Wednesday, April 26, 2017

Following up on yesterday's note.

Following on from yesterday's note, I did a quick scan to see if the unencrypted Enstream problem had propagated to Scotiabank Android 17.3.2 or not.

The short answer is that I did a quick check, and it's still talking to Bell over HTTP, not HTTPS.

Whilst Scotiabank has taken a step in the right direction to keep the script kiddies out of a national banking app by employing reasonable levels of obfuscation, it has still to resolve the same security problems introduced in December, posed by communicating with third parties over unencrypted URLs.