Android Security Symposium 2017

State of security of Android banking apps in Poland

About the speaker

Tomasz Zieliński

PGS Software S.A., Wrocław, Poland
Tomasz Zieliński – Android team lead at PGS Software. In the past he maintained financial systems at the National Bank of Poland, developed Bing at Microsoft, helped in the production of Angry Birds and looked after embedded software for trams and buses. He used to be a public data re-use activist; in 2012 he was invited by the European Commission to speak in Brussels about his experience of re-using public transport data in Poland. He graduated from the University of Wrocław and is an active paraglider pilot.

Abstract

In the 2nd half of 2016 we reviewed 20 Android banking applications, released and
maintained by banks operating in Poland. We found a number of problems, ranging from
minor errors in APK packaging, through data loading via insecure connections, lack of
certificate pinning, exported activities, debug code present in apps and leaks of session
tokens, up to session takeover and user data exposure. The presentation will cover the
observed vulnerabilities. I will also tell you about the process of contacting the banks'
security departments and the responsible disclosure of sensitive information. If time
allows, we will investigate the implications of using third-party services like
Crashlytics or the Facebook SDK.

Slides

Get the slides here.

The full whitepaper can be downloaded here: The Level of Security of Mobile Banking Applications in Poland (PGS Software, Nov. 2016).

Video