ICICI Bank’s iMobile website has some of the worst server-side validation ever, which is what prompted me to download the mobile app’s JAR file, study it in detail and write this post. According to the website, mobile banking is supposed to be halted until the Reserve Bank of India comes out with mobile banking guidelines and approves the service. Technically, that means existing users shouldn’t be able to use the service whatsoever, new user signups should be prevented, and a notice asking users to retry later should be shown.

Therefore, in this scenario, I shouldn’t have been able to download the app to my mobile device. ICICI’s website fails to enforce this and leaves the following two ways open:

  1. Existing users who have already installed the app are given an ‘Upgrade’ option within the mobile app itself. This opens a web page in the phone’s native browser, whose URL is http://mobile.icicibank.com/upgrade?version=null.
  2. The actual iMobile website has only some client-side JavaScript validation, which is very easy to bypass in modern browsers. Heck, just by reading the HTML source of the page, you can easily find the URL for the application JAR files. Put two and two together and you will be able to download the app.

Which brings me to explain Step 2 in detail:

In any browser, go to View->Source. This displays the source code of the rendered HTML page. Notice the first <script> tag. It contains many functions; the ones that matter to us are “submitForm” and “displayOption”. The line of interest in the submitForm method is document.jump1.action="https://infinity.icicibank.co.in/web/apps/"+fileName;. That line pretty much gives everything away: all you have to do is navigate to the above URL and append a filename to it to download the file.

What filename do you have to give, and how?

That’s where the displayOption function is very useful. It contains a set of simple if-else conditional statements that hold the respective filenames. For example, if you want to download “M20P1520ALL1.jar”, just append it to the URL and access it from the address bar, so the URL becomes https://infinity.icicibank.co.in/web/apps/M20P1520ALL1.jar :) Being a JAR file, most browsers will display a “Save As” dialog box. Now just download the file and transfer it to your mobile. The application is fairly straightforward.

Where ICICI Bank failed:

  1. They should have disabled the link mentioned in #1 above and replaced it with some text that says, “RBI mobile banking guidelines blah blah…”. Some clever users will still have bookmarked the link to the JAR file and will try to fetch the JAR directly, bypassing the page. When they do, the web server should return a “404 – Resource Not Found” error. Got it? Implementing this is pretty simple.
  2. There shouldn’t have been so much useless JavaScript on the page. Firstly, they should have removed the device selection drop-down box. Secondly, they should have replaced this page with an alternative. Thirdly, the mobile banking link should have been removed from the home page itself. Fourthly, they should have validated JAR file downloads on the server and returned the “404 – Resource Not Found” error page.
  3. OK, leave aside #1 and #2. At the very least, the server should have returned soft errors when users tried to access mobile banking from the Java ME app. Any bank stores all activity data for a certain period of time, so when you access the bank’s service from a mobile device, the server software surely knows about it, which means it should have returned errors to the user instead of allowing transactions.
  4. There’s one more bug in the app itself. When you launch the app, it prompts you to sync the data on the device to its servers for faster access next time. When you click “OK” to synchronise, it waits for a few minutes and shows the message “There is no data to synchronize”. When you proceed further and try to access your info, it prompts you to sync the data again. That’s frustrating. Either the data should be synced properly, or the server should be contacted every time over a secure channel. As simple as that. That’s not followed either.
For me, all these things imply only one thing: either ICICI wants existing users to continue using the app, thereby disobeying RBI’s orders, or they have some really bad programmers who don’t know what they are doing. At a time when people fear Google tracking their internet usage, this is MY/YOUR FINANCIAL INFORMATION that is at risk. Right?

That was a long post already :) We still have some more to go. Let’s take a break.


Back? OK 😀 Now, let’s dissect the actual JAR file and look into the technical details of its implementation.

The Manifest File:

Rename the .JAR extension to .ZIP and extract it to your favourite folder. Open the “META-INF” folder and open the “MANIFEST.MF” file in a text editor. As you will note, it contains lots of very valuable information, especially the socket URLs of various mobile service providers. The user agent is also very interesting: when sending HTTP requests, the application uses that property to set the “User-Agent” HTTP header. They also have debug strings enabled, which means that by snooping around with a good file manager on your mobile you can get at technical errors, which tell us how the app works, what requests it sends, its behaviour and so on.

Another important item is the “MIDlet-Name” property in the manifest. This property determines what name the user sees after installing the app on the mobile. When future upgrades are made available under the same name, the new app simply replaces the old one, which means that if you modify the “MIDlet-Name” property and install the app again, you will have two copies of the same app. THIS SHOULD NEVER BE ALLOWED FOR A HIGHLY CRITICAL FINANCIAL APPLICATION. Isn’t it? As an example, try changing the MIDlet-Name of the Yahoo! Go JAR file and try to install the app again on your mobile. My E51 shows an “Invalid JAR” error message because of MD5 sum checks etc.

Some more Holes:

Now, move back to the folder where the JAR file has been extracted. It contains a bunch of .class files. Pass them through a decompiler and you will get “perfect” Java source files. The code looks obfuscated, but it’s not obfuscated enough: anybody will be able to make good sense of the source code. All the URLs, all the strings used and everything else are clearly visible. By using the app on your mobile side by side, you can easily follow the source code. All in all, I wouldn’t use this app anymore until the security measures are tighter.

What should the bank do here?

  1. They shouldn’t allow the installation of two apps from the same JAR with different names. Take the example of the Yahoo! Go JAR file above.
  2. I guess these mobile providers’ socket URLs are used on a one-time basis to send the verification SMS. If that is the case, they shouldn’t be present in the manifest file, for a variety of reasons that I won’t discuss here.
  3. There’s an interesting property named “WSCDomainName” in the manifest file. I guess it expands to “Web Service Client Domain Name”, though I’m not sure about it. Suggestion: encrypt the name-value pairs.
  4. Most importantly, sign the application through the Java Signed program. C’mon, users are doing financial transactions, and a signed app will increase their confidence in using this application.
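As an added example (not code from this post or from the bank), here is a small Python checker for the manifest properties discussed above and the signing point in item 4. It parses MANIFEST.MF/JAD style “Name: value” lines, re-joining the continuation lines the JAR spec allows, then flags a suite whose descriptor lacks the MIDP 2.0 signature attributes (those live in the JAD, so run it over the JAD for that check) and any attribute whose value is a network endpoint. The sample descriptor and the Carrier-SMS-* attribute names are constructed placeholders.

```python
import re

# Constructed sample descriptor (not the real iMobile manifest). Attribute
# names follow MIDP 2.0 except Carrier-SMS-*, which is a placeholder name.
SAMPLE = (
    "Manifest-Version: 1.0\n"
    "MIDlet-Name: iMobile\n"
    "MIDlet-Version: 1.0.0\n"
    "MIDlet-1: iMobile, /icon.png, com.example.Main\n"
    "MicroEdition-Profile: MIDP-2.0\n"
    "Carrier-SMS-1: socket://sms.carrier-one.invalid:9200\n"
    "Carrier-SMS-2: socket://sms.carrier-two\n"
    " .invalid:9200\n"  # leading space = continuation of the line above
)
ENDPOINT_RE = re.compile(r"^(socket|https?)://", re.I)


def parse_descriptor(text):
    """Parse MANIFEST.MF or JAD 'Name: value' lines into a dict, re-joining
    the 72-byte wrapped continuation lines the JAR manifest spec allows."""
    attrs, last = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed descriptor line: %r" % raw)
        last = name.strip()
        attrs[last] = value.strip()
    return attrs


def find_issues(attrs):
    """Return (issue, detail) pairs for the weaknesses the post calls out."""
    issues = []
    # A signed MIDP 2.0 suite carries these two attributes in its JAD; without
    # them the handset installs the suite untrusted, so a repacked JAR (e.g.
    # with a changed MIDlet-Name) is accepted just like the original.
    if "MIDlet-Jar-RSA-SHA1" not in attrs or "MIDlet-Certificate-1-1" not in attrs:
        issues.append(("unsigned", attrs.get("MIDlet-Name", "?")))
    for name, value in attrs.items():
        if ENDPOINT_RE.match(value):  # readable by anyone who unzips the JAR
            issues.append(("plaintext-endpoint", "%s=%s" % (name, value)))
    return issues
```

Running find_issues(parse_descriptor(SAMPLE)) reports the suite as unsigned and lists both carrier socket URLs, the second one correctly re-joined from its continuation line.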

Suggestion for Users:

Users should install these kinds of apps in their mobile’s built-in memory instead of on the memory card. When you connect your phone to the PC in thumb-drive mode, all the RMS file stores for the mobile app are clearly visible on the card, and there are many decoders available on the internet that can read content from RMS file stores. When you store the app in your mobile’s built-in memory, you can’t read those stores directly, and there are a number of checks in place that prevent reading them.

That’s about it!

Of course, this blog post can’t be termed a full-fledged security analysis. But most of what the bank has ignored are mere basics. They must put more secure systems in place.

If you liked this article, kindly do me a favour by digging it. Thanks for your time.

Update: There seems to be some problem when the API is accessed from my domain. Kindly try hosting the script in your own domain.

Hi friends, if you are in India and are developing software prototypes that have to send SMS alerts to various Indian mobile numbers, you needn’t spend a lot buying SMS credits at the various sites. Over the last weekend, I spent some time hacking up a quick SOAP-based web service which you can consume in your programs.

Please note that you need to create an account at www.way2sms.com before proceeding further.

How to Use – Method 1:

Currently the web service is active at http://www.aswinanand.com/sendsms.php. This accepts four parameters.

Parameter   Description
uid         The 10-digit phone number with which you log in at way2sms.
            Note: this web service may not work if you try logging in with an email address.
pwd         Your way2sms password.
phone       One or more phone numbers to which the SMS has to be sent, separated by semicolons (;). E.g. 9812345678;9933445566
msg         The message that has to be sent.

The URL – http://www.aswinanand.com/sendsms.php – can be invoked with the parameters as follows:

http://www.aswinanand.com/sendsms.php?uid=9933445566&pwd=password&phone=9812345678;9933445566&msg=Hello+World

You can also do an HTTP POST to the same URL to send the SMS. Here’s an example:

<form method="post" action="http://www.aswinanand.com/sendsms.php">
<input type="hidden" name="uid" value="9933445566" />
<input type="hidden" name="pwd" value="password" />
<input type="hidden" name="phone" value="9812345678;9933445566" />
<input type="hidden" name="msg" value="Hello World" />
<input type="submit" value="Send SMS" />
</form>
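An added example, not part of the original post: a Python client for the sendsms.php parameters above that validates the way2sms login number and the recipients as 10-digit numbers and submits them by HTTP POST, so that pwd stays out of the query string (and out of browser history, proxy logs and the server’s access log). The 10-digit pattern is an assumption.

```python
import re
from urllib.parse import urlencode
from urllib.request import Request, urlopen

SENDSMS_URL = "http://www.aswinanand.com/sendsms.php"  # endpoint from the post
# Assumption: way2sms logins and recipients are Indian 10-digit mobile numbers.
PHONE_RE = re.compile(r"^[1-9][0-9]{9}$")


def build_sendsms_request(uid, pwd, phones, msg):
    """Validate the four sendsms.php parameters and return (url, post_body).

    sendsms.php also accepts the same fields in a GET query string, but that
    puts pwd into browser history, proxy logs and the server's access log,
    so the body is built for an HTTP POST instead.
    """
    if not PHONE_RE.match(uid):
        raise ValueError("uid must be the 10-digit way2sms login number, not an e-mail")
    if not phones:
        raise ValueError("at least one recipient is required")
    bad = [p for p in phones if not PHONE_RE.match(p)]
    if bad:
        raise ValueError("invalid recipient number(s): %s" % ", ".join(bad))
    if not msg.strip():
        raise ValueError("message must not be empty")
    # Recipients are joined with ';' as the script expects; urlencode then
    # percent-encodes the separator and turns spaces in msg into '+'.
    body = urlencode({"uid": uid, "pwd": pwd, "phone": ";".join(phones), "msg": msg})
    return SENDSMS_URL, body


def send_sms(uid, pwd, phones, msg, timeout=30):
    """POST the request and return the script's response text (needs network)."""
    url, body = build_sendsms_request(uid, pwd, phones, msg)
    req = Request(url, data=body.encode("ascii"), method="POST")
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed sample values matching the post's examples; nothing is sent.
    print(build_sendsms_request("9933445566", "password",
                                ["9812345678", "9933445566"], "Hello World")[1])
```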

How to Use – Method 2:

The functionality is also exposed as a SOAP (Simple Object Access Protocol) web service described by a WSDL (Web Services Description Language) file. The WSDL can be accessed at http://www.aswinanand.com/sendsms.php?wsdl. To know more about how to use this WSDL in Microsoft Visual Studio, check out this article.

Deploying on your own Server:

To deploy this SMS script on your own server, first download the source code & follow the instructions:

  1. Let us assume that you wish to run the service at http://www.example.com/sms/sendsms.php. Here, http://www.example.com/ is your domain, “sms” is the folder and “sendsms.php” is the PHP script in that folder.
  2. Hence, using FTP or SSH, login to your domain hosting space and create a folder named “sms”.
  3. Extract the source code to the “sms” folder. If you don’t want to expose a SOAP WSDL, feel free to skip to step 6.
  4. Since the SMS source code supports SOAP, you have to download the ‘nusoap’ library and extract it to the same “sms” folder.
  5. Once everything is extracted, the folder structure should be:
    • example.com
      • sms/
        • sendsms.php
        • htmlparser.inc (optional)
        • nusoap/
          • class.nusoap_base.php
          • class.soap_transport_http.php
          • class.wsdlcache.php
          • class.soap_fault.php
          • class.soap_val.php
          • class.xmlschema.php
          • class.soap_parser.php
          • class.soapclient.php
          • class.soap_server.php
          • class.wsdl.php
          • nusoapmime.php
          • nusoap.php
  6. Try accessing your web service at http://www.example.com/sms/sendsms.php now.
You can use the same parameters described above for sendsms.php and access it as:

http://www.example.com/sms/sendsms.php?uid=9933445566&pwd=password&phone=9812345678;9933445566&msg=Hello+World

or you can also do a HTTP POST as indicated above.

License Information:

The source code is licensed under “Creative Commons Attribution-Noncommercial”. Downloading the file(s) means that you have agreed to the license terms.

Download:

Download the PHP source code here.

Other Languages:

Currently this SMS web service is available in the following programming languages:

Misc:

If you liked this web service, please digg it :) . Kindly take it for a test drive and let me know if you find any bugs.

Hey guys! I discovered two feed proxies.

  1. http://www.netvibes.com/proxy/feedProxy.php?test=1&url=__FEED_URL__
  2. http://my.live.com/cfw/news.aspx?fetchurl=__FEED_URL__

Replace __FEED_URL__ with the feed URL of your choice. Of the two feed proxies above, I like Netvibes’ proxy best, for the following reasons:

  1. Feed output is JSON. This means that, netvibes has done all the necessary work to convert feeds of any type (RSS, ATOM, RDF etc.) into JSON.
  2. If you are writing a script to examine feeds from various sites, you have only one data structure to deal with 😉
  3. Almost all programming languages support JSON. Refer to www.json.org for JSON libraries available for various programming languages.
  4. JSON by itself is very lightweight and eliminates most of the overhead of XML, thereby preserving bandwidth.
  5. A simple program in VB.NET to parse a JSON structure and get the required feed data into a Dictionary datatype is only about 9 lines of code. In Ruby, it will be even less. Compare the same with XML output: even though feed parsers are available, you have to create your own wrapper above everything to get it all to work properly. Reuse what you already have (DRY principle). Netvibes has already done the heavy lifting of converting all kinds of feeds into a common format.
  6. Best of all, no authentication is necessary to access these links 😀

Live.com’s feed proxy returns the actual feed output: if the feed you refer to gives RSS output, this proxy returns RSS, and the same happens with ATOM, RDF etc. Keep watching this space. I will update the post with other feed proxy URLs that I come across. If you come across any, please mention them in the comments section.


Two things today:

A few days ago, I was searching for information on NTFS and found two amazing articles from the good old MSJ (Microsoft Systems Journal). The links are below; do go through them when you find time. Even though the articles are old, they offer a wealth of information.

  1. Windows NT 5.0 File System – http://www.microsoft.com/msj/1198/ntfs/ntfs.aspx
  2. NTFS Change Journal – http://www.microsoft.com/msj/0999/journal/journal.aspx

There are a lot more articles available. I will post the links as and when I read them. Nice stuff!


As you already know, I have enabled keyboard shortcuts on my Gmail account. Gmail actually shows you the list of available shortcuts right inside your mailbox, without having to visit the keyboard shortcuts help page. To access the list, press the “?” key (“Shift + /”). You will get the translucent black popup shown in the screenshot below. Press any key to close it.

[Screenshot: Gmail keyboard shortcuts popup]

New post on tech blog

February 8th, 2007

After a long time, I have done a post on my tech blog. The post is about “sc.exe”.

Read about it.