Dissecting iMobile – Security Analysis of ICICI Mobile Banking App

September 27th, 2008

ICICI Bank’s iMobile website has some of the worst server side validations ever, which is what prompted me to download the mobile app’s JAR file, study it in detail and write this post. According to the website, until the Reserve Bank of India comes out with mobile banking guidelines and approves it, mobile banking is supposed to be halted. Technically, it means that, all existing users shouldn’t be able to use the service what-so-ever and new user signups should be prevented & a notification stating that they should retry later should be shown.

Therefore, in this scenario, I shouldn’t have been able to download the app to my mobile device. The website of ICICI fails in not enforcing this by providing the following ways:

  1. Existing users who have already installed the app are given an option to ‘Upgrade’ from within the mobile app itself. This opens up a webpage in the phone’s native browser, whose URL is http://mobile.icicibank.com/upgrade?version=null.
  2. The actual iMobile website has some stupid javascript validation, which is very easy to bypass using modern browsers. Heck, just by browsing the HTML source code of the page, you will be able to easily find the URL for the application JAR files. Put 2 and 2 together and you will be able to download the app.

Which brings me to explain Step 2 in detail:

On any browser, go to View->Source. This will display the source code of the rendered HTML page. Notice the first <script> tag. It contains many functions & the most important functions to us are “submitForm” and “displayOption”. The line of interest in submitForm method is document.jump1.action="https://infinity.icicibank.co.in/web/apps/"+fileName;. That line pretty much gives away everything. All you have to do is, navigate to the above mentioned URL and append a filename to it for download.

What filename do you have to give and How?

That’s where our displayOption function is very useful. That function contains a set of simple If-Else conditional statements, which have the respective filenames. For e.g. if you want to download “M20P1520ALL1.jar”, then just append it to the URL & access it using the address bar. Therefore, the URL becomes https://infinity.icicibank.co.in/web/apps/M20P1520ALL1.jar ๐Ÿ™‚ Being a JAR file, most browsers will display a “Save As” dialog box. Now, just download the file and transfer it to your mobile. The application is fairly straight forward.

Where ICICI Bank failed?

  1. They should have disabled the link mentioned in #1 above and replaced it with some text that says, “RBI mobile banking guidelines blah blah…”. But some clever users will bookmark the link to the JAR file and try to access the JAR file by bypassing the link itself. When they do that, the web server should return a “404 – Resource Not Found” error. Got it? Implementing this is pretty simple.
  2. There shouldn’t have been such a lot of useless javascript on the page. Firstly, they should have removed the device selection drop down box. Secondly, they should have replaced this page with an alternative. Thirdly, this mobile banking link should have been removed in the home page itself. Fourthly, they should have validated on the server for JAR file downloads and should have displayed the “404 – Resource Not Found” error page.
  3. Ok. Leave aside #1 and #2. At least the mobile app should have thrown soft errors when users try to access mobile banking from the JavaME app. Any bank would store all activity data for a certain period of time. So when you access the bank’s service from a mobile device, the server software surely knows about it, which means, the server software should have returned errors to the user instead of allowing the user to do transactions.
  4. There’s one more bug in the app itself. When you launch the app, it will prompt you to sync the data on the device to its servers for faster access the next time. When you click “OK” to synchronize, it will wait for a few minutes and show a message as, “There is no data to synchronize”. When you proceed further and try to access your info, it will again prompt you to sync the data. That’s frustrating. Either you should sync the data properly or you should access the server every time over a secure channel. As simple as that. That’s not followed too.
For me, all these things imply only thing. ICICI wants the existing users to continue using the app, thereby disobeying RBI’s orders or they are having some really bad programmers who don’t know the stuff they are doing. At a time when people fear about Google tracking their internet usage, this is MY/YOUR FINANCIAL INFORMATION, which is at risk Right?

That was a long post already ๐Ÿ™‚ We still have some more to go. Lets take a break.

Tea Break Image Credits

Back? Ok ๐Ÿ˜€ Now, lets dissect the actual JAR file and look into the technical details of its implementation.

The Manifest File:

Rename the .JAR extension to .ZIP extension and extract it to your favourite folder. Open the “META-INF” folder and open the “MANIFEST.MF” file in a text editor. As you will note, it contains lots of very valuable information, especially the socket URLs of various mobile service providers. User agent is also very interesting. When sending HTTP requests through the application, it uses that property for setting the “user-agent” HTTP header. They also have debug strings enabled, which means by snoping around using a good file manager for your mobile, you will be able to get technical errors! thereby, letting us know how the app works itself, what requests it sends, its behaviour etc.

Another important item is, “MIDlet-Name” property in the manifest. This property determines what name the user sees after he installs the app on his mobile. Using the same name, when future upgrades are made available, the app is just replaced in place of the old one, which means, if you modify the “MIDlet-Name” property and install the app again, you will have 2 copies of the same app. THIS SHOULD NEVER BE ALLOWED FOR A HIGHLY CRITICAL FINANCIAL APPLICATION. Isn’t it? As an example, try changing the MIDlet-Name of the Yahoo! Go JAR file and try to install the app again on your mobile. My E51 shows an “Invalid JAR” error message because of MD5 sum checks etc.

Some more Holes:

Now, move back to the folder where the JAR file has been extracted. It contains a bunch of .class files. Pass it through a decompiler. You will get “perfect” java source code files. The code looks obfuscated. But its not obfuscated enough. Anybody will be able to make good sense from the source code. All the URLs, all the used strings and everything else will be clearly visible. By using the app on your mobile side-by-side, you will be easily able to go through the source code. All in all, I wouldn’t use this app anymore until the security measures are tighter.

What should the bank do here?

  1. Shouldn’t allow the installation of 2 apps of the same JAR with different names. Take this example of the Yahoo! Go JAR file.
  2. I guess these mobile providers’ socket URLs are used for a one time basis to send verification SMS. If that be the case, they shouldn’t be present in the manifest file for a variety of reasons that I won’t discuss here.
  3. There’s an interesting property named “WSCDomainName” in the manifest file. I guess it expands to “Web Service Client Domain Name”, though I’m not sure about it. Suggestion: Encrypt the name value pairs.
  4. Most importantly, sign the application using the Java Signed program. C’mon, users are doing financial transactions and a signed app will increase their confidence of using this application.

Suggestion for Users:

Users should install these kinds of apps on their mobile’s inbuilt memory, instead of the memory card. That is, when you connect your phone to the PC in thumb drive mode, all the RMS file stores for the mobile app are clearly visible. There are many decoders available on the internet that can read content from the RMS file stores. When you store this app on your mobile’s inbuilt memory, you can’t read those stores directly and there are a number of checks in place, that prevent reading it.

Thats about it !

Of course, this blog post can’t be termed as a full fledged security analysis. But most of what has been ignored by the bank are mere basics. They must have more secure systems in place.

If you liked this article, kindly do me a favour by digging it. Thanks for your time.

Posted by Aswin Anand Filed in mobile, mobility, techblog, Technology
19 Comments »

Conversation

September 25th, 2008

Few days ago, I was chatting with a guy in my office. It goes without saying that the guy is far more experienced than me.ร‚ย Myself and my team mate were showing a prototype UI & this conversation happened.ร‚ย Here’s how it went:

Me: Please check this functionality & let us know if you have questions.

Guy: Keeps his left hand on his chin, turns his head slightly, squints at the monitor, pointing his right hand at the webpage & without checking an ounce of functionality, says … The UI doesn’t look good. Make changes to it.

Me: Okay… We are working on it.

Guy: Suddenly stares at me with a blank expressionร‚ย & says … Hey don’t use “div” tag.

Me: (I’m obviously confused) … Why not?

Guy: Stares again and says … Major browsers don’t support it well !!

That hit me – like a brick – on the head and I was dazed for a second. Team mate and myself burst out laughing and walked out of the room ๐Ÿ˜€

Oh! did I mention that it was supposed to be a “technical” discussion?

Posted by Aswin Anand Filed in Casually Speaking ..., humour
6 Comments »

Kalari – Oh! yes

September 21st, 2008

Its been about 2 and a half months since I started going to the Kalari classesร‚ย and I’m still going. Stamina has improved by a good extent and I’m able to note the difference between now and then. I have also started losing fear of sharp weapons such as daggers and vett aruvals. Overall, its been a very nice time every alternate morning for two hours at YMCA Nandanam.

So, what’s been the main driving factor to get me to join Kalari apart from other fitness activities such as gym, yoga etc.?

  1. Yoga and gym are a few days activities at the teacher’s place, which means I have to practice it on my own afterwards. That requires tremendous mental toughness & moreover, altering your schedule to fit in yoga or gym in place of sleep is a tough. Hence, I needed something which would take a long time to master but at the same time I needed to learn the techniques fast enough. Kalari fit this bill easily. For full-time Kalari practitioners, it takes about 13 years to master it. For me, it will take even more, considering that fact that I practice it for just 6-10 hours a week. So, I can learn it for a decade slowly and surely. You also need a master at most times to correct you always. Many programmes disconnect you after the 10 day ritual. For e.g. in Kalari, you need to do a combination of punches, kicks and jumps. First you have to learn to do it. Then, you have to learn to do it well. Then, you have to improve your speed of doing it & fourthly, you have to perfect it & you need the master’s help in all these phases. Otherwise, it cannot be done.
  2. I have this tendency to ask lot of questions during the early days of learning something & I needed a master who will answer those patiently ๐Ÿ™‚ Fortunately for me, the master under whom I’m learning now, is very patient and answers in detail about whatever questions I ask, even though they are stupid/silly for most of the time.
  3. I needed a flexible schedule. 10 day programmes are useless here. For a programme to be flexible, it has to happen over a period of time, so that you can always catch up. Here, we have flexible timings ;-). So, if I miss a class or two because of office or anything else, I can catch up during Saturday or Sunday.
  4. I needed a team. Jogging alone or doing yoga alone will seem awesome for a few days. But not for long. You will get bored soon. With Kalari, it doesn’t happen. Three of us (myself and 2 of my school friends) joined & every class is exciting. A fourth person joined & soon, we started practicing in groups of two. During weekends, we have a few experienced guys coming in, who have learned & practiced Kalari for 5-6 years. With them around, it will be awesome!
There are actually lot more reasons for joining Kalari. But I won’t bore you with all that ๐Ÿ™‚ so, if you wish to join, contact my master Kumar at +91-98418-97119. He will be able to help you.
Usually people will have too much enthu in the initial days & then they will completely drop off. If you start Kalari and enjoy it, take it slowly. Try to reduce the enthu and ease it into your schedule. Then, it will stay with you for long. I will also try and post a few videos of myself and my friend fighting with bare hands and using a lathi.
Have a great day!

P.S. I have honoured Google Chrome by using writing this post on Chrome ๐Ÿ˜‰ hehehe…

Posted by Aswin Anand Filed in Casually Speaking ..., kalari
2 Comments »