[Owasp-ireland] Banks scramble to fix mobile app security flaws

OWASP Ireland ireland at owasp.org
Mon Nov 8 18:00:59 EST 2010


Laurent,

Nowadays the rush to develop applications for mobile platforms like iPhone
and Android is causing many otherwise security-conscious firms to give
little importance to testing and quality assurance.

Also, you could define during design and development to store sensitive
information in an encrypted format instead of clear text. So if someone gets
their hands on your phone, at least that information will be protected.

Fabio

On Mon, Nov 8, 2010 at 8:14 PM, Laurent Benameur Sauvaire <
laurentbenameur at gmail.com> wrote:

>
> Come on, what's in the article really?
>
> Correct me if I'm wrong but if phones are giving away the content of their
> memory when a malicious website is visited, then I'd first question the
> security of the phone instead of bragging about discovering big names' flaws
> (not that I like them).
>
> Storing clear text passwords is definitely odd, but one would investigate
> the exploitability of those things to assess a potential risk, isn't it?
>
> Rgds,
> Laurent.
>
>
> On 8 Nov 2010, at 11:57, fabio.e.cerullo at aib.ie wrote:
>
>
> A number of top financial companies and banks such as Wells Fargo & Co.,
> Bank of America Corp. and USAA are rushing out updates to fix security flaws
> in wireless banking applications that could allow a computer criminal to
> obtain sensitive data like usernames, passwords and financial information.
>
> The central problem is that the apps, which run on Apple Inc.'s iPhone and
> Android-based devices from Google Inc., are storing a user's information in
> the memory of a cellphone, a basic lapse that the security researcher who
> found the flaws said could allow a cybercriminal to access a person's
> financial accounts.
>
> Read more:
> http://online.wsj.com/article/SB10001424052748703805704575594581203248658.html?mod=googlenews_wsj
>
> Thanks,
>
> Fabio