We present a security analysis of eight Brazilian mobile banking applications on the Android platform, spanning more than 4 years. The scope included security aspects of the application itself, the server configuration, and the connection between app and server. We demonstrate that impersonation attacks were possible against most of the banks, allowing an attacker to obtain sensitive data.
- Banco do Brasil
- Bradesco
- Caixa Econômica Federal
- Citibank
- HSBC
- Itaú Unibanco
- Nubank
- Santander
Our attack environment assumed an Android smartphone connected to a wireless local network on which a malicious computer is also present. We used the following tools:
| Tool | Description |
|---|---|
| Wireshark | Network protocol analyzer. |
| APK Downloader | Downloads APK files from the Play Store to a PC. |
| dex2jar | Works with Android `.dex` and Java `.class` files. |
| JD-GUI | Standalone graphical utility that displays the Java source code of `.class` files. |
| arpspoof | dsniff tool that performs ARP spoofing. |
| OpenSSL | Robust, commercial-grade, full-featured toolkit for the TLS and SSL protocols. |
| SSLsplit | Transparent SSL/TLS interception. |
| Qualys SSL Labs | Collection of documents, tools and thoughts related to SSL; used here to assess server TLS configuration. |
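The test environment above puts the attacker on the same LAN as the phone and relies on arpspoof, which rebinds an IP address (typically the gateway) to a different MAC in the victims' ARP caches. From the defender's side this leaves a simple trace: one IP is claimed by two different MACs within a short time. The following script is an added example written for this README, not code from the original study; it parses a constructed, `tshark`-style text dump of ARP traffic (the sample lines and MAC addresses are made up) and raises an alert for every IP-to-MAC rebinding it sees. The optional `trusted` table is an assumption of this example, meant to be seeded with the known gateway binding.

```python
"""Flag IP->MAC rebindings in a text dump of ARP traffic (added example)."""
import re
from collections import namedtuple
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample lines approximating `tshark -Y arp` text output.
# Line 1 is a request and is ignored; the last two lines show a second host
# suddenly claiming both the gateway (192.168.0.1) and the phone (192.168.0.10).
SAMPLE_LOG = """\
1.000 aa:bb:cc:00:00:01 -> ff:ff:ff:ff:ff:ff ARP Who has 192.168.0.10? Tell 192.168.0.1
1.002 de:ad:be:ef:00:10 -> aa:bb:cc:00:00:01 ARP 192.168.0.10 is at de:ad:be:ef:00:10
5.100 aa:bb:cc:00:00:01 -> de:ad:be:ef:00:10 ARP 192.168.0.1 is at aa:bb:cc:00:00:01
9.250 11:22:33:44:55:66 -> de:ad:be:ef:00:10 ARP 192.168.0.1 is at 11:22:33:44:55:66
9.251 11:22:33:44:55:66 -> aa:bb:cc:00:00:01 ARP 192.168.0.10 is at 11:22:33:44:55:66
"""

# Only ARP replies ("X is at MAC") carry a binding; requests are skipped.
REPLY_RE = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?P<src>[0-9a-f:]{17})\s+->\s+(?P<dst>[0-9a-f:]{17})\s+ARP\s+"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) is at (?P<mac>[0-9a-f:]{17})$"
)

# One alert per observed rebinding: which IP, what we knew, what was claimed, when.
Alert = namedtuple("Alert", "ip first_mac new_mac ts")


def parse_replies(log: str) -> Iterator[Tuple[float, str, str]]:
    """Yield (timestamp, ip, claimed_mac) for each ARP reply line in the dump."""
    for line in log.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            yield float(m["ts"]), m["ip"], m["mac"]


def detect_ip_mac_conflicts(log: str, trusted: Optional[Dict[str, str]] = None) -> List[Alert]:
    """Return an Alert whenever an IP is claimed by a MAC that differs from the
    binding seen earlier in the dump (or from the `trusted` static table, an
    assumed IP->MAC map such as the known gateway address)."""
    bindings: Dict[str, str] = dict(trusted or {})
    alerts: List[Alert] = []
    for ts, ip, mac in parse_replies(log):
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac          # first time we see this IP: learn it
        elif known != mac:
            alerts.append(Alert(ip, known, mac, ts))  # rebinding: possible spoofing
    return alerts


if __name__ == "__main__":
    for a in detect_ip_mac_conflicts(SAMPLE_LOG, trusted={"192.168.0.1": "aa:bb:cc:00:00:01"}):
        print(f"t={a.ts}: {a.ip} moved from {a.first_mac} to {a.new_mac}")
```

On a real network the same check belongs in a tool such as arpwatch or a switch's dynamic ARP inspection; the value of the script is to show how little evidence the attack leaves and how easily a LAN monitor can pick it up.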
Inside each month folder you can use:

```sh
$ gpg -q --batch --passphrase `echo GoogleBotPleaseDont` -o <apk_name> -d <apk_name>.gpg
```

Example:

```sh
$ cd collects/09-december2019/apks
$ gpg -q --batch --passphrase `echo GoogleBotPleaseDont` -o BB_br.com.bb.android.apk -d BB_br.com.bb.android.apk.gpg
```
All apps are in original form without any modification and they are here for academic purposes only. Please do not distribute