Bank of America Android App Vulnerability

Summary

Bank of America's servers do not check the integrity of the Android app that connects to them. It is therefore easy to modify the app and add trojan code that does malicious things; an attacker who can trick people into using the trojaned app can exploit them.

This vulnerability does not affect people who are using the genuine app from the Google Play Store. It would only harm people who are tricked into installing a modified app from a Web site, email, etc.

The proof-of-concept code below merely writes the ATM card number and PIN to the log, where other apps on the phone can read it, but nothing prevents a more capable programmer from sending that data, and all the other data the app handles, out over the Net.

Bank of America should add integrity-checking to their server-side code. Obfuscating their smali code would also be an improvement.

Proof of Concept: Step by Step

Using the GenyMotion Android emulator, install the genuine App from the Google Play Store.

Pull the APK file from the device with adb, as shown below.

Decode the APK file with apktool, as shown below.

Use grep to locate interesting files as shown below.

Modify the AtmDebitDetailsActivity.smali.smali file in three places to steal the card number and PIN, as shown below.

Build the APK and sign it, as shown below.

In the emulator, uninstall the BofA app.

Drag the APK file from the dist/ directory and drop it on the emulator to install it.

Launch the app.

Click on "Enroll in Online & Mobile Banking"

Click on "Get Started"

Click on "ATM or Debit Card"

Enter a fake card #, PIN, and Last 4. Click Continue.

The ATM number and PIN are in the logs, as shown below.
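The leak above shows up as plain text in the shared Android log, so a mobile-app security test should scan `adb logcat` output for card numbers and PIN fields rather than relying on someone noticing them by eye. The following scanner is an added example for this advisory, not the author's proof-of-concept code and not anything from the bank's app: it parses logcat `threadtime` lines, flags only digit runs that pass the Luhn checksum (so order ids and timestamps are not reported), picks out `pin=` fields, and masks every value it reports so the report itself does not re-leak the data. The log lines, the `Enroll` tag and the `com.example.bank` package name are constructed samples; the card number is a standard test PAN.

```python
"""Scan Android logcat output for leaked payment card numbers and PINs.

Added example for this advisory, not the author's proof-of-concept code.
It shows the kind of check a mobile-app security test would run over
`adb logcat -d` output to catch exactly the leak described above: an
enrollment screen writing the ATM card number and PIN to the shared log.
The log lines, tag name and package name below are constructed samples.
"""
import re
from typing import Dict, List

# Constructed logcat lines in `threadtime` format.  The card number is a
# standard test PAN (Luhn-valid); the PIN and last-4 are made up.  The last
# line carries a 16-digit value that is NOT a valid card number, to show
# that the Luhn check keeps the scanner from flagging every long number.
SAMPLE_LOGCAT = """\
03-11 14:02:11.101  1234  1234 D Enroll  : onCreate AtmDebitDetailsActivity
03-11 14:02:45.552  1234  1234 D Enroll  : card=4111111111111111 pin=1234 last4=6789
03-11 14:02:45.553   812   900 I ActivityManager: Displayed com.example.bank/.EnrollActivity
03-11 14:02:46.004  1234  1234 D Enroll  : order id 1234567890123456 total 12.00
"""

# threadtime format: date time PID TID level tag: message
_LOGCAT_LINE = re.compile(
    r"^\S+\s+\S+\s+\d+\s+\d+\s+[VDIWEF]\s+(?P<tag>.+?)\s*:\s(?P<msg>.*)$"
)
# 13-19 digit runs not embedded in a longer number (PAN lengths in practice)
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# a "pin=1234" / "PIN: 123456" style field
_PIN_FIELD = re.compile(r"(?i)\bpin\s*[=:]\s*(?P<pin>\d{4,6})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits so the report does not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_logcat(text: str) -> List[Dict[str, object]]:
    """Return one finding per leaked PAN or PIN field, with the value masked."""
    findings: List[Dict[str, object]] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        m = _LOGCAT_LINE.match(raw)
        # Fall back to scanning the whole line if it is not threadtime format.
        tag, msg = (m.group("tag"), m.group("msg")) if m else (None, raw)
        for cand in _PAN_CANDIDATE.findall(msg):
            if luhn_valid(cand):
                findings.append({"line": line_no, "tag": tag, "kind": "pan",
                                 "value": mask_pan(cand)})
        for pm in _PIN_FIELD.finditer(msg):
            findings.append({"line": line_no, "tag": tag, "kind": "pin",
                             "value": "*" * len(pm.group("pin"))})
    return findings


if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {f['line']} tag={f['tag']} {f['kind']} {f['value']}")
```

On the constructed sample only the second line is reported (one PAN finding and one PIN finding, both masked); the 16-digit order id on the last line fails Luhn and is ignored. To use it against a device, feed the text of `adb logcat -d` to `scan_logcat` and fail the test run if it returns any findings.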

Update: 5-22-15

Bank of America updated their app on 3-26-15

But it's still vulnerable. Here's the enrollment page for a business card user:

Here's where I put the Trojan code:

Here are the stolen credentials:

Testing 10-5-15

I tested the latest version of the app:

I put the same Trojan in the code.

This version has a different pattern of clicks to reach the vulnerable part of the code.

On the main page, click "Need help with your ID, Passcode, or enrollment?".

Then click "Enroll in Online and Mobile Banking", "Get Started", and "ATM or Debit Card".

The result is the same; entering credentials here:

Causes them to leak into the log:

Timeline

I notified BofA on Feb. 7, 2015, as shown below.

The app was updated on Feb. 25. I re-tested it on 3-11-15 but this vulnerability was still the same.

I re-tested it on 5-22-15 but this vulnerability was still the same.

I re-tested it on 6-14-15 but this vulnerability was still the same.

For a while I thought they had fixed it but I was in error.

I met a BofA security officer at B-SidesLV in 2015 and he said they don't care about this and they don't plan to fix it.


Updated 6-13-15 with Fix!
Updated 6-14-15 with "still vuln after all"
Updated 10-5-15; still vulnerable the same way.