Dissecting iMobile – Security Analysis of ICICI Mobile Banking App
September 27th, 2008
ICICI Bank’s iMobile website has some of the worst server side validations ever, which is what prompted me to download the mobile app’s JAR file, study it in detail and write this post. According to the website, until the Reserve Bank of India comes out with mobile banking guidelines and approves it, mobile banking is supposed to be halted. Technically, it means that, all existing users shouldn’t be able to use the service what-so-ever and new user signups should be prevented & a notification stating that they should retry later should be shown.
Therefore, in this scenario, I shouldn’t have been able to download the app to my mobile device. The website of ICICI fails in not enforcing this by providing the following ways:
- Existing users who have already installed the app are given an option to ‘Upgrade’ from within the mobile app itself. This opens up a webpage in the phone’s native browser, whose URL is http://mobile.icicibank.com/upgrade?version=null.
- The actual iMobile website has some stupid javascript validation, which is very easy to bypass using modern browsers. Heck, just by browsing the HTML source code of the page, you will be able to easily find the URL for the application JAR files. Put 2 and 2 together and you will be able to download the app.
Which brings me to explain Step 2 in detail:
document.jump1.action="https://infinity.icicibank.co.in/web/apps/"+fileName;
. That line pretty much gives away everything. All you have to do is, navigate to the above mentioned URL and append a filename to it for download.What filename do you have to give and How?
Where ICICI Bank failed?
- They should have disabled the link mentioned in #1 above and replaced it with some text that says, “RBI mobile banking guidelines blah blah…”. But some clever users will bookmark the link to the JAR file and try to access the JAR file by bypassing the link itself. When they do that, the web server should return a “404 – Resource Not Found” error. Got it? Implementing this is pretty simple.
- There shouldn’t have been such a lot of useless javascript on the page. Firstly, they should have removed the device selection drop down box. Secondly, they should have replaced this page with an alternative. Thirdly, this mobile banking link should have been removed in the home page itself. Fourthly, they should have validated on the server for JAR file downloads and should have displayed the “404 – Resource Not Found” error page.
- Ok. Leave aside #1 and #2. At least the mobile app should have thrown soft errors when users try to access mobile banking from the JavaME app. Any bank would store all activity data for a certain period of time. So when you access the bank’s service from a mobile device, the server software surely knows about it, which means, the server software should have returned errors to the user instead of allowing the user to do transactions.
- There’s one more bug in the app itself. When you launch the app, it will prompt you to sync the data on the device to its servers for faster access the next time. When you click “OK” to synchronize, it will wait for a few minutes and show a message as, “There is no data to synchronize”. When you proceed further and try to access your info, it will again prompt you to sync the data. That’s frustrating. Either you should sync the data properly or you should access the server every time over a secure channel. As simple as that. That’s not followed too.
That was a long post already ๐ We still have some more to go. Lets take a break.
Back? Ok ๐ Now, lets dissect the actual JAR file and look into the technical details of its implementation.
The Manifest File:
Another important item is, “MIDlet-Name” property in the manifest. This property determines what name the user sees after he installs the app on his mobile. Using the same name, when future upgrades are made available, the app is just replaced in place of the old one, which means, if you modify the “MIDlet-Name” property and install the app again, you will have 2 copies of the same app. THIS SHOULD NEVER BE ALLOWED FOR A HIGHLY CRITICAL FINANCIAL APPLICATION. Isn’t it? As an example, try changing the MIDlet-Name of the Yahoo! Go JAR file and try to install the app again on your mobile. My E51 shows an “Invalid JAR” error message because of MD5 sum checks etc.
Some more Holes:
What should the bank do here?
- Shouldn’t allow the installation of 2 apps of the same JAR with different names. Take this example of the Yahoo! Go JAR file.
- I guess these mobile providers’ socket URLs are used for a one time basis to send verification SMS. If that be the case, they shouldn’t be present in the manifest file for a variety of reasons that I won’t discuss here.
- There’s an interesting property named “WSCDomainName” in the manifest file. I guess it expands to “Web Service Client Domain Name”, though I’m not sure about it. Suggestion: Encrypt the name value pairs.
- Most importantly, sign the application using the Java Signed program. C’mon, users are doing financial transactions and a signed app will increase their confidence of using this application.
Suggestion for Users:
Thats about it !
Of course, this blog post can’t be termed as a full fledged security analysis. But most of what has been ignored by the bank are mere basics. They must have more secure systems in place.
If you liked this article, kindly do me a favour by digging it. Thanks for your time.
Conversation
September 25th, 2008
Few days ago, I was chatting with a guy in my office. It goes without saying that the guy is far more experienced than me.รย Myself and my team mate were showing a prototype UI & this conversation happened.รย Here’s how it went:
Me: Please check this functionality & let us know if you have questions.
Guy: Keeps his left hand on his chin, turns his head slightly, squints at the monitor, pointing his right hand at the webpage & without checking an ounce of functionality, says … The UI doesn’t look good. Make changes to it.
Me: Okay… We are working on it.
Guy: Suddenly stares at me with a blank expressionรย & says … Hey don’t use “div” tag.
Me: (I’m obviously confused) … Why not?
Guy: Stares again and says … Major browsers don’t support it well !!
That hit me – like a brick – on the head and I was dazed for a second. Team mate and myself burst out laughing and walked out of the room ๐
Oh! did I mention that it was supposed to be a “technical” discussion?
Kalari – Oh! yes
September 21st, 2008
Its been about 2 and a half months since I started going to the Kalari classesรย and I’m still going. Stamina has improved by a good extent and I’m able to note the difference between now and then. I have also started losing fear of sharp weapons such as daggers and vett aruvals. Overall, its been a very nice time every alternate morning for two hours at YMCA Nandanam.
So, what’s been the main driving factor to get me to join Kalari apart from other fitness activities such as gym, yoga etc.?
- Yoga and gym are a few days activities at the teacher’s place, which means I have to practice it on my own afterwards. That requires tremendous mental toughness & moreover, altering your schedule to fit in yoga or gym in place of sleep is a tough. Hence, I needed something which would take a long time to master but at the same time I needed to learn the techniques fast enough. Kalari fit this bill easily. For full-time Kalari practitioners, it takes about 13 years to master it. For me, it will take even more, considering that fact that I practice it for just 6-10 hours a week. So, I can learn it for a decade slowly and surely. You also need a master at most times to correct you always. Many programmes disconnect you after the 10 day ritual. For e.g. in Kalari, you need to do a combination of punches, kicks and jumps. First you have to learn to do it. Then, you have to learn to do it well. Then, you have to improve your speed of doing it & fourthly, you have to perfect it & you need the master’s help in all these phases. Otherwise, it cannot be done.
- I have this tendency to ask lot of questions during the early days of learning something & I needed a master who will answer those patiently ๐ Fortunately for me, the master under whom I’m learning now, is very patient and answers in detail about whatever questions I ask, even though they are stupid/silly for most of the time.
- I needed a flexible schedule. 10 day programmes are useless here. For a programme to be flexible, it has to happen over a period of time, so that you can always catch up. Here, we have flexible timings ;-). So, if I miss a class or two because of office or anything else, I can catch up during Saturday or Sunday.
- I needed a team. Jogging alone or doing yoga alone will seem awesome for a few days. But not for long. You will get bored soon. With Kalari, it doesn’t happen. Three of us (myself and 2 of my school friends) joined & every class is exciting. A fourth person joined & soon, we started practicing in groups of two. During weekends, we have a few experienced guys coming in, who have learned & practiced Kalari for 5-6 years. With them around, it will be awesome!
P.S. I have honoured Google Chrome by using writing this post on Chrome ๐ hehehe…