"Flashlight" wants to use: Location, Local Storage, External Storage, Address Book, Phone, SMS, WiFi status, one of your kidneys, your social security number, your bank account.
@quantumbracket6995 5 years ago
"Karen" wants to: take the kids
@LiEnby 5 years ago
Doesn't even use the camera, so it can't even touch the flashlight XD
I totally agree. Mobile apps themselves are not really a target in the old sense of netsec. The only way (other than intent and other best practice violations) is a sandbox escape which is a game over anyways. I can really only speak for iOS but the OS makes it super easy to be secure, even forcing you to be with things like App Transport Security. On iOS if you want your file to be only decrypted when the device is unlocked and the app is running you just need a simple flag. With things like ASLR and PIE by default RCE tbh is out of the question so really if we can trust the sandbox we can trust the app no matter what.
@kropmad 7 years ago
Hey buddy, great video. I have to say that I totally agree with you, especially on certificate pinning. Don't get me wrong, I think every app should implement it if they can, but it's just a point to improve, not a vulnerability. And the reason is simple: every time I have to do a penetration test with an app that implements it, it's a pain in the a** just to make the traffic go through my proxy; usually I have to spend a lot of time doing reverse engineering and patching the app just to start doing the job. Of course a black hat building bank malware will have to do the same thing, and if I was able to do it, why wouldn't they? That's why I think certificate pinning is a "nice feature", but the lack of it is certainly not a vulnerability at all.
@hblaub 6 years ago
Yeah fear sells. Please keep doing your videos. Really great and informative stuff. I personally don't do reverse engineering or pen testing for a living, but I'm interested in it as a hobby.
@roguesecurity 7 years ago
This has become common in today's world. Any new research related to a vulnerability is exaggerated to such an extent that it grabs media headlines, which in turn creates chaos in the public about security stuff. The media does not understand the vulnerabilities properly and just portrays them as the biggest security threat of the current time. This is exactly FUD.
@cryptodavidw 7 years ago
Hey! Very nice video. I agree with everything you said, except maybe the "this is how SSL is supposed to work". There is nothing that tells you that TLS needs to use a "trust store" to validate certificates. Yes, this is how HTTPS works on the internet, but this is definitely not how a banking app should secure its server connection. See things like that: the banking app is not trying to reach websites on the internet, it is just trying to communicate with a server, probably not even via the HTTP protocol (maybe an RPC connection?). What can it do to secure data? Well, it can use many protocols. If it does decide to use TLS, it needs to make sure that the server is indeed the server, and the first way to do that is certificate pinning or a trust store inside of the app. Using the OS' trust store for that is dumb, just because it was not designed at all for this purpose but for browsing the internet! Now is this a huge vulnerability issue? Of course not, you still need to manually install a cert on your mobile phone. Is this an issue? Of course yes, the app should not use an external trust store to validate its own server, especially if these are banking servers.
@cryptodavidw 7 years ago
To add to this, think about it with threat models. Why would you include the internet PKI in your app's threat model? Sure, it's working smoothly for browsing; sure, if you can break the app then you would break the internet; but it is still not a good reason to include this threat model in your app by using the phone's OS trust store.
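The point made in the comments above, that a banking app should trust only its own server's key rather than the whole device trust store, is what SPKI pinning implements. The following is an added example, not code from the video, the paper or any commenter: it computes a pin the way HPKP and OkHttp's CertificatePinner do (SHA-256 over the DER-encoded SubjectPublicKeyInfo, base64, prefixed with "sha256/"), walks a certificate with a minimal DER reader to find that field, and checks a leaf against the app's pin set. The certificates are constructed stand-ins built by a hypothetical `build_cert` helper: `bank.example`, the key bytes and the signature field are all invented for illustration (only the OID values are real), and in a real app the leaf comes from the TLS handshake and the pin check runs in addition to, not instead of, normal chain validation.

```python
import base64
import hashlib

# ---- minimal DER (X.690) helpers: enough to build the constructed sample and to walk it ----

def der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position just after this element) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low bits = number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


# ---- the pinning logic (this is the part an app would ship) ----

def extract_spki(cert_der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate and return the SubjectPublicKeyInfo TLV (RFC 5280 field order)."""
    _, cert_body, _ = read_tlv(cert_der, 0)             # Certificate ::= SEQUENCE { tbsCertificate, alg, sig }
    _, tbs, _ = read_tlv(cert_body, 0)                  # tbsCertificate ::= SEQUENCE { ... }
    tag, _, pos = read_tlv(tbs, 0)                      # version [0] EXPLICIT is optional (absent in v1)
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)                  # serialNumber
    for _ in range(4):                                  # signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)                      # subjectPublicKeyInfo
    return tbs[pos:end]                                 # whole TLV: the pin covers algorithm + key


def spki_pin(cert_der: bytes) -> str:
    """Pin in the HPKP / OkHttp CertificatePinner format: "sha256/" + base64(SHA-256(DER SPKI))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def pin_matches(leaf_der: bytes, pinned: set) -> bool:
    """Run after normal chain validation: the leaf must carry one of the app's pinned keys."""
    return spki_pin(leaf_der) in pinned


# ---- constructed sample certificates: RFC 5280-shaped, but dummy keys and an unsigned signature field ----

OID_RSA = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1  rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName


def build_cert(common_name: str, serial: int, public_key: bytes, v3: bool = True) -> bytes:
    """Hypothetical helper for this example only; real leaf certs come from the TLS handshake."""
    alg = seq(tlv(0x06, OID_SHA256_RSA), tlv(0x05, b""))
    name = seq(tlv(0x31, seq(tlv(0x06, OID_CN), tlv(0x0C, common_name.encode()))))
    validity = seq(tlv(0x17, b"200101000000Z"), tlv(0x17, b"300101000000Z"))
    spki = seq(seq(tlv(0x06, OID_RSA), tlv(0x05, b"")), tlv(0x03, b"\x00" + public_key))
    fields = [tlv(0x02, bytes([serial])), alg, name, validity, name, spki]
    if v3:
        fields.insert(0, tlv(0xA0, tlv(0x02, b"\x02")))   # version v3 = INTEGER 2, [0] EXPLICIT
    return seq(seq(*fields), alg, tlv(0x03, b"\x00" + b"\xaa" * 8))   # signatureValue is a dummy


BANK_KEY = b"\x01" * 64        # constructed stand-in for the bank's public key bytes
BACKUP_KEY = b"\x03" * 64      # constructed stand-in for a backup key kept offline for rotation
ATTACKER_KEY = b"\x02" * 64    # constructed stand-in for a key the attacker controls

bank_cert = build_cert("bank.example", 1, BANK_KEY)
renewed_bank_cert = build_cert("bank.example", 2, BANK_KEY)   # reissued cert, same key
mitm_cert = build_cert("bank.example", 3, ATTACKER_KEY)       # same name, attacker's key

# The app ships the current pin plus a backup pin, so a key rollover does not brick the app.
APP_PINS = {spki_pin(bank_cert), spki_pin(build_cert("bank.example", 9, BACKUP_KEY))}

if __name__ == "__main__":
    for label, cert in (("bank", bank_cert), ("renewed bank", renewed_bank_cert), ("mitm", mitm_cert)):
        print(f"{label:13} {spki_pin(cert)} accepted={pin_matches(cert, APP_PINS)}")
```

Two properties fall out of pinning the key rather than the certificate: a reissued certificate for the same key keeps matching (so routine renewals need no app update), while a certificate for the same name under a different key is rejected even if a CA the device trusts, including a user-installed one, signed it. The backup pin is what makes a planned key rotation survivable; an app that ships only one pin and loses that key locks itself out.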
@lightarmanov6266 6 years ago
Could I also mention that you don't need to hijack DNS to cause a phone to connect to your server? Assuming this attack is done with an installed app, couldn't that app just add a line to the hosts file?
@CptSenicar 6 years ago
One thing that's not super clear to me... in the talk the researcher says he didn't actually have to touch the client at all to MitM the SSL connection. In the paper it mentions using social engineering as a potential method to get a user to install a cert to the local trust store. But it doesn't seem clear which method was actually exploited: Did the app use the local trust store to validate the cert for the backend connection (for mobile banking this would be pretty bad)? Or did the app just blindly accept any cert it received (much much worse)? The paper implies (but doesn't seem to explicitly state) the former, while the talk implies the latter.
@LiveOverflow 6 years ago
The app was using the local CA truststore
@cryptodavidw 6 years ago
The former it is of course ;)
@Dosamer 7 years ago
Oh, I remember that talk from 33c3. That was entertaining, but your point is valid.
@ytsuge 7 years ago
Hi, I see you have drawn some conclusions from the poll you sent out for us to fill :) Good for you, I really enjoyed this video!
@samyong4148 5 years ago
I agree with your criticism of the "research". I think interesting findings alone do not make a good research - sound arguments do. And this is what's lacking in this "research" of the mobile banking apps.
@bjornleonhenry9750 5 years ago
Thanks for sharing, I agree with your point of view on this @LiveOverflow. Always interesting to watch your videos (or mostly listen to them, actually), but anyways, it's both educating and enjoyable to hear your thoughts on hacking, IT security and tech-related topics in general, so please keep uploading and stay awesome! The researcher's claims are IMHO a bit confusing and over-dramatic, may be misleading, and seemingly based on very theoretical analysis with no actual real proof of concept, but of course anything is possible on the Internets...
@adamkrasuski4743 7 years ago
A small issue: at 13:11 the circled text is misleading due to the missing word "account" that was on the next line in the article. When zooming and underlining a phrase, you should make sure it's what you mean. I mostly agree with your commentary. The biggest takeaway is that researchers exaggerate and news article writers misunderstand them, furthering the reality distortion. DNS redirection and similar attacks are not trivial to pull off and are not caused by a vulnerability in the app. Similarly for "vulnerabilities in the CA validation process". This, or the possibility of malware being installed, in general means game over already. There's also the issue of phishing, but it's a vulnerability of the user, not the app. On the other hand, while lack of countermeasures (even best-effort ones) against these cannot be classified as a vulnerability, banking and other high-stakes applications would be responsible to implement them. Yes, it's defense in depth, and yes, it's not a magic bullet, but if it improves the situation, they should do it. I don't agree with your counterarguments regarding phishing. The paper mentioned it as a means of tricking a person into installing a non-official certificate. Cryptography is understood very poorly by the vast majority of the population, so it wouldn't be a far stretch to imagine a person who, being shown some dummy error saying you need to install a certificate to view content, does so. Heck, even some of my university's websites have broken SSL, forcing me to add exceptions to the browser to even use it, and that's halfway towards the described scenario. This is in contrast to your examples: "user can be tricked to install malware", which is in my opinion much less likely even for an average person. Similarly, phishing an N26 dev to steal private keys is much harder, as they probably know what they're doing.
@bibabuzze 7 years ago
The banking app shouldn't use the CA store of the device, rather it should only trust the CA certificate of the bank.
@saurabhswaroop9999 2 years ago
That's what cert pinning is, I think!
@fasttorwa 6 years ago
Finally someone understood!
@vaisakh_km 3 years ago
Now I also 😅
@marcelc2820 7 years ago
I saw this talk recently and I was thoroughly rustled; glad I'm not alone. He sounds like every LeetHax0r I have the displeasure of studying with. Constant inaccuracies and wild exaggerations. Oh, and the ugly German accents. ;)
@itfitness5791 4 years ago
This dude from the N26 talk is ridiculous. What if the attacker reverse engineers the app, removes certificate pinning and rebuilds the app; is that still a vulnerability because he didn't also use obfuscation to prevent that? Is every app without obfuscation a security vulnerability now? He obviously does not get what vulnerability means.
@iWhacko 4 years ago
Yeah, he's basically saying: "Look, if you disable every security measure this app has, you can do ANYTHING!!" :)
@abc321meins 6 years ago
Am I the only one around here who HATES certificate pinning? Of course it makes it harder for the attacker to do a MITM, but it also makes it impossible for me as a user to see what data is exchanged between the app and my bank. And IMHO the user should always be able to check which data is transferred. I simply don't trust the closed-source and obfuscated banking app at all. A simple popup in the app like "The certificate has changed! Your connection is not secure! Please type 'OK' to continue." would be a much better solution.
@emilhozan71 5 years ago
Hey! I'd love to hear more about this, do you have some additional information about how you went about "snooping" in on this traffic?
@____-pb1lg 4 years ago
@@emilhozan71 +1
@frankschneider6156 7 years ago
I tend to agree with most of what you say, but not everything (I'm referring to mobile security in general, not the N26 stuff). One major difference between websites and apps is the degree of sandboxing. In a browser the code is at least in principle generally sandboxed from resources (especially from storage devices). On a smartphone the user is tasked with setting the degree of the sandboxing and which APIs the app is shielded from or not. This introduces a human element into the security, and obviously that's the weakest link in the chain that can be and is being exploited, as people are primarily concerned with "stuff should run", not "stuff should be secure". People trust the application, as being generally trusting has been an evolutionarily beneficial key trait of humans as social animals (at least within the social group). This is of course not an app problem, but an overall issue. Combine this with a non-functioning update system (which is the price one has got to pay for an open system) and the number of rooted phones and voila, you have a pretty insecure environment. Especially in a time where people don't just want to break stuff for fun anymore, but primarily want access to data (the more confidential the better) without raising suspicion, for nefarious purposes. So yes, I do think that the mobile environment rightly deserves its image as being "insecure", so this claim is certainly no FUD (although sensationalist articles certainly are). This also doesn't mean I'd declare classical, non-mobile environments "secure". Obviously they are not. One final note: yes, not using certificate pinning for transaction-based applications IS an issue, as it adds security by providing an additional obstacle for an attacker. Yes, of course this can be overcome, but every additional layer helps (defense in depth yadda yadda) and this adds up. Thus using it is good practice; not doing so is not.
@iWhacko 4 years ago
"Combine this with a non-functioning update/system (which is the price one has got to pay for an open system) and the number of rooted phones and voila, you have a pretty insecure environment. Especially in a time, where people don't just want to break stuff for fun anymore, but primarily want access to data (the more confidential the better) without raising suspicion for nefarious purposes. So yes, I do think that the mobile environment rightly deserves its image as being "insecure", so this claim is certainly no FUD" But But, HOW can you blame the app for running on an insecure device? Sure you can implement certificate pinning to make sure the connection is secure. But if the device is compromised, they can disable all that. And the app can refuse to run on a rooted device, but hey that can be patched. So basically saying: "Hey if you disable all security features, then this app is useless and you can do everything". Which is why most of the arguments are bad.
@seraphina985 3 years ago
@@iWhacko Hell, it doesn't even need to be patched in many cases. The simple fact is that some people have a genuine use for root on their devices, and apps that blindly assume that is a problem cause them issues. The inevitable result is that modern root apps often must include features to selectively hide themselves from apps that do this.
@mohdamrirazlan7879 6 years ago
Totally agree with you.
@zglozman 3 years ago
Excellent and 💯 correct
@RandomNullpointer 5 years ago
I agree with this discussion, and the unnecessary FUD. However, one thing still troubles me: what is the possibility of a bad app screen-capturing sensitive data?
@draracel 7 years ago
Disclaimer: I’m that guy who gave the talk at 33c3. The N26 talk presented a thorough evaluation of the N26 security system and we think that it was valid to describe it as pretty insecure, particularly when compared to established (German) banks. You might rate it as an exaggeration to call those vulnerabilities severe, but I don’t think we have been deceptive here. Furthermore, it is important to us that we also regard the missing certificate pinning as the least significant security issue. The talk’s organization also reflects this, as the part about certificate pinning is at the beginning of the talk and only lasts for 2.5 minutes. The rest of the presentation was about a bunch of other security issues that were, again in our opinion, far worse and deserved to be described as ‘severe’. Most importantly, we never claimed that the missing certificate pinning could be abused to completely take over an account. This, however, is what this video constantly suggests.
@LiveOverflow 7 years ago
Hey! Thank you very much for commenting! I do agree that the paper does contain good points which I mentioned a few times in the video. For example the unpairing link leak is beautiful. But which were the far worse issues you refer to that didn't rely on some kind of MITM (or other attacks like phishing, password reuse, ...)? I was mainly focusing the video on the big claims of full account takeover and transaction manipulation - which both require MITM (MasterCard ID from transactions and/or access token) according to your paper.
@draracel 7 years ago
The transaction manipulation attack was realized using a MitM attack, that’s correct. The account takeover required two steps: 1) the login credentials, and 2) the paired phone. For the purpose of 1, of course, it is possible to intercept the login credentials using MitM but we instead motivated a spear phishing attack during the talk. This is also described in Section 4.2 in the paper. Regarding 2: It is not necessary to use MitM in any way to obtain any of the required values. Please refer to Section 3.3.4 for further details.
@LiveOverflow 7 years ago
Yeah. And I don't think phishing counts as a vulnerability of the app. It's absolutely a valid attack path you have outlined, but I disagree with it being a "severe vulnerability" of the app. My understanding was that for unpairing you need the MasterCard ID (which you can either get from MITM, physical access to the card - not a vuln from the app), or having the login credentials (which require MITM or phishing - not a vuln from the app).
@LiveOverflow 7 years ago
I think there should be a stronger distinction between "vulnerabilities" and "defense". If you can harden N26 banking apps with certificate pinning AND a 2fa that prevents attackers from using phished credentials, then that is great. And criticising or encouraging N26 to implement more of these defenses is great. However I don't want those to be mixed together with direct "vulnerabilities". (I'm still trying to wrap my mind around this and try to formulate better what I just intuitively feel)
@matejvolf5559 4 years ago
May 2020 here. I still agree!
@tobiasfellmann7692 5 years ago
This research should have first informed the bank and tried to work together. As you said, mobile apps are more easily secured than a PC. I don't have much experience, but I think there are still some big security risks in open WLANs or rogue hotspots. From there you should be able to influence DNS on most devices. Still, we have come a long way from 2008 without HTTPS, or earlier, when banking was mostly trust. You have some great videos!
@samfoxman7046 6 years ago
iOS is pretty vulnerable too; there was even an in-browser JavaScript jailbreak for iOS 9, and almost all versions from iOS 1 to 11.1.2 are jailbreakable.
@ndm13 7 years ago
So the gist of it is that many of the security issues represented as dangers to apps are actually web vulnerabilities, and that those that aren't typically assume a level of compromise where the app's security isn't the biggest worry (e.g. full MITM, root privileges, or similar invasion)? If that's where we are in terms of app security, I'm more than satisfied.
@ahsan-li7sh 7 years ago
Thank you for the great video
@UmbraAtrox_ 4 years ago
2020 still agree with your video
@berndeckenfels 4 years ago
Good summary, still your opinion? :). Btw I do agree with your analysis, however the pinning defense in depth is such an easy and common best practice that it can be called a vuln if not used (given the state of PKI).
@shinmai 4 years ago
I know this is an old video, so it's understandable, but it *is* sort of funny that a big chunk of the video is "*thing that has happened in the wild since*? How realistic is that?!"
@OussamaAmri 7 years ago
Hi, apps that use certificate pinning are independent from local CA verification, so an app with certificate pinning only verifies against the certificate built into the app. So I think this is a big issue for a banking app.
@LiveOverflow 7 years ago
What about what I said in the video about banking websites? Paypal doesn't use public key pinning on the web? Is that not a big issue?
@MTRNord 4 years ago
So I am not sure if I'll get an answer, but I still ask: what about the security of Instant Apps or PWA apps? Are they less or as secure as normal apps? As Instant Apps are easier to get users to install. PWAs obviously depend highly on bugs in Chrome on Android, as that's where those run.
@TheSharkasmCrew 6 years ago
What resources do you recommend for learning best practices when it comes to doing app audits?
@LiveOverflow 6 years ago
just do it
@typedeaf 3 years ago
Was the N26 app exploited or was a POC provided that could exploit? If not, then this was all conjecture and not really worth attention.
@trlg2975 7 years ago
Ishu
@charlesbenca5357 5 years ago
I am far in the future!
@IDCMI 7 years ago
The main point of the paper is that mobile apps are worse than proper second factors. Mobile banking apps are a step back.
@LiveOverflow 7 years ago
which is a perfectly valid point! But it doesn't warrant "completely taking over account, transparently modify transactions" and "severe vulnerabilities".
@IDCMI 7 years ago
LiveOverflow There were quite a few severe vulnerabilities presented in the talk, however I agree the lack of certificate pinning is not one of them. I would, however, argue, that certificate pinning hardens the transport security in apps against certain attacks and is easily implemented. The reason cert pinning in the browser is going away is mainly due to the fact that admins were messing it up, causing denial of service for users by accident...
@agowa338 7 years ago
This is intentional and (at least some) banks know about that. I talked to some people that took part in the discussion internally at a bank. They rated the risk lower than the chances of getting new customers and making more money. Also it should be noted that, at least in Germany, the user is protected from those risks, as the bank has to "restore the bank account to the state before the fraud happened". The shift in liability happens, for example, if the user uses optical TAN, as it can be assumed that this authentication method is secure and that only the user could have made the transaction (until a security hole in that technology is found). So from a user's perspective, at least in Germany, you don't have to care at all. If the bank would do everything in plain text over HTTP, the worst that could happen to you as a user is: 1. someone knows your banking history, 2. someone could make "temporary" (at least for the user, possibly not for the bank) payments, 3. you have to inform your bank about the fraud, 4. maybe go to the police in combination with 3.
@SongsAboutHappiness 7 years ago
You mentioned sandboxes. What about things like cryptolok/MorphAES. Really been interested in this stuff since my class is moving kind of slow. Thanks love your vids!
@LucianC137 4 years ago
Make a video on exploiting broadcast receivers of an app...
@joveaaron-real 4 years ago
Put the intro at 2x and you'll like it more :3
@youdonotknowmyname9663 3 years ago
Funny, I got an N26 ad before the video ...
@g0w1h4m 3 years ago
I had the same reaction @15:00 WHY TF they are clapping?
@bschlueter 7 years ago
It would be interesting to see how to save and decrypt the Snapchat photos.
@bschlueter 6 years ago
Gigabyte1337 Not that easy to read smali code
@LiveOverflow 6 years ago
„Not easy“ does not mean „impossible“ ;)
@emilhozan71 5 years ago
@@bschlueter You're right here, but you can use JADX or other tools
@carljustinemosquida9614 7 years ago
Where to start in mobile app sec?
@canyildiz8483 2 years ago
Please do not use SSL anymore; it has been deprecated since 2015. TLS is the only acceptable wording.
@LiEnby 6 years ago
I really dislike the sandboxing approach to Android because I like being able to access everything, but Google has a solution to this, which is rooting. But then it tries to detect root, so you have to disable the root detections.
@therenaissance8322 6 years ago
Just be a little more dramatic and a thunderf00t style video will appear.... lol
@TheGrimravager 6 years ago
Gonna be really honest here: I am majoring in theoretical physics, and I am considered pretty smart by my friends in terms of understanding technology. I know how to program and I've just rooted my phone for the first time. I found it very difficult (but a very cool experience, learned a ton of stuff :D). If I am dumb enough to allow some malicious process to run on my phone as superuser, I deserve every consequence of that.
@ko-Daegu 6 years ago
TheGrimravager And why are you writing that ... You are smart maybe in physics, but plz leave the sec field
@TheGrimravager 6 years ago
No, you leave. Why are you writing this?
@ko-Daegu 6 years ago
TheGrimravager "No you leave" shows you totally didn't get the point... Go back and read your comment again ...
@TheGrimravager 6 years ago
No I won't, you're just some guy on the internet
@unarei 6 years ago
> I didn't need to touch the device
Is that not something he said? Pretty sure he said that he didn't have to install his own certificate on the device
@amirroohi4566 7 years ago
Is there a chance of seeing you do some C# tutorials? I really enjoy C# Console Applications and Windows Forms Applications; they are so great and fun to write. Please, please, any C# tutorials
@LiveOverflow 7 years ago
I have not much Windows and C# experience. So it's fairly unlikely :S
@amirroohi4566 7 years ago
Well, just wanted to say thank you for responding so quickly, but still, thanks; I will continue watching your videos. But is there any chance of seeing the very basics of C and Python, so that I can follow your videos better?
@nuffin2hide855 7 years ago
There are more than enough sources out there already, just not on this channel.
@tthtlc 5 years ago
At 18:48, you mentioned HTTP you can MITM, but HTTPS (using SSL) you can't? Yes, you cannot if you are using a legitimate DNS server, but I thought you mentioned the DNS was hijacked? So assuming the DNS is hijacked, then MITM using a self-signed SSL cert can be used on the SSL. During SSL communication you can also trace that /etc/hosts is read, so if you hardcoded the IP address of the domain name there, you can always redirect the SSL communication to your own self-signed cert.
@hikkamorii 1 year ago
not really, you need a certificate that is issued by a CA, and if you in any way change DNS server to the one you control, and redirect requests to your website, you’ll either have to use self-signed certificate, which won’t work since your CA is not trusted, or you need to ask a real CA for a certificate, which they won’t give to you because you don’t own the domain.
@Herblore7 6 years ago
@4:28 why do you need to write native code for obfuscation and to protect against reverse engineering?
@kangjiahuang9928 4 years ago
[Actually saw this on Reddit] Allow "Calendar" to access your Calendar?
@dazoedave 6 years ago
I'm pretty sure he said he didn't have to install a CA on the client.
@vurpo7080 6 years ago
Without installing a root certificate on the client, none of the attacks mentioned are possible. Except for DNS hijacking, of course, but that's a theoretical attack that can't be done if the target server admins manage their DNS correctly (which so far, they have done).
@kaotiskhund 1 year ago
What's the purpose of this?! 🤣🤣🤣
@smoov22_sonic 7 years ago
try something like /r/changemyview
@olaola-yh5ge 1 year ago
Future here, do you still hold to that belief @liveoverflow