Security analysis of MitID and other mobile apps
The effort started with a security analysis of major Brazilian banking applications in the Android platform. It considered the SSL/TLS configuration (supported standards, algorithms, and other settings) at the server-side and public key certificate validation performed on the client-side. We discovered that six out of the seven major Brazilian banks did not appropriately protect against man-in-the-middle attacks, making it possible for an attacker in control of the communication infrastructure to collect authentication credentials and sensitive financial information.
Vulnerabilities were disclosed to the interested parties in May 2015, following standard industry practice, and the findings received coverage in Brazilian news. After that, the effort continued beyond the initial disclosure by monitoring security issues in these apps every six months, concluding that security posture oscillates quite a bit as mobile apps receive interface overhauls and new features frequently. These results produced a technical report, which was novel in conducting such an extensive security analysis over a significant amount of time (4 years).
In the last few years, the project has been expanded and adapted the prototype approach for the courses taught in Network and Systems Security. The result is a quick training guide using industry-standard tools for students to conduct security analysis that considers aspects of software security, network communication, authentication mechanisms, and privacy. Around 50 Android applications (mainly from Denmark) have been analyzed using this methodology, which surfaced numerous vulnerabilities in the insecure deployment of cryptography and API design, weak authentication workflows, and session management. In several cases, the vulnerabilities were critical enough to warrant extremely careful disclosure to the interested parties using secure means.
A remarkably successful example that illustrates the effort was the detection of vulnerabilities related to inadequate information disclosure, social engineering threats, and Denial of Service attacks during the deployment of the new MitID system.