Citibank Android App Vulnerability


Citibank's servers don't check the integrity of their Android app when it connects to their servers. It is therefore easy to modify the app, adding trojan code that does malicious things. An attacker who can trick people into using the trojaned app can exploit them.

This vulnerability does not affect people who are using the genuine app from the Google Play Store. It would only harm people who are tricked into installing a modified app from a Web site, email, etc.

The Proof of Concept code below merely logs the user ID and password, where other apps on the phone can see it, but there's nothing preventing a better programmer from sending that data, and all the other data the app has, out over the Net.

Citibank should add integrity-checking to their server-side code. Obfuscating their smali code would also be an improvement. This code has apparently been obfuscated with ProGuard, but that's such weak obfuscation as to be useless. I recommend using a powerful obfuscator like DashO, which would remove all readable strings and make this attack much more difficult.

Proof of Concept: Step by Step

Using the GenyMotion Android emulator, I installed the genuine App from the Google Play Store.

I pulled the APK file from the device with adb, as shown below.

I decoded the APK file with apktool, as shown below.

Finding Vulnerable Code

Since the code is not effectively obfuscated, it contains readable strings.

Searching for "useragent" led me to the V.smali file.

Modifying the App

I modified it in two places:

I rebuilt the APK and signed it:

Running the Modified App

I dragged the APK file from the dist/ directory and dropped it on the emulator to install it.

I launched the app, and attempted to log in with fake credentials.

The user ID and password are in the logs, as shown below.

Notification Timeline

The Citibank Website says they offer support on Twitter!

I followed them at about 9:55 am on Feb. 26, 2015. I hope they will automatically follow back so I can send a DM.

They don't follow back. So I sent this:

I also sent this email:

It bounced.

However, Twitter worked!

Posted 2-26-15 by Sam Bowne