A Study on the Effectivity of Jailbreak Detection in Banking Apps

Abstract

People increasingly rely on mobile devices for banking transactions or two-factor authentication (2FA) and thus trust in the security provided by the underlying operating system. Simultaneously, jailbreaks are gaining tremendous popularity among regular users for customizing their devices. In this project, we show that the two do not go well together: jailbreaks remove vital security mechanisms that are necessary to ensure a trusted environment in which sensitive data, such as login credentials and transaction numbers (TANs), can be protected. We find that all but one of the banking apps available in the iOS App Store can be fully compromised by trivial means without reverse-engineering, manipulating the app, or other sophisticated attacks. Our study assesses the current state of security of banking apps and pleads for more advanced defensive measures for protecting user data.

Team

Proof-of-Concept Implementations

To foster future research and improve existing implementations of jailbreak detection mechanisms, we make all developed tools and hooks available in the repository at:

https://github.com/intellisec/ios-snoop

Publication

A detailed description of our work has been presented at the 4th IEEE European Symposium on Security and Privacy (EuroS&P 2019) in June 2019. If you would like to cite our work, please use the reference as provided below:

@InProceedings{KelHorRieWre19,
author =    {Ansgar Kellner and Micha Horlboge and Konrad Rieck and
Christian Wressnegger},
title =     {False Sense of Security: A Study on the Effectivity of
Jailbreak Detection in Banking Apps},
booktitle = {Proc. of the {IEEE} European Symposium on Security and
Privacy ({EuroS\&P})},
year =      2019,
month =     jun,
day =       {17.--19.}
}

A preprint of the paper is available here.