On the MitM vulnerability in mobile banking applications for android devices

S. Kaka, V. N. Sastry, R. Maiti
2016 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS), published 2016-11-01
DOI: 10.1109/ANTS.2016.7947811 (https://doi.org/10.1109/ANTS.2016.7947811)
Citations: 4

Abstract

One of the primary concerns that the developers of mobile banking applications should strive for is ensuring the security of user information originating from any of these applications. However, even basic security features, like encrypting user data or using HTTPS during connection establishment, are often found to be absent from such mobile applications, either due to a lack of awareness of user security concerns or the unavailability of security testing experts who can point out the security flaws in the applications. In this paper, we consider the man-in-the-middle (MitM) attack, a simple yet powerful attack, as the primary attack for testing the basic security features that a mobile banking application should enforce. We have considered a total of 19 mobile banking applications on Android that are currently deployed by public sector banks in India and used by their respective customers. Surprisingly, in about 90% of these banking applications we have observed that the attack can be launched with ease even when the applications use security protocols like HTTPS to establish a communication channel with their respective servers. Moreover, some mobile applications use plain HTTP to transfer user information without any regard for security. Hence, our analysis suggests that a level of revision is required to address the basic security flaws in these mobile banking applications in order to prevent even a simple MitM attack.