Wednesday, April 26, 2017

Following up on yesterday's note.

Following on from yesterday's note, I did a quick scan to see if the unencrypted Enstream problem had propagated to ScotiaBank Android 17.3.2 or not.

The short answer is I did a quick check, and it's still talking to Bell over HTTP, not HTTPS.

Whilst Scotiabank has taken a step in the right direction to keep out the script kiddies from a national banking app by employing reasonable levels of obfuscation, it has still to resolve the same security problems introduced in December, posed by communicating with third parties over unencrypted URLs.

Tuesday, April 25, 2017

Success! Scotiabank finally stepped up to the security plate.

It's been a while since I posted as I've been quite busy with other commitments. So, this is just a quick update...

As the world and its dog knows, I've been campaigning about the abysmal lack of security in Scotiabank's mobile apps for over a year and even banned their use in our house. It may be purely coincidental that they finally implemented some security after I published my book - or it may not be coincidence.

Here's the paragraph from my book on this issue.


Either way, I may never know as it's not like Scotiabank ever communicates with me, but this measure will finally keep out the script kiddies at least - so I consider this a success.

When I've got some spare time, I'll check this release properly to see how many holes remain... Despite all the usual marketing news that people fall for, the actual apps put out since December 2016 (when Scotiabank launched that HCE integration using Enstream) have been talking to Bell's BWANET API endpoint over a non-HTTPS connection, so that definitely needs to be checked to see if they've propagated that hole into the new .so libraries.
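The check described above, as an added example that is not the author's own tooling: unpack an APK (a zip) and scan every .so and .dex entry for baked-in `http://` endpoints, ignoring `https://` ones. The sample APK and the hostnames in it are constructed for the demonstration and are not the real app or the real Bell endpoint.

```python
import io
import re
import zipfile

# Matches http:// (never https://, since the "s" breaks the literal) followed by a
# hostname, optional port and a path of printable, non-space characters, so a URL
# embedded in binary data stops at the NUL or other non-printable byte after it.
CLEARTEXT_URL = re.compile(rb"http://[A-Za-z0-9._~\-]+(?::\d+)?(?:/[!-~]*)?")


def find_cleartext_urls(blob: bytes) -> list[str]:
    """Return the distinct http:// URLs embedded in a byte blob (a .so, .dex, etc.)."""
    found = []
    for match in CLEARTEXT_URL.finditer(blob):
        url = match.group(0).decode("ascii", "replace")
        if url not in found:
            found.append(url)
    return found


def scan_apk(apk_bytes: bytes) -> dict[str, list[str]]:
    """Map each .so/.dex entry of an APK to the cleartext URLs it contains (only entries with hits)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.endswith((".so", ".dex")):
                hits = find_cleartext_urls(apk.read(name))
                if hits:
                    findings[name] = hits
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: one fake native library and one fake dex file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr(
            "lib/arm64-v8a/libpayments.so",
            b"\x7fELF\x00\x00"
            + b"https://bank.example/api/v1\x00"              # fine: TLS
            + b"http://third-party.example/wallet/provision\x00"  # the finding
            + b"\x00" * 16,
        )
        apk.writestr("classes.dex", b"dex\n035\x00https://bank.example/login\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, urls in scan_apk(build_sample_apk()).items():
        print(entry, "->", ", ".join(urls))
```

A string scan catches what the platform cannot: Android's network security configuration (`cleartextTrafficPermitted="false"`) is enforced by the platform HTTP stacks, not by a native library carrying its own HTTP client.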

This is the actual URL it connected to.

Scotiabank and I differ on this subject, but whilst they were trying to tell everyone that they're secure, I could see no valid reason for a banking app to communicate with third parties over a non-secure connection, let alone with Bell (who are about as secure as a chocolate safe in a heatwave at the best of times).  Given Scotiabank still pushed out apps with that hole, we can only infer that Scotiabank was perfectly fine with that.