Hacking Iranian banking apps - Part 1

Ralireza
7 min read · Aug 26, 2022

You may have heard that a few months ago burglars cut through a wall to rob bank deposit boxes in Iran. Wait, what? Are we living in a movie? I wanted to find out whether there is any relationship between physical security and cyber security. Because I know more about Android security, I chose the Android apps of Iranian banks to find out.

But, as many times before, just thinking about it got me nowhere, so I started getting my hands dirty. The security of banking apps has its own stories, like physical security, and can be described in several layers: for example, a bank should have strong walls, powerful cameras and sensors at the entrance, and it should not let just anyone into sensitive areas.

In this first part, we examine the top 10 basic security factors in 18 Iranian banking apps to see how strong their walls are. (Spoiler alert) In the next episodes we will see how to pass through these walls, bypass the security cameras and guards, and get chased by the police.

After reading this post we will:

  • understand how much banks care about their security.
  • learn some things about Android security.

Caution

All materials and research have an educational purpose and were produced without violating privacy or revealing confidential information about the applications. You are responsible for any misuse or violation of privacy resulting from use of this content.

Security out of 10

If a bank app has a particular security mechanism, it receives a positive score for it.

Because the security mechanisms do not carry equal weight, it cannot be said, for example, that the security of Melli Bank equals Sina's just because both have the same total; this is where 7 is not equal to 7!

Now let’s see if there is a relationship between the number of downloads of each app in Cafe Bazaar (the most used Iranian app store) and its level of security.

To know more precisely what the security ranking means, we need to find out what each security point represents.

Big Picture

Here it becomes clear what it means when we say, for instance, that Melli Bank scored 7 in the previous stage: adding up the numbers in the Melli Bank row gives the final score (7).

“0” means that it does not have that specific mechanism and “1” means that it does:

  • 1 means YES
  • 0 means NO

You may ask: why did you check these features rather than some other feature, and why 10 of them?

After some thought, I will give the resounding answer: “I don’t know”! There is no scientific support to prove that these 10 items are the basic security walls of Android apps, but based on a little experience, I am probably not wrong.

On the other hand, since we are talking about banks, I considered the characteristics most related to theft. If it were about, for example, a shopping app, the user's privacy might be much more important (for instance, whether the application collects the list of software installed on the device).

In the next step, we check these security mechanisms one by one. From here on, our hands get dirtier with computers, security, etc.

Technical Deep Dive

Let’s see what these 10 factors are and what points each of the apps got. Of course, because these factors are like those outer walls and we haven’t gone into the bank yet, weak walls do not necessarily mean it is easy to steal from the bank.

1- Emulator Detection

  • 1 means that the app detected that it was running in an emulator and refused to run.
  • 0 means that the app detected nothing and did not care where it was executed.
  • 0.5 means that it detected the emulator and warned the user, but told me that if I run the app anyway, all the security risks are my responsibility, dear user.

2- Root Detection

  • 1 means that the app detected that the device is rooted and refused to run.
  • 0 means that the app detected nothing and did not care where it was executed.
  • 0.5 means that it detected the rooted device and warned the user, but told me that if I run the app anyway, all the security risks are my responsibility, dear user.
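To make the two scores above concrete, here is an added example (my own code, not code from the post or from any of the 18 apps) of the basic emulator and root heuristics an app typically runs at startup, with the result mapped onto the post's 1 / 0.5 / 0 scale. The su paths, the `Build` property strings and the `decide` policy method are my assumptions: they are common signals, not a complete list.

```java
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;

// Added example, not from the post or from any of the 18 apps: basic emulator
// and root heuristics, mapped onto the post's 1 / 0.5 / 0 scoring.
public final class EnvironmentChecks {

    // Assumed list of well-known su locations; real apps keep longer lists.
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
        "/data/local/xbin/su", "/data/local/bin/su", "/data/local/su"
    };

    private static String nz(String s) { return s == null ? "" : s; }

    // Emulator signals: the stock Android emulator reports generic build
    // properties and the goldfish/ranchu virtual hardware.
    public static boolean looksLikeEmulator() {
        String fingerprint = nz(Build.FINGERPRINT);
        String model = nz(Build.MODEL);
        String hardware = nz(Build.HARDWARE);
        return fingerprint.startsWith("generic")
            || fingerprint.contains("emulator")
            || model.contains("Emulator")
            || model.contains("Android SDK built for")
            || hardware.equals("goldfish")
            || hardware.equals("ranchu")
            || (nz(Build.BRAND).startsWith("generic") && nz(Build.DEVICE).startsWith("generic"));
    }

    // Root signals: test-keys build tags, an su binary on disk, or su on PATH.
    public static boolean looksRooted() {
        if (nz(Build.TAGS).contains("test-keys")) return true;
        for (String path : SU_PATHS) {
            if (new File(path).exists()) return true;
        }
        return whichFinds("su");
    }

    private static boolean whichFinds(String binary) {
        Process proc = null;
        try {
            proc = new ProcessBuilder("which", binary).redirectErrorStream(true).start();
            BufferedReader reader = new BufferedReader(new InputStreamReader(proc.getInputStream()));
            String first = reader.readLine();
            // `which` prints the resolved path on success and nothing (or an error) otherwise.
            return first != null && first.startsWith("/");
        } catch (IOException e) {
            return false;
        } finally {
            if (proc != null) proc.destroy();
        }
    }

    public enum Policy { ALLOW, WARN, BLOCK }

    // blockOnDetect=true is the post's score 1 (refuse to run); false is 0.5 (warn only).
    public static Policy decide(boolean blockOnDetect) {
        boolean hostile = looksLikeEmulator() || looksRooted();
        if (!hostile) return Policy.ALLOW;
        return blockOnDetect ? Policy.BLOCK : Policy.WARN;
    }
}
```

All three root signals are file-system or build-property lookups, which is exactly what the Magisk DenyList in the next factor hides from a selected app, so a clean result from `looksRooted()` on a DenyListed phone tells the app nothing.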

3- Magisk Denylist

Zygisk, one of Magisk's extensions (its install guide shows how to set it up on a rooted device), lets you choose which apps should not be able to detect that your phone is rooted.

None of the apps noticed this and all got a score of zero. Of course, as I said, I have never seen how to detect this at all; if you have any information in this field, share it with me.

4- Frida Detection

Frida is one of the most powerful tools I know. It is used for dynamic analysis (as opposed to static analysis, which is analysing and reverse engineering the program's code without even installing it): while the program is running, it changes functions and variables to perform whatever action the attacker wants. Because this beloved tool needs a rooted device to run, most of the apps only care about rooted devices. But in a specific scenario, Frida can run on a non-rooted device too.
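As an added example (my own, not the post's code), three cheap signals an app can check for this factor from inside its own process. The frida-server default port 27042, the thread names and the `/proc/self` paths are assumptions based on Frida's defaults; anything renamed or moved evades them, which is part of why the post treats every factor as a delay rather than a guarantee.

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;

// Added example, not the post's code: three cheap Frida signals checked from
// inside the app's own process. All of them key on Frida's defaults, so a
// renamed library, a changed port or renamed threads are not caught.
public final class FridaChecks {
    // Assumed: frida-server's default listening port.
    private static final int FRIDA_DEFAULT_PORT = 27042;

    // Signal 1: a Frida library mapped into this process. On a rooted device that
    // is frida-agent; on a non-rooted device it is frida-gadget, which is the
    // "specific scenario" the post mentions. Both file names contain "frida".
    public static boolean fridaLibraryMapped() {
        try (BufferedReader reader = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = reader.readLine()) != null) {
                if (line.toLowerCase().contains("frida")) return true;
            }
        } catch (IOException ignored) {
            // /proc/self/maps unreadable: no signal, not a detection
        }
        return false;
    }

    // Signal 2: something accepting connections on frida-server's default port.
    // Needs the INTERNET permission and must not run on the main thread.
    public static boolean fridaServerListening() {
        try (Socket socket = new Socket()) {
            socket.connect(new InetSocketAddress("127.0.0.1", FRIDA_DEFAULT_PORT), 200);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    // Signal 3: Frida's runtime creates threads with recognisable names
    // (assumed names: gmain, gum-js-loop, pool-frida) visible in /proc/self/task.
    public static boolean fridaThreadsPresent() {
        File[] tasks = new File("/proc/self/task").listFiles();
        if (tasks == null) return false;
        for (File task : tasks) {
            try (BufferedReader reader = new BufferedReader(new FileReader(new File(task, "comm")))) {
                String name = reader.readLine();
                if (name == null) continue;
                if (name.startsWith("gmain") || name.startsWith("gum-js-loop")
                        || name.startsWith("pool-frida")) return true;
            } catch (IOException ignored) {
                // thread exited between listing and reading; skip it
            }
        }
        return false;
    }

    public static boolean instrumented() {
        return fridaLibraryMapped() || fridaServerListening() || fridaThreadsPresent();
    }
}
```

Run `instrumented()` from a background thread early in startup and again before sensitive calls; a single check at launch is the easiest one to hook.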

5- SSL-Pin

Congrats! All apps have SSL-Pin.

6- Integrity Check

This one should be familiar. Integrity is one side of the security triangle known as CIA. In Android, it means checking whether the app that is running is the one it should be and nobody has modified it.

7- Packer

A packer encrypts all the program's code and decrypts and executes it at runtime. When you open the app for static analysis and reverse engineering, nothing useful is visible; its purpose is to defeat static analysis. The presentation “Unpacking the Packed Unpacker — Black Hat 2018” explains packers.

8- Encryption

Here I don't mean local storage encryption. I only looked at encryption between the app and the server, and only on the bank's login API call. I left the rest of the traffic alone because I don't have an account at all of these banks to test with. If they have used encryption on this connection, they deserve praise, because it makes traffic analysis one step harder.

9- Obfuscation

Obfuscation is another thing that makes static analysis harder for the attacker.

10- Native Code

Normally the code in Android apps is Java/Kotlin, and because of the characteristics of these languages it is not difficult to reverse it into code fairly similar to what the programmer wrote. But sometimes C/C++ is used for more performance or more security, and analysing and reverse engineering that code is not as simple as Java code. Now suppose one of the security mechanisms (for example SSL-pin) is implemented in native code; the attacker then has much more work to do to bypass it.

Here, in order not to go too far into the privacy of the apps, I scored a 1 just for seeing a lib folder (native libraries shipped with the app), but the more exact check would be whether a security mechanism is actually written natively or not.

Therefore, there may be many false positives in this test.

Conclusion

It seems too early to conclude whether banks care about their security as much as they should, but I can say that up to this point, and regardless of the other factors of security, Melli Bank and Mellat have exceeded my expectations.

Another point is that all the factors checked here can be bypassed by a professional; it is not the case that an app using them is 100% safe. Each of them only delays the attack or makes some newbie attackers give up.

If you are interested in Android security, check this repository for the roadmap, docs, and write-ups:
