(In)Secure Digital Wallets

Posted by Miguel Lopes on Thu, Sep 8, 2016
In Android, Security

After a pentest of a Portuguese financial institution I decided to keep an eye on the sector and look for potential flaws. What I found is concerning, to say the least, and makes me ask when legislation will oblige (at least) financial institutions to properly assess the vulnerabilities of their software and infrastructure.

One of the players in the market I was analysing had an app to be used as a digital wallet. I thought that would be a good place to start, so after setting up the app I noticed that it was based on Apache Cordova, which lets programmers build applications for mobile platforms using only HTML, CSS and JS (not what I was expecting). With that discovery I turned my attention to the assets folder, where all the code was stored, and there I found this login function (along with a plain-http API_URL).

// Username is read as typed; the password is only Base64-encoded,
// which is an encoding, not encryption: anyone can reverse it.
var m_username = $('#m_username').val();
var m_password = Base64.encode($('#m_password').val());

// API_URL is a plain http:// endpoint, so the whole request body
// crosses the network unencrypted.
var request = {};
request.url = API_URL;
request.method = 'post';
request.dataType = 'json';
request.data = {
    'm_username': m_username,
    'm_password': m_password
};

Seeing this, I didn't believe it; I thought it might be some test code or a decoy. So I started the app in an emulator, fired up Wireshark, tried a random login, and there it was: the username in clear text and the password encoded in Base64, on an http connection.

This is not some random game or novelty app; this is a digital wallet in production at a financial institution. There should be legislation requiring companies to ensure that their software complies with secure development guidelines.
