09:22 AM
Jailbreaking Joins the List of Security Issues For Mobile Banking Developers to Ponder
Mobile banking program developers have a lot of security issues to think about, the latest of which is iPhone jailbreaking. Last week, the Librarian of Congress and the U.S. Copyright Office said that the Digital Millennium Copyright Act, a law that forbids anyone from breaking through encryption technology to copy or modify copyrighted works, does not apply to the copyrighted encryption built into the bootloader that starts up the iPhone OS operating system, as Apple had claimed it did. The Copyright Office concluded that, "while a copyright owner might try to restrict the programs that can be run on a particular operating system, copyright law is not the vehicle for imposition of such restrictions." This means that jailbreaking, in other words unlocking a phone without carrier and/or manufacturer approval, is not only easy to do and common, but has now been declared legal by the U.S. government.

An interesting article about iPhone jailbreaking on the Mobile Manifesto site explains that earlier this week the Unofficial iPhone Dev Team, the de facto iPhone jailbreak providers, released a new method for jailbreaking iPhones. "The simplicity of their last jailbreak set off proverbial alarms across the mobile security and risk management community," the site says.
Previous jailbreak methods were cumbersome and idiosyncratic. Users wanting to jailbreak their phone would have to download a file, jump through some hoops, and 30-40 minutes later their phone would be free. Unfortunately, after the jailbreak, all of their applications were gone and they would have to reinstall everything from scratch. Each upgrade required repeating the entire painful process.

Apple has a web page dedicated to the dangers of jailbreaking one's own iPhone, but it does not address the issue of being a hapless victim of an external break-in. The company said Wednesday that it has already developed a fix for this problem that will be available to customers in an upcoming software update. It did not respond to a request for more information this morning.

The old process worked by bypassing Apple's signing process. It was not something my mom would have ever attempted to try on her own.
The new jailbreak method exploits a vulnerability in Safari and is super simple. You can now jailbreak your phone by simply connecting to a website and swiping your finger. (If you want to see it, the site is: https://www.jailbreakme.com)
The whole process takes about 3 minutes and leaves all of your applications in place. It is a no-fuss, no-muss approach and something my mom could do to be one of the cool kids.
The Mobile Manifesto site envisions a worst-case scenario in which "bad guys trick iPhone users into navigating to their site or attaching a file to an email that, once opened, quietly jailbreaks their phone. Once the process is complete the phone would look and feel just like nothing happened at all. Except now, maybe the iPhone secretly has key logger software installed that steals usernames and passwords from mobile banking. Or maybe the hacker can hijack a browser session to go where they want it to go and not where users expect to go. Usernames, passwords, financial information including balances and names of banks can all be siphoned off to someone who wants to take money. The bad guy could even look at your anti-phishing site keys."
The article suggests that banks and software vendors can do little within their applications to prevent these types of attacks, yet they will end up paying for the resulting losses.
In another, unrelated incident with similar potential consequences that I wrote about last week, Citi discovered during a software review that its mobile iPhone banking app was accidentally saving information related to customer accounts in a hidden file on their iPhones. This would obviously be problematic in the case of a stolen phone. Citi fixed the glitch and issued a software update immediately.
The really tricky thing about both of these iPhone security issues, in my view, is that a fix only helps once it is installed. Even if a bank responds quickly the way Citi did, or the operating system provider eventually issues an update, as Apple has promised it will, the security of the device still depends on customers being aware of the fix and upgrading their software right away. Perhaps banks and mobile device manufacturers need a way to push such upgrades to devices. And maybe banks should offer mobile device IT support in their branches and call centers. Although it would be an expense, it could help prevent some costly fraud incidents and help banks keep their mobile banking programs, which grow in size and importance every day, on track.
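One concrete step a bank can take on its own servers while waiting for customers to update, given that a patch only protects a phone once it is installed: check the iOS version a mobile-web banking client reports and require an upgrade before allowing login. The following is an added example, not code from the article or from any bank; the minimum version is a placeholder (the article does not name the release that carries Apple's fix) and the User-Agent strings are constructed samples.

```python
import re
from typing import Optional, Tuple

# Placeholder threshold: stands in for whichever iOS release carries the fix
# for the Safari flaw. The article does not name it, so this is an assumption.
MIN_IOS_VERSION = (4, 0, 2)

# Mobile Safari reports its OS as "CPU iPhone OS 4_0_1 like Mac OS X"
# (iPhone/iPod touch) or "CPU OS 3_2 like Mac OS X" (iPad).
_IOS_UA = re.compile(r"CPU (?:iPhone )?OS (\d+)(?:_(\d+))?(?:_(\d+))? like Mac OS X")


def parse_ios_version(user_agent: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an iOS Safari User-Agent, or None."""
    match = _IOS_UA.search(user_agent)
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor or 0), int(patch or 0))


def login_decision(user_agent: str, minimum: Tuple[int, int, int] = MIN_IOS_VERSION) -> str:
    """Decide how a mobile-web login attempt from this client should be handled.

    Returns "allow", "upgrade_required" (send the customer to the update page),
    or "unknown_client" (not an iOS Safari UA; apply the bank's default policy).
    The User-Agent is client-supplied and trivially spoofable, so this gate
    nudges honest customers to patch; it is not a security boundary on its own.
    """
    version = parse_ios_version(user_agent)
    if version is None:
        return "unknown_client"
    return "allow" if version >= minimum else "upgrade_required"


# Constructed sample User-Agent strings, in the format Mobile Safari used in 2010.
SAMPLE_UNPATCHED = ("Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) "
                    "AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A306 Safari/6531.22.7")
SAMPLE_PATCHED = ("Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_2 like Mac OS X; en-us) "
                  "AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A400 Safari/6531.22.7")
SAMPLE_IPAD = ("Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) "
               "AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.10")
SAMPLE_DESKTOP = "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 Safari/533.4"

if __name__ == "__main__":
    for ua in (SAMPLE_UNPATCHED, SAMPLE_PATCHED, SAMPLE_IPAD, SAMPLE_DESKTOP):
        print(parse_ios_version(ua), login_decision(ua))
```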