Security analysis of eight Brazilian mobile banking applications in the Android platform
rafajunio/sec-banks-br
Security Analysis of Brazilian Banking on Android

We present a security analysis of eight Brazilian mobile banking applications on the Android platform, spanning more than 4 years. The scope covers the security of the application itself, the server configuration, and the connection between app and server. We show that impersonation attacks were possible against most of the banks, allowing an attacker on the same local network to obtain sensitive data.

The analyzed banks

  • Banco do Brasil
  • Bradesco
  • Caixa Econômica Federal
  • Citibank
  • HSBC
  • Itaú Unibanco
  • Nubank
  • Santander

Tools used

Our attack environment assumes an Android smartphone connected to a wireless local network on which a malicious computer is also present. We use the following tools:

| Tool | Description |
| --- | --- |
| Wireshark | Network protocol analyzer. |
| APK Downloader | Downloads APK files from the Play Store to a PC. |
| dex2jar | Converts Android .dex files to Java .class files. |
| JD-GUI | Standalone graphical utility that displays the Java source code of .class files. |
| arpspoof | A dsniff tool that performs ARP spoofing. |
| OpenSSL | A robust, commercial-grade, full-featured toolkit for the TLS and SSL protocols. |
| SSLsplit | Transparent SSL/TLS interception. |
| Qualys SSL Labs | A collection of documents, tools, and thoughts related to SSL, including an online server configuration test. |

Command line to decrypt the archived APK files on Linux:

The APKs are stored GPG-encrypted under each collection month folder. The passphrase is fixed and is part of the command, so the encryption only keeps the binaries out of search indexes; it is not a secret. Inside each month folder you can use:

```sh
$ gpg -q --batch --passphrase `echo GoogleBotPleaseDont` -o <apk_name> -d <apk_name>.gpg
```

Example:

```sh
$ cd collects/09-december2019/apks
$ gpg -q --batch --passphrase `echo GoogleBotPleaseDont` -o BB_br.com.bb.android.apk -d BB_br.com.bb.android.apk.gpg
```
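Decrypting a whole month folder by hand is error-prone, and a decrypted file that is not actually an APK would silently break the dex2jar/JD-GUI steps that follow. The script below is an added example, not part of the rafajunio/sec-banks-br repository: it wraps the README's gpg command in a loop over `collects/<month>/apks/*.apk.gpg`, checks that each output is a ZIP carrying the entries every APK must have (`AndroidManifest.xml` and `classes.dex`), and records a SHA-256 per file so later analysis refers to a fixed artifact. It assumes `gpg` is on PATH; the folder layout is taken from the README example, and the passphrase is the one the README publishes.

```python
"""Decrypt the archived APKs for one collection month and sanity-check them.

Added example (not code from the sec-banks-br repository). Assumes `gpg` is on
PATH and the README's layout collects/<month>/apks/<name>.apk.gpg.
"""
import hashlib
import pathlib
import subprocess
import sys
import zipfile

# Fixed passphrase published in the README; it is not a secret.
PASSPHRASE = "GoogleBotPleaseDont"
# Every valid APK is a ZIP containing at least these two entries.
REQUIRED_ENTRIES = ("AndroidManifest.xml", "classes.dex")


def gpg_decrypt_cmd(encrypted: pathlib.Path, output: pathlib.Path) -> list[str]:
    """Build the README's gpg invocation as an argv list.

    No shell is involved, so the passphrase is passed directly instead of via
    the backtick substitution the README shows.
    """
    return ["gpg", "-q", "--batch", "--passphrase", PASSPHRASE,
            "-o", str(output), "-d", str(encrypted)]


def looks_like_apk(path: pathlib.Path) -> bool:
    """True if `path` is a ZIP that carries the entries every APK must have."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
    return all(entry in names for entry in REQUIRED_ENTRIES)


def sha256_of(path: pathlib.Path) -> str:
    """Hex SHA-256 of a file, streamed so large APKs are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def decrypt_month(month_dir: pathlib.Path) -> dict[str, str]:
    """Decrypt every *.apk.gpg under <month_dir>/apks.

    Returns {apk_file_name: sha256}. Already-decrypted files are reused, and
    outputs that fail the APK check are removed so they cannot be analyzed by
    mistake.
    """
    results: dict[str, str] = {}
    for enc in sorted((month_dir / "apks").glob("*.apk.gpg")):
        out = enc.with_suffix("")  # strips only the trailing ".gpg"
        if not out.exists():
            subprocess.run(gpg_decrypt_cmd(enc, out), check=True)
        if looks_like_apk(out):
            results[out.name] = sha256_of(out)
        else:
            print(f"not an APK, discarding: {out}", file=sys.stderr)
            out.unlink()
    return results


if __name__ == "__main__":
    # Usage: python decrypt_month.py collects/09-december2019
    for name, digest in decrypt_month(pathlib.Path(sys.argv[1])).items():
        print(f"{digest}  {name}")
```

Run it once per month folder before reverse engineering; the printed `sha256  name` lines can be kept next to the analysis notes so that a dex2jar or JD-GUI finding is tied to one specific build.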

Disclaimer

All apps are in their original form, without any modification, and are provided here for academic purposes only. Please do not redistribute them.
