Banking iPhone App Bypasses Parental Controls
May 27, 2011. Posted in security.
ASB Bank has recently released an iPhone app. It’s yellow and it’s currently the number one app in New Zealand. No surprises here. However, many of their customers have immediately slammed the bank for not really building a native app but just wrapping their mobile website.
I was very surprised to see just how many 1 star reviews there are in the app store for this reason alone but this blog post is not about the star rating of the app.
What really surprised me is the fact that the mobile site has not been customized to accommodate the new app. Basically any user can have a full web experience with just a few taps. This can be good in certain scenarios but in this case I believe it is quite bad.
Worst case scenario
Let’s assume John buys his child an iPhone or iPod touch. He then goes and enables Parental Controls on this device.


John now gives the device to his child knowing that he has done his best to enforce the web browsing rules that he wanted. This is where the ASB iPhone app comes into play. With just a few taps (demonstrated below), John’s kid will be browsing the web freely, in a FastNet Classic branded app.



Let’s see what happened here.
- Start up the app
- On the Login Screen tap “Go to regular asb.co.nz”
- After the main page loads, tap “Follow us on Twitter”.


Obviously, from the Twitter search box John’s kid can go anywhere: whether it’s @google’s account or @LadyGaga’s, it doesn’t really matter. What matters is that Twitter does not curate the links, photos or homepages that people link to. This is precisely what John wanted to prevent!
Who’s to blame?
- The easiest option would be to point the finger at Apple and ask why the mobile web view does not obey the parental control rules. To answer this question I would like to point out that mobile web views can be used for many things other than browsing the web. One simple example would be displaying a bundled HTML file.
- Once again, maybe Apple should be blamed for not preventing HTTP calls when Safari is blocked via parental controls. Again this is not really an option since games and other apps consume internet services.
- Or maybe ASB can be blamed for not building a native app and relying on a wrapper for their mobile website? I honestly don’t think there is anything wrong with doing this. The experience is inferior, the look and feel is not the best and the user interface gets downloaded every time, however this mobile web view approach does not force the scenario above to happen.
What I think happened is that the scenario I described above simply wasn’t considered.
Is there a solution?
There is a way to fix this and luckily it’s not hard at all. What I think ASB’s technical department should do is:
- point a crawler to the mobile site and follow all the links until a non-ASB page is loaded
- analyse all these links and make a decision on whether they are “safe” or not
- implement user agent detection, or have the iOS app send a custom HTTP header, so that external links are not displayed or loaded for requests coming from the app
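As an added example (not ASB’s code, nor anything taken from the app), here is a server-side sketch of those three steps in Python: a crawler that walks the mobile site and stops at the first link that leaves the bank’s own hosts, a classifier that decides whether a link is first-party, and a renderer that strips external links from a page when the request carries the app’s custom header. The host allowlist, the header name X-Mobile-App and the three sample pages are assumptions or constructed for this example.

```python
"""Link policy for a mobile site served inside a wrapper app (added example,
not ASB's code). Covers the three steps the post suggests: crawl the site up
to the first off-domain link, classify links against a host allowlist, and
strip external links when a request carries the app's custom header.
The allowlist, header name and sample pages are assumed or constructed."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"asb.co.nz", "m.asb.co.nz"}  # assumed first-party hosts
APP_HEADER = "X-Mobile-App"                    # assumed header the app sends


def is_internal(url, base):
    """True if url (maybe relative to base) resolves to a first-party host."""
    parts = urlsplit(urljoin(base, url))
    if parts.scheme not in ("http", "https"):  # javascript:, mailto:, ...
        return False
    host = (parts.hostname or "").lower()
    # Match on a '.' boundary so 'asb.co.nz.example.net' stays external.
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for n, v in attrs if n == "href" and v)


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.hrefs


def crawl_external_links(fetch, start_url):
    """Breadth-first crawl that follows only first-party links; fetch(url)
    returns a page's HTML. Returns the sorted set of off-domain URLs seen."""
    seen, queue, external = {start_url}, deque([start_url]), set()
    while queue:
        page = queue.popleft()
        for href in extract_links(fetch(page)):
            absolute = urljoin(page, href)
            if not is_internal(absolute, page):
                external.add(absolute)
            elif absolute not in seen:
                seen.add(absolute)
                queue.append(absolute)
    return sorted(external)


class _ExternalLinkStripper(HTMLParser):
    # Re-emits the page with external <a> elements reduced to their text.
    def __init__(self, base):
        super().__init__(convert_charrefs=False)  # keep entities escaped
        self.base, self.out, self._dropped = base, [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "a" and any(n == "href" and v and not is_internal(v, self.base)
                              for n, v in attrs):
            self._dropped += 1  # also drop the matching </a>
            return
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "a" and self._dropped:
            self._dropped -= 1
            return
        self.out.append("</%s>" % tag)

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)


def render_for_request(headers, html, base):
    """Unchanged page for browsers; external links stripped for requests that
    carry APP_HEADER (test User-Agent instead for the user-agent variant)."""
    if not any(k.lower() == APP_HEADER.lower() for k in headers):
        return html
    parser = _ExternalLinkStripper(base)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


SITE = {  # constructed mini-site along the post's path; handle is a placeholder
    "https://m.asb.co.nz/": '<a href="/login">Log in</a> <a href="https://asb.co.nz/">Go to regular asb.co.nz</a>',
    "https://asb.co.nz/": '<a href="https://twitter.com/example">Follow us on Twitter</a> <a href="/rates">Rates</a>',
    "https://asb.co.nz/rates": '<a href="javascript:void(0)">Show more</a>',
}
```

Running `crawl_external_links(lambda u: SITE.get(u, ""), "https://m.asb.co.nz/")` over the constructed site reports the Twitter link and the `javascript:` link as the only places the crawl leaves the bank, which is the list a reviewer would then classify. Two design points: the host check matches on a dot boundary and refuses non-http(s) schemes, otherwise a lookalike host or a `javascript:` URL would pass as first-party; and the stripper keeps entities escaped (`convert_charrefs=False`), so re-emitting the page cannot turn `&lt;script&gt;` back into live markup. The server-side filter only removes links the server renders itself; the stronger control is in the app, where the same allowlist test can be applied in the UIWebView delegate’s `webView:shouldStartLoadWithRequest:navigationType:` to refuse any navigation off the bank’s hosts, whatever page it came from.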
Conclusion
I have no doubt that ASB had nothing but good intentions when they decided to build this iPhone app. However they are a bank, they have lots of customers and their app is likely to be installed even by non-customers who just want to check out ASB’s offering. I am sure ASB will eventually plug this security hole and bring this to an end, however their 1 star reviews will linger and none of them (as far as I know) even touch on the issue described above.
From a technical standpoint the lesson here is that a UIWebView control can be very dangerous if careful thought is not put into how it’s used. Surely ASB does not want people to be able to tweet screenshots that have a FastNet Classic navigation bar and a collegehumour.com content view…
Cheers…
Tagged: apps, iPhone, review, security
