Visible to the public False Sense of Security: A Study on the Effectivity of Jailbreak Detection in Banking Apps

TitleFalse Sense of Security: A Study on the Effectivity of Jailbreak Detection in Banking Apps
Publication TypeConference Paper
Year of Publication2019
AuthorsKellner, Ansgar, Horlboge, Micha, Rieck, Konrad, Wressnegger, Christian
Conference Name2019 IEEE European Symposium on Security and Privacy (EuroS P)
Keywordsauthentication, bank data processing, Banking, banking app, banking transactions, compositionality, data protection, feature extraction, Human Behavior, human factors, ios, iOS App Store, iOS Security, jailbreak detection, Jailbreak Evasion, Kernel, message authentication, Metrics, Mobile communication, mobile computing, mobile devices, operating system, operating systems (computers), pubcrawl, resilience, Resiliency, sensitive data protection, smart phones, Study, Trusted Computing, trusted environment, two-factor authentication
AbstractPeople increasingly rely on mobile devices for banking transactions or two-factor authentication (2FA) and thus trust in the security provided by the underlying operating system. Simultaneously, jailbreaks gain tremendous popularity among regular users for customizing their devices. In this paper, we show that both do not go well together: Jailbreaks remove vital security mechanisms, which are necessary to ensure a trusted environment that allows to protect sensitive data, such as login credentials and transaction numbers (TANs). We find that all but one banking app, available in the iOS App Store, can be fully compromised by trivial means without reverse-engineering, manipulating the app, or other sophisticated attacks. Even worse, 44% of the banking apps do not even try to detect jailbreaks, revealing the prevalent, errant trust in the operating system's security. This study assesses the current state of security of banking apps and pleads for more advanced defensive measures for protecting user data.
Citation Keykellner_false_2019