chothia, and Flavio D. Garcia noted that while this kind of flaw is usually easy to identify, it becomes difficult to detect when the application uses certificate pinning, which conceals it.
Certificate pinning is a security mechanism in which an application's developer specifies certain trusted certificates (used to verify the identity of computers on a network) as a countermeasure against MitM attacks that use spoofed certificates. However, the report found that the affected apps had flaws in how certificate pinning was implemented and in how they verified certificates when establishing a connection.
Spinner was used to analyze 400 Android and iOS apps and found that nine were susceptible to MitM attacks. The researchers also noted, “By redirecting traffic to websites which use the relevant certificates and then analysing the (encrypted) network traffic we are able to determine whether the hostname check is correctly done, even in the presence of certificate pinning.
“Like web browsers, mobile platforms such as Android and iOS rely on a trust store containing a large number of CA root certificates. If a single CA acted maliciously or were compromised, which has happened before [...], valid certificates for any domain could be generated allowing an attacker to Man-in-the-Middle all apps trusting that CA certificate.”
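The flaw described above is the combination of pinning and a missing hostname check: a connection presenting any certificate chain that contains the pinned key is accepted, even if the leaf certificate was issued for a completely different domain by the same CA. The following is an added, self-contained model of the two verification steps (it is not code from the researchers or from any of the affected apps). Certificates are represented as small constructed dicts rather than parsed X.509 objects, and the SPKI bytes, host names and pins are all constructed sample values, so it runs offline and only illustrates the logic.

```python
"""Pinning alone versus pinning plus a hostname check (constructed, offline model)."""
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style reference-identity check of one subjectAltName entry.

    Case-insensitive. A wildcard is accepted only as the entire leftmost label,
    must not match across a dot, and must leave at least two labels to its
    right (so "*.example" is refused while "*.bank.example" is accepted).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*."):
        return False  # partial-label wildcards such as "b*nk.example" are not honoured
    suffix = pattern[2:]
    if "*" in suffix or suffix.count(".") < 1:
        return False
    head, sep, tail = hostname.partition(".")
    return bool(head) and sep == "." and tail == suffix


def chain_has_pinned_key(chain: list, pins: set) -> bool:
    """Pinning step: some certificate in the presented chain carries a pinned key."""
    return any(spki_pin(cert["spki"]) in pins for cert in chain)


def verify_pin_only(chain: list, pins: set) -> bool:
    """The flawed pattern: the pin check is done, the hostname check is skipped."""
    return chain_has_pinned_key(chain, pins)


def verify_pin_and_hostname(chain: list, pins: set, expected_host: str) -> bool:
    """Correct pattern: pin check AND the leaf's subjectAltName must match the intended host."""
    if not chain_has_pinned_key(chain, pins):
        return False
    leaf = chain[0]
    return any(hostname_matches(name, expected_host) for name in leaf["san"])


# Constructed sample data; the byte strings stand in for DER-encoded public keys.
CA_SPKI = b"constructed-spki-of-the-pinned-ca"
OTHER_CA_SPKI = b"constructed-spki-of-an-unrelated-ca"
CA_CERT = {"spki": CA_SPKI, "san": []}
OTHER_CA_CERT = {"spki": OTHER_CA_SPKI, "san": []}
APP_PINS = {spki_pin(CA_SPKI)}  # the app pins its CA's key, as in the paper's scenario

# The bank's own certificate, issued by the pinned CA.
BANK_CHAIN = [{"spki": b"constructed-spki-bank-leaf",
               "san": ["www.bank.example", "bank.example"]}, CA_CERT]
# A valid certificate for some unrelated site, issued by the same pinned CA.
OTHER_SITE_CHAIN = [{"spki": b"constructed-spki-other-site-leaf",
                     "san": ["other-site.example"]}, CA_CERT]
# A certificate for the bank's hostname but from a CA the app does not pin.
UNPINNED_CHAIN = [{"spki": b"constructed-spki-forged-leaf",
                   "san": ["www.bank.example"]}, OTHER_CA_CERT]


def evaluate(expected_host: str = "www.bank.example") -> dict:
    """Run both checks over the three constructed chains; returns {label: (pin_only, pin_and_host)}."""
    chains = {"bank's own cert": BANK_CHAIN,
              "other site, same CA": OTHER_SITE_CHAIN,
              "bank's name, other CA": UNPINNED_CHAIN}
    return {label: (verify_pin_only(chain, APP_PINS),
                    verify_pin_and_hostname(chain, APP_PINS, expected_host))
            for label, chain in chains.items()}


if __name__ == "__main__":
    for label, (pin_only, pin_and_host) in evaluate().items():
        print(f"{label:24} pin-only={pin_only!s:5} pin+hostname={pin_and_host}")
```

The middle row is the one Spinner's methodology is built around: a chain that the pin check accepts but the hostname check must refuse. If an app's traffic still flows when it is redirected to a site whose certificate comes from the pinned CA but names a different host, the hostname check is absent.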
Cybercriminals see the mobile user base as a goldmine, as evidenced by the increasing prevalence of mobile threats. Users can mitigate them with good security habits, such as keeping the operating system and apps updated and strengthening their credentials. Businesses, especially those that run Bring Your Own Device (BYOD) programs, should balance the need for flexibility against the importance of security. Original equipment and design manufacturers, among others, are in a good position to underscore security by design and go beyond functionality.
Trend Micro Solutions
Users can also benefit from mobile security solutions such as Trend Micro Mobile Security for Android and (also available on and ), which blocks malware, phishing attacks, exploits, and malicious URLs. Its multilayered security capabilities include securing the device's data and privacy and safeguarding users from ransomware, fraudulent websites, and identity theft.
For organizations, Trend Micro Mobile Security for Enterprise provides device, compliance, and application management, data protection, and configuration provisioning. It also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites.
Trend Micro's Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.