Tuesday, January 20, 2015

(CVE-2015-1314) USAA mobile app gives away your account numbers and balances

If you use the USAA Mobile Banking app for Android, take a moment to ensure it automatically updated to version 7.10.1, released January 19.

USAA typically shines when it comes to security. A considerable proportion of their membership are active duty military and their families - a clientele that certain malicious actors might find great value in distracting from their sworn duties. Financial fraud can be a very effective distraction, and USAA is well aware of this. Generally they do a great job in both providing members with advanced security features as well as education.


Even the best make mistakes though. In using the app recently, I noticed something unusual: at times I would launch the app and briefly see private information before I was prompted to log in.


Security and usability are a constant balancing act - the cost of 100% perfect security is generally a completely unusable product. The goal should always be security that is good enough relative to the value of the thing being secured. This being a mobile banking app, the bar is a bit higher than it might be for less sensitive services, but there still must be a balance.

In that vein, the developers of this app give users a fair bit of control over how to access bank information. USAA was one of the first banks to embrace true two-factor authentication (i.e. a login option that requires more than just a password). If 2FA is enabled, the mobile app uses an additional authenticating factor as part of its installation and configuration, but once installed there is the option to trust the device. From then on only a password or a PIN is required to access USAA banking data (use a password- or biometric-protected lockscreen if you choose this option!).


Smartphones are by design interrupt-driven devices - their primary purpose is (or at least used to be) communication. As a developer, it is completely expected that a person might be using your app, and be interrupted by a phone call, or an SMS message, or any number of other notifications, and leave your app to do something else. USAA handles this by giving the user a choice - you can elect to log in every time you switch back to the banking app, or to stay logged in for a period of time. In the latter case, the app would log you off after 20 minutes, instead of immediately.


And that's where today's flaw arises.


Versions of the USAA mobile banking app for Android prior to 7.10.1 contain a sequencing flaw in which the app displays the last-viewed screen before prompting the user to log in. If that last screen contained sensitive information, such as account numbers and balances, it becomes possible for someone to obtain this information without authorization. Whether it was 20 minutes later or a week later, launching the USAA mobile app would show the following briefly before requiring a password or PIN:


The USAA mobile banking app for Android would display the last-viewed screen, which could include bank account numbers and balances, before prompting the user to log in.

I would not consider this a severe risk. It cannot be exploited by a remote attacker - it requires physical access to the mobile device. It also requires that the attacker is able to log in to the Android device. Of course, if you neglect to put a password, PIN, or biometric (fingerprint / finger-swipe) control on your phone, that is no comfort. Then again, if you neglect to put a password on your device, everything on your phone is at risk if your phone is stolen or lost. I have not found it possible to take action without authenticating - the banking app screen is shown for perhaps a second or two before a login prompt appears. Nonetheless, it is an unauthenticated information disclosure issue with the app.


Kudos to USAA for quickly fixing this issue. With the 7.10.1 version, instead of seeing a screen full of personal information, the following appears first; upon clicking a menu option that would display sensitive information, the login screen appears before any data is displayed:


With the fixed version, the app goes straight to a menu, showing no personal information, and requires the user to log in before displaying any sensitive data.
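The fix amounts to reordering the Activity lifecycle so that the session check runs before any account data is bound to the screen. The following is an added illustration, not USAA's code: the layout and view ids (`R.layout.account_summary`, `R.id.account_details`), `LoginActivity`, `AccountRepository` and the `Session` helper are all assumed names.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.os.SystemClock;
import android.widget.TextView;

public class AccountSummaryActivity extends Activity {
    // The app's "stay logged in" window described above: 20 minutes.
    private static final long SESSION_TIMEOUT_MS = 20 * 60 * 1000L;
    private TextView accountView;

    /** Assumed in-memory session clock. elapsedRealtime() keeps counting through deep sleep,
     *  so "a week later" is correctly treated as expired; a restarted process starts at 0,
     *  i.e. no session, which fails closed. */
    static final class Session {
        private static long lastActiveMs = 0;
        static boolean isValid(long timeoutMs) {
            return lastActiveMs != 0 && SystemClock.elapsedRealtime() - lastActiveMs < timeoutMs;
        }
        static void touch() { lastActiveMs = SystemClock.elapsedRealtime(); }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // The pre-7.10.1 ordering, as the post describes it, populated the last-viewed screen here
        // and only afterwards asked for the password or PIN, so data was visible for a moment.
        // Hardened ordering: inflate a layout whose account fields are empty placeholders, and
        // bind nothing sensitive until the check in onResume() passes.
        setContentView(R.layout.account_summary);
        accountView = (TextView) findViewById(R.id.account_details);
    }

    @Override
    protected void onResume() {
        super.onResume();
        if (!Session.isValid(SESSION_TIMEOUT_MS)) {
            // Expired or never established: go to login before any data reaches the screen.
            accountView.setText("");
            startActivity(new Intent(this, LoginActivity.class));
            finish();
            return;
        }
        Session.touch();
        accountView.setText(AccountRepository.summaryFor(this)); // bound only after the check
    }

    @Override
    protected void onPause() {
        super.onPause();
        // Clear the sensitive text when leaving the foreground, so a stale screen is never the
        // first thing drawn when the activity is brought back or recreated.
        accountView.setText("");
    }
}
```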

Timeline:

  • December 30, 2014 - alerted USAA customer service. Received acknowledgement that my finding had been "submitted to the appropriate group for further review" about 2 hours later.
  • January 19, 2015 - USAA releases version 7.10.1, with only "bug fixes" mentioned in the release notes.
  • January 22, 2015 - This vulnerability has been assigned the ID CVE-2015-1314.

Coverage on the net:

Update, April 1, 2015: Unfortunately, version 7.12.2 of the Android app appears to have re-introduced this flaw. I have again reported it to USAA and hope for a quick fix.