Newly created tool spots TLS vulnerability in major banking and VPN apps
Newly created tool spots TLS vulnerability in major banking and VPN apps

Eight banking apps and one virtual private app were found to contain a hidden vulnerability in their TLS protections, which could have been exploited to perform man-in-the-middle (MITM) attacks, according to academic researchers who created a new black-box tool capable of detecting the flaw.

A new report released by the University of Birmingham explains that the vulnerability in this instance was a lack of proper hostname verification -- a problem that is normally easy to detect, except when applications rely on a process called certificate pinning, which often conceals the flaw. (Certificate pinning is when developers choose to only accept certificates signed by a single pinned CA root certificate.)

Researchers Chris Stone, Tom Chothia, and Flavio Garcia observed this very scenario in a series of apps that collectively have been installed millions of times, including those issued by Bank of America and HSBC, as well as the popular TunnelBear VPN. Altogether, the nine affected apps were: Bank of America Health, TunnelBear VPN, Meezan Bank, and Smile Bank for Android, and HSBC, HSBC Business, HSBC Identity, HSBCnet, and HSBC Private for iOS. All of the companies involved repaired the flaw prior to the publishing of the paper.

The researchers uncovered the vulnerability after analyzing 400 security-sensitive Android and iPhone apps using a new semi-automated tool they developed called Spinner, which is designed to identify, on a large scale, instances of improper hostname verification in apps that perform certificate pinning.

Prior to this tool, testing for this scenario “would typically require the tester to own a high security certificate from the same issuer (and often same intermediate CA) as the one used by the app,” the report explains. But Spinner does not require purchasing any certificates. “By redirecting traffic to websites which use the relevant certificates and then analyzing the (encrypted) network traffic, we are able to determine whether the hostname check is correctly done, even in the presence of certificate pinning,” the report explains.

Fifteen other applications that do not practice certificate pinning were also flagged by Spinner, either for failing to perform a hostname check or for issuing a self-signed certificate. These apps, also now patched were: Emirates NBD, Kotak Bank, Al Rajhi Bank, Santander UK (biocatch), and CommBank Property for iOS, and American Bank of Sydney Ulster Bank NI, Ulster Bank RI, BofAML Research Library First Financial Bank, ACU Mobile, Bitcoin.co.id, Britline, Opal Transfer, and Aman Bank for Android.

In response to the study, Bank of America claims that some of the information in the report was dated. “The vulnerability identified was resolved in Bank of America's Health app nearly two years ago in January 2016. The app is no longer available as of June 2017. At no time was customer information impacted,” said a company spokesperson via email.

In their paper, the researchers explain that their process constitutes “a black-box method to detect apps... that, when using TLS, pin to a root or intermediate certificate but do not check the hostname of the host they connect to. Instead of trying to get certificates from all possible certificate authorities, which we argue is infeasible, we build a tool that makes use of the Censys Internet scanning search engine.”

“Given the certificate for a target domain, the tool queries for certificate chains for alternate hosts that only differ in the leaf certificate,” the report continues. “The tool then redirects the traffic from the app under test to a website which has a certificate signed by the same CA certificate, but of course a different hostname (Common Name). If the connection fails during the establishment phase, then we know the app detected the wrong hostname. Whereas, if the connection is established and encrypted application data is transferred by the client before the connection fails, then we know the app has accepted the hostname and is vulnerable.”