Advisory: 44 Credit Union apps for iOS may allow login credential exposure

During the development of our web-based mobile app analysis service, it was essential to have a clear understanding of the most common security issues that plague mobile applications today. Automatically scanning the binary code of applications in the Apple App Store en masse has given us a large body of data about these security issues.

[Screenshot] Example: Username and password for the “Wawa Employees’ Credit Union” application for iOS being wirelessly and silently intercepted by a nearby user

The Problem

An issue exists in the code used to validate TLS certificates in the affected applications, potentially derived from third-party code within the applications. A far more in-depth analysis of the cause will be published at a later date.

The vulnerability may allow a user of any of the affected applications to have their banking username and password silently intercepted by any individual within wireless range (likely 50–100 feet) while logging into the affected application, as shown in the screenshot above. Because of the nature of the vulnerability, curious readers can test for themselves using bettercap: no modifications or prerequisites are needed, simply remember to enable HTTPS sniffing and use the “POST” request parser in order to capture the credentials (only test using your own mobile device!).
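As an added illustration (not code from this advisory or from any of the affected applications, whose actual validation code is not shown here), the general shape of the bug class in an iOS URLSession delegate: a handler that trusts any server certificate, beside one that evaluates the presented chain against the system trust store and the intended hostname. The class names and the `expectedHost` parameter are assumptions for the example.

```swift
import Foundation
import Security

// Vulnerable pattern: every server certificate is accepted without evaluation,
// so a certificate presented by an on-path device is trusted and the login
// POST body (username and password) can be read by whoever holds that device.
final class TrustEverythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // No SecTrustEvaluate call at all: whatever the peer presents wins.
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Hardened pattern: evaluate the chain for the host we meant to reach and
// cancel the connection on failure (self-signed, wrong host, expired, untrusted CA).
// Returning .performDefaultHandling, or not implementing this method, gives the
// same system validation; explicit evaluation is shown here for clarity.
final class ValidatingDelegate: NSObject, URLSessionDelegate {
    let expectedHost: String   // assumed: the bank's API hostname, e.g. "api.example-bank.invalid"
    init(expectedHost: String) { self.expectedHost = expectedHost }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Bind the evaluation to the intended hostname, not just "any valid chain".
        let policy = SecPolicyCreateSSL(true, expectedHost as CFString)
        _ = SecTrustSetPolicies(trust, policy)
        var error: CFError?
        if SecTrustEvaluateWithError(trust, &error) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Chain does not validate for this host: abort rather than send credentials.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

When reviewing third-party networking code bundled into an app, the delegate method above (and its NSURLConnection equivalent) is the place to look for an unconditional `.useCredential`.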

If you are a user of any iOS applications listed below, it is strongly advised that you limit usage and refrain from use in public areas until your credit union releases an update to address the security vulnerability.

Affected Applications

  1. “Wawa Employees Credit Union Mobile” by Wawa Employees Credit Union, version 4.0.1 (CVE-2017-9558)
  2. “Vision Bank” by MEA Financial Enterprises, LLC, version 3.0.1 (CVE-2017-9559)
  3. “Cayuga Lake National Bank” by Cayuga Lake National Bank, version 4.0.1 (CVE-2017-9560)
  4. “LBTC Mobile” by Lee Bank & Trust Co, version 3.0.1 (CVE-2017-9561)
  5. “Freedom 1st Credit Union Mobile Banking” by Freedom First Credit Union Inc., version 3.0.0 (CVE-2017-9562)
  6. “FCCB” by First Citizens Community Bank, version 3.0.1 (CVE-2017-9563)
  7. “Community Bank’s CB2GO” by Community Bancshares, Inc., version 3.1.3 (CVE-2017-9564)
  8. “First Security Bank Sleepy Eye Mobile” by First Security Bank — Sleepy Eye, version 3.0.0 (CVE-2017-9565)
  9. “FSB DeQueen Mobile Banking” by First State Bank of DeQueen, version 3.0.1 (CVE-2017-9566)
  10. “AVB Bank — Mobile Banking” by AVB, version 3.0.0 (CVE-2017-9567)
  11. “Financial Plus Mobile Banking” by Financial Plus FCU, version 3.0.3 (CVE-2017-9568)
  12. “CBTX On the Go” by Citizens Bank TX, version 3.0.0 (CVE-2017-9569)
  13. “Mount Vernon Bank & Trust Mobile Banking” by Mount Vernon Bank and Trust Company, version 3.0.0 (CVE-2017-9570)
  14. “CCB Mobile Banking” by Citizens Community Bank (TN), version 3.0.1 (CVE-2017-9571)
  15. “Athens State Bank Mobile Banking” by Athens State Bank, version 3.0.0 (CVE-2017-9572)
  16. “NASB Mobile Banking” by North Adams State Bank of Ursa Inc, version 3.0.1 (CVE-2017-9573)
  17. “KC Area Credit Union Mobile Banking” by K C Area Credit Union, version 3.0.1 (CVE-2017-9574)
  18. “FVB Mobile Banking” by First Volunteer Bank of Tennessee, version 3.1.1 (CVE-2017-9575)
  19. “Middleton Community Bank Mobile Banking” by Middleton Community Bank, version 3.0.0 (CVE-2017-9576)
  20. “First Citizens Bank-Mobile Banking” by First Citizens Bank (AL), version 3.0.0 (CVE-2017-9577)
  21. “RVCB Mobile” by RVCB Mobile Banking, version 3.0.0 (CVE-2017-9578)
  22. “JMCU Mobile Banking” by Joplin Metro Credit Union, version 3.0.0 (CVE-2017-9579)
  23. “Pioneer Bank & Trust Mobile Banking” by PIONEER BANK AND TRUST, version 3.0.0 (CVE-2017-9580)
  24. “Algonquin State Bank Mobile Banking” by Algonquin State Bank, version 3.0.0 (CVE-2017-9581)
  25. “BNB Mobile Banking” by Brady National Bank, version 3.0.0 (CVE-2017-9582) [NOTE: A new version of this application, 4.2.0, has been recently released and may fix the vulnerability. This has not yet been verified.]
  26. “Charlevoix State Bank” by Charlevoix State Bank, version 3.0.1 (CVE-2017-9583)
  27. “HBO Mobile Banking” by Heritage Bank of Ozarks, version 3.0.0 (CVE-2017-9584)
  28. “Community State Bank — Lamar Mobile Banking” by Community State Bank — Lamar, version 3.0.3 (CVE-2017-9585)
  29. “FSBY Mobile Banking” by First State Bank of Yoakum TX, version 3.0.0 (CVE-2017-9586)
  30. “PCSB BANK Mobile” by PCSB Bank, version 3.0.4 (CVE-2017-9587)
  31. “Oritani Mobile Banking” by Oritani Bank, version 3.0.0 (CVE-2017-9588)
  32. “SCSB Shelbyville IL Mobile Banking” by Shelby County State Bank, version 3.0.0 (CVE-2017-9589)
  33. “State Bank of Waterloo Mobile Banking” by State Bank of Waterloo, version 3.0.2 (CVE-2017-9590)
  34. “PCB Mobile” by Phelps County Bank, version 3.0.2 (CVE-2017-9591)
  35. “Your Legacy Federal Credit Union Mobile Banking” by Your Legacy Federal Credit Union, version 3.0.1 (CVE-2017-9592)
  36. “Oculina Mobile Banking” by Oculina Bank, version 3.0.0 (CVE-2017-9593)
  37. “SVB Mobile” by Sauk Valley Bank Mobile Banking, version 3.0.0 (CVE-2017-9594)
  38. “First State Bank of Bigfork Mobile Ba…” by First State Bank of Bigfork, version 4.0.3 (CVE-2017-9595)
  39. “CFB Mobile Banking” by Citizens First Bank Wisconsin, version 3.0.1 (CVE-2017-9596)
  40. “Blue Ridge Bank and Trust Co. Mobile Banking” by Blue Ridge Bank and Trust Co., version 3.0.1 (CVE-2017-9597)
  41. “Morton Credit Union Mobile Banking” by Morton Credit Union, version 3.0.1 (CVE-2017-9598)
  42. “Fountain Trust Mobile Banking” by FOUNTAIN TRUST COMPANY, version 3.0.0 (CVE-2017-9599)
  43. “Peoples Bank Tulsa” by Peoples Bank — OK, version 3.0.2 (CVE-2017-9600)
  44. “FNB Kemp Mobile Banking” by First National Bank of Kemp, version 3.0.2 (CVE-2017-9601)