Thread by Marcus Botacin, 33 tweets
The camera-ready version of our paper on the analysis of Brazilian banks' apps is finally online at ACM (dl.acm.org/citation.cfm?i…)!
It's time to spread the word!

Alternatively, if you don't have access to ACM, you can get the archived version at secret.inf.ufpr.br/papers/marcus_…
We analyzed apps from @Bradesco @itau @Caixa @BancodoBrasil @santander_br @nubank

Before starting, a little bit of history! Brazilian banks were computerized very early, which makes our scenario present a myriad of threats. We should have learned from them.
In the desktop age, Brazilian banks deployed their own apps. What about attackers? They developed trojanized versions of these apps. Is the banking app shown in the picture the legitimate one or the malware one?
Of course, it's a banking malware collecting the user's data.
An arms race started! Banks started requiring users to install a protection plugin in their browsers (and it'd have implications for the upcoming mobile apps).
Attackers reacted! Boletos (the bill payment method identified by the barcode shown in the picture) were attacked, and malware was able to attack even offline users (and handling boletos would also have implications for the upcoming mobile apps).
In the mobile age, not much has changed and many attack opportunity windows are still open. The first thing to notice is how heterogeneous banks' apps are in the app stores. @itau has more than 30 distinct apps.
Not a good practice in a scenario historically targeted by trojanized apps. It's very easy for a user to get confused and install any app bearing the bank's logo!
The heterogeneity also happens in terms of implementation among distinct app versions. Each app (even from the same bank) presents a distinct number of libraries despite presenting almost the same features.
This might indicate that the apps have been developed in separate trees, which makes bug fixes harder!
Almost all apps include native libs. Why? Remember the early computerization and offline boletos? Banks have to digitize a lot of documents, so they include OCR libs (mostly OpenCV) in their apps. Also remember the protection plugin? The @Caixa app still has traces of it!
When including a library, take care to reduce the attack surface to the minimum required for your operation. Do you really need a MIPS version of your Android app? Any code you include (even if you don't use it) can have vulnerabilities and be abused.
One may say this isn't a security flaw. OK, but there are many things that are not a security flaw per se but can be abused (e.g., privacy leaks). Would you like your credit card request to be available to anyone without logging in? For @BancodoBrasil this is not a problem.
The notifications in BB's app are stored in a sqlite3 database without encryption. The manifest file allows backing up all the app's data. So here we are!
We disclosed this finding to @BancodoBrasil, but it seems that they do not consider this a problem, as the new app version still allows one to do the same. Notice the notification button there. Hey BB, this is not a feature!
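To make concrete what the two findings above combine into, here is an added example (my code, not the thread's and not from any bank's app): a check for the `android:allowBackup` manifest attribute, and a reconstruction of what an attacker does with an `adb backup` archive of an app whose notifications sit in a plaintext SQLite database. The package name `com.example.bank`, the table name `notifications` and the sample rows are constructed for the example; the real schema is not on the page. The archive format used (`ANDROID BACKUP` header, a compression flag, `none` for no encryption, then a zlib-deflated tar) is the documented unencrypted `adb backup` layout.

```python
"""Added example: android:allowBackup + unencrypted SQLite = readable app data.

Assumptions (illustrative only): package "com.example.bank", table
"notifications", sample rows below. Not taken from the paper or the app.
"""
import io
import os
import sqlite3
import tarfile
import tempfile
import zlib
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment with the weak setting.
MANIFEST_WEAK = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application android:allowBackup="true" android:label="Bank"/>
</manifest>"""

# The same manifest with the setting a banking app should ship.
MANIFEST_FIXED = MANIFEST_WEAK.replace(
    'android:allowBackup="true"', 'android:allowBackup="false"')

SAMPLE_ROWS = [  # constructed sample data, not real notifications
    (1, "Credit card request", "Your request #4711 was received"),
    (2, "Transfer", "Transfer of R$ 500,00 completed"),
]


def allows_backup(manifest_xml: str) -> bool:
    """True if `adb backup` may export this app's private data.
    Android treats a missing allowBackup attribute as true."""
    app = ET.fromstring(manifest_xml).find("application")
    value = app.get("{%s}allowBackup" % ANDROID_NS, "true")
    return value.lower() == "true"


def make_backup_archive(rows) -> bytes:
    """Build an unencrypted `adb backup` file (.ab) around a plaintext SQLite DB.
    Layout: "ANDROID BACKUP", version, 1 (=compressed), "none" (=no
    encryption), each on its own line, then a zlib-deflated tar stream."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notifications.db")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE notifications (id INTEGER, title TEXT, body TEXT)")
        con.executemany("INSERT INTO notifications VALUES (?, ?, ?)", rows)
        con.commit()
        con.close()
        with open(path, "rb") as db:
            db_bytes = db.read()
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        info = tarfile.TarInfo("apps/com.example.bank/db/notifications.db")
        info.size = len(db_bytes)
        tar.addfile(info, io.BytesIO(db_bytes))
    header = b"ANDROID BACKUP\n5\n1\nnone\n"
    return header + zlib.compress(tar_buf.getvalue())


def dump_notifications(ab_bytes: bytes):
    """What an attacker with USB access does with the .ab file: strip the
    header, inflate, pull the database out of the tar and query it. No key
    or password is needed because nothing was encrypted."""
    magic, version, compressed, enc, payload = ab_bytes.split(b"\n", 4)
    if magic != b"ANDROID BACKUP" or enc != b"none":
        raise ValueError("encrypted or unknown backup format")
    data = zlib.decompress(payload) if compressed == b"1" else payload
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        member = next(m for m in tar.getmembers() if m.name.endswith("notifications.db"))
        db_bytes = tar.extractfile(member).read()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dump.db")
        with open(path, "wb") as f:
            f.write(db_bytes)
        con = sqlite3.connect(path)
        rows = con.execute("SELECT id, title, body FROM notifications ORDER BY id").fetchall()
        con.close()
    return rows


if __name__ == "__main__":
    print("weak manifest allows backup:", allows_backup(MANIFEST_WEAK))
    print("fixed manifest allows backup:", allows_backup(MANIFEST_FIXED))
    for row in dump_notifications(make_backup_archive(SAMPLE_ROWS)):
        print(row)
```

Setting `android:allowBackup="false"` closes the `adb backup` route, but it does not protect the database against a rooted device or a repackaged app, which the thread covers next; sensitive rows should not be stored in the clear in the first place.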
Having access to the app's data in a scenario dominated by trojanized apps raises a warning: are banks protecting their apps from subversion, or can attackers just clone bank apps and distribute trojanized versions? Here is the result:
Although the apps' source code indicates anti-tampering mechanisms, we were able to run all apps on non-stock phones. So what? The answer is that all apps implemented the same checking routines from the same framework. BTW, they are outdated and do not detect any new rooting mechanism!
Apps also do not implement integrity checks, so one can easily inject code, modify the original app, and repack it into a new (potentially malicious) version. The problem is that attackers won't be so obvious when defacing an app.
Just to be clear, this is not only a @BancodoBrasil flaw; it happens in all apps. Showing @Caixa's example to make this clear!
Since local protection is not the apps' strong point, let's hope that their network communication is well protected. Apps should block non-encrypted traffic via HTTP, for instance. In this case, they succeeded!
However, encrypted traffic might also be intercepted if apps do not properly implement measures such as certificate pinning, as @dfaranha already demonstrated in the past.
Some apps, such as @Bradesco's, failed to pin the certificate and traffic was intercepted. The cleartext traffic transmits an encrypted version of the password. I didn't investigate it, but I warn, in advance, that implementing your own crypto/secure/password-management routines isn't a good idea.
@Caixa made a similar project decision. Notice the cipheredKey there. Ah, remember the desktop plugin? Notice the fields providing plugin (Warsaw) information even when accessing the mobile version.
The worst scenario, however, is found in @Nubank. No pinning and the password in the clear.
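The mechanism whose absence is reported above is certificate (more precisely, public-key) pinning. As an added example, not code from the thread or from any of the banks, the block below computes a pin the way Android's `network_security_config` (`<pin digest="SHA-256">`) and OkHttp's `CertificatePinner` define it: base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo (SPKI) of the server certificate. To stay self-contained it builds a minimal X.509 certificate with a tiny DER encoder, using a dummy key and a dummy signature; only the ASN.1 structure matters for extracting the SPKI, so the names `api.bank.example`, `Illustrative CA` and the key bytes are illustrative assumptions. The "MITM" certificate models an interception proxy whose certificate has the right hostname and chains to a CA the device trusts, which is exactly the situation an open Wi-Fi network that asks the user to install a certificate creates.

```python
"""Added example: computing and checking an SPKI SHA-256 pin.

The certificate is constructed here with a toy DER encoder (dummy key and
signature, illustrative names). It is not a real bank certificate.
"""
import base64
import hashlib

SEQ, SET, INT, BITSTR, NULL, OID, UTF8, UTCTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0xA0)
OID_RSA_ENCRYPTION = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")      # 1.2.840.113549.1.1.11
OID_COMMON_NAME = bytes.fromhex("550403")                 # 2.5.4.3


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, i: int = 0):
    """Return (tag, body, end_offset) for the TLV starting at buf[i]."""
    tag, first = buf[i], buf[i + 1]
    if first < 0x80:
        n, j = first, i + 2
    else:
        size = first & 0x7F
        n, j = int.from_bytes(buf[i + 2:i + 2 + size], "big"), i + 2 + size
    return tag, buf[j:j + n], j + n


def der_children(constructed: bytes):
    """List of (tag, raw_tlv) for each element inside a SEQUENCE/SET."""
    _, body, _ = read_tlv(constructed)
    out, i = [], 0
    while i < len(body):
        tag, _, end = read_tlv(body, i)
        out.append((tag, body[i:end]))
        i = end
    return out


def x509_name(cn: str) -> bytes:
    return der(SEQ, der(SET, der(SEQ, der(OID, OID_COMMON_NAME) + der(UTF8, cn.encode()))))


def spki_for(pubkey: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }"""
    alg = der(SEQ, der(OID, OID_RSA_ENCRYPTION) + der(NULL, b""))
    return der(SEQ, alg + der(BITSTR, b"\x00" + pubkey))


def make_cert(subject_cn: str, pubkey: bytes) -> bytes:
    """Minimal v3 Certificate with a dummy signature (structure only)."""
    sig_alg = der(SEQ, der(OID, OID_SHA256_RSA) + der(NULL, b""))
    tbs = der(SEQ,
              der(CTX0, der(INT, b"\x02"))        # [0] version v3
              + der(INT, b"\x01")                 # serialNumber
              + sig_alg                           # signature algorithm
              + x509_name("Illustrative CA")      # issuer
              + der(SEQ, der(UTCTIME, b"240101000000Z") + der(UTCTIME, b"341231235959Z"))
              + x509_name(subject_cn)             # subject
              + spki_for(pubkey))                 # subjectPublicKeyInfo
    return der(SEQ, tbs + sig_alg + der(BITSTR, b"\x00" + bytes(32)))


def extract_spki(cert_der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo (raw DER)."""
    tbs = der_children(cert_der)[0][1]
    fields = der_children(tbs)
    if fields[0][0] == CTX0:          # explicit version is optional
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def spki_pin(spki_der: bytes) -> str:
    """Pin string in the "sha256/<base64>" form used by OkHttp and HPKP."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pin_matches(cert_der: bytes, pinned: set) -> bool:
    """The check the app should do after the normal chain validation."""
    return spki_pin(extract_spki(cert_der)) in pinned


# Illustrative keys: the bank's real key plus a backup, and an interception
# proxy's key. The proxy cert has the correct hostname and is CA-signed in the
# MITM scenario; only the pin check tells it apart.
BANK_KEY = bytes(range(1, 33)) * 8
BACKUP_KEY = bytes(range(65, 97)) * 8
MITM_KEY = bytes(range(33, 65)) * 8
PINNED = {spki_pin(spki_for(BANK_KEY)), spki_pin(spki_for(BACKUP_KEY))}
BANK_CERT = make_cert("api.bank.example", BANK_KEY)
MITM_CERT = make_cert("api.bank.example", MITM_KEY)

if __name__ == "__main__":
    print("bank cert accepted:", pin_matches(BANK_CERT, PINNED))
    print("MITM cert accepted:", pin_matches(MITM_CERT, PINNED))
```

Two design points a practitioner would want: pin at least one backup key (as `PINNED` does) so a key rotation cannot lock users out, and pin the SPKI rather than the whole certificate so renewals with the same key keep working. Pinning is a defence on top of, not instead of, ordinary chain validation, and it only protects the connection; a password sent inside it, as in the Nubank case above, still needs the app's own care.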
Talking about other possible attack vectors: if your mobile is infected by malware, do you think the bank app should take some measures to protect you against it, or is it entirely your responsibility?
In our view, the apps should make at least a minimum effort to protect you even if your phone is compromised. What does that mean?
Apps shouldn't allow third-party apps to: take screenshots (of your account balance); record videos (of your operations); and add overlays to the app's screen to collect your login credentials. No app implemented any of these countermeasures.
Another bad project decision is to outsource banking operations to third-party apps, as done by @BancodoBrasil and @Bradesco's BIA. They provide WhatsApp-based chatbots that allow you to perform many operations from a registered phone, including transferring money.
Whereas banks could restrict UI events (screenshots and overlays) in their own apps, they completely lose control when outsourcing operations to third parties.
What if a malicious actor implemented a service that retrieves a handle to the WhatsApp screen and types commands to perform an operation on behalf of the phone user? Yeah, we did it! Even worse, UI services may run in the background, so the user might never notice that it happened.
Just to be clear, this is not WhatsApp's fault. It's just that the protection mechanisms required by WhatsApp's operation are completely different from the bank's. So, a piece of advice: DO NOT OUTSOURCE YOUR APP'S SECURITY TO A THIRD PARTY!
I notified all banks about my findings; @santander_br and @bradesco never answered me requesting a report; @BB, @Itau, and @Caixa requested the report but never answered me back.
@Nubank requested the report and answered me; although they were very kind, their answer is not convincing. Whereas they claim the opposite, I envision clear ways of making these attacks practical (e.g., an open WiFi network asking users to install the attacker's certificate).
What about the future? What about other banks? The research will continue, but I can't say much right now.