Dissecting iMobile – Security Analysis of ICICI Mobile Banking App

September 27th, 2008

ICICI Bank’s iMobile website has some of the worst server side validations ever, which is what prompted me to download the mobile app’s JAR file, study it in detail and write this post. According to the website, until the Reserve Bank of India comes out with mobile banking guidelines and approves it, mobile banking is supposed to be halted. Technically, it means that, all existing users shouldn’t be able to use the service what-so-ever and new user signups should be prevented & a notification stating that they should retry later should be shown.

Therefore, in this scenario, I shouldn’t have been able to download the app to my mobile device. The website of ICICI fails in not enforcing this by providing the following ways:

  1. Existing users who have already installed the app are given an option to ‘Upgrade’ from within the mobile app itself. This opens up a webpage in the phone’s native browser, whose URL is http://mobile.icicibank.com/upgrade?version=null.
  2. The actual iMobile website has some stupid javascript validation, which is very easy to bypass using modern browsers. Heck, just by browsing the HTML source code of the page, you will be able to easily find the URL for the application JAR files. Put 2 and 2 together and you will be able to download the app.

Which brings me to explain Step 2 in detail:

On any browser, go to View->Source. This will display the source code of the rendered HTML page. Notice the first <script> tag. It contains many functions & the most important functions to us are “submitForm” and “displayOption”. The line of interest in submitForm method is document.jump1.action="https://infinity.icicibank.co.in/web/apps/"+fileName;. That line pretty much gives away everything. All you have to do is, navigate to the above mentioned URL and append a filename to it for download.

What filename do you have to give and How?

That’s where our displayOption function is very useful. That function contains a set of simple If-Else conditional statements, which have the respective filenames. For e.g. if you want to download “M20P1520ALL1.jar”, then just append it to the URL & access it using the address bar. Therefore, the URL becomes https://infinity.icicibank.co.in/web/apps/M20P1520ALL1.jar 🙂 Being a JAR file, most browsers will display a “Save As” dialog box. Now, just download the file and transfer it to your mobile. The application is fairly straight forward.

Where ICICI Bank failed?

  1. They should have disabled the link mentioned in #1 above and replaced it with some text that says, “RBI mobile banking guidelines blah blah…”. But some clever users will bookmark the link to the JAR file and try to access the JAR file by bypassing the link itself. When they do that, the web server should return a “404 – Resource Not Found” error. Got it? Implementing this is pretty simple.
  2. There shouldn’t have been such a lot of useless javascript on the page. Firstly, they should have removed the device selection drop down box. Secondly, they should have replaced this page with an alternative. Thirdly, this mobile banking link should have been removed in the home page itself. Fourthly, they should have validated on the server for JAR file downloads and should have displayed the “404 – Resource Not Found” error page.
  3. Ok. Leave aside #1 and #2. At least the mobile app should have thrown soft errors when users try to access mobile banking from the JavaME app. Any bank would store all activity data for a certain period of time. So when you access the bank’s service from a mobile device, the server software surely knows about it, which means, the server software should have returned errors to the user instead of allowing the user to do transactions.
  4. There’s one more bug in the app itself. When you launch the app, it will prompt you to sync the data on the device to its servers for faster access the next time. When you click “OK” to synchronize, it will wait for a few minutes and show a message as, “There is no data to synchronize”. When you proceed further and try to access your info, it will again prompt you to sync the data. That’s frustrating. Either you should sync the data properly or you should access the server every time over a secure channel. As simple as that. That’s not followed too.
For me, all these things imply only thing. ICICI wants the existing users to continue using the app, thereby disobeying RBI’s orders or they are having some really bad programmers who don’t know the stuff they are doing. At a time when people fear about Google tracking their internet usage, this is MY/YOUR FINANCIAL INFORMATION, which is at risk Right?

That was a long post already 🙂 We still have some more to go. Lets take a break.

Tea Break Image Credits

Back? Ok 😀 Now, lets dissect the actual JAR file and look into the technical details of its implementation.

The Manifest File:

Rename the .JAR extension to .ZIP extension and extract it to your favourite folder. Open the “META-INF” folder and open the “MANIFEST.MF” file in a text editor. As you will note, it contains lots of very valuable information, especially the socket URLs of various mobile service providers. User agent is also very interesting. When sending HTTP requests through the application, it uses that property for setting the “user-agent” HTTP header. They also have debug strings enabled, which means by snoping around using a good file manager for your mobile, you will be able to get technical errors! thereby, letting us know how the app works itself, what requests it sends, its behaviour etc.

Another important item is, “MIDlet-Name” property in the manifest. This property determines what name the user sees after he installs the app on his mobile. Using the same name, when future upgrades are made available, the app is just replaced in place of the old one, which means, if you modify the “MIDlet-Name” property and install the app again, you will have 2 copies of the same app. THIS SHOULD NEVER BE ALLOWED FOR A HIGHLY CRITICAL FINANCIAL APPLICATION. Isn’t it? As an example, try changing the MIDlet-Name of the Yahoo! Go JAR file and try to install the app again on your mobile. My E51 shows an “Invalid JAR” error message because of MD5 sum checks etc.

Some more Holes:

Now, move back to the folder where the JAR file has been extracted. It contains a bunch of .class files. Pass it through a decompiler. You will get “perfect” java source code files. The code looks obfuscated. But its not obfuscated enough. Anybody will be able to make good sense from the source code. All the URLs, all the used strings and everything else will be clearly visible. By using the app on your mobile side-by-side, you will be easily able to go through the source code. All in all, I wouldn’t use this app anymore until the security measures are tighter.

What should the bank do here?

  1. Shouldn’t allow the installation of 2 apps of the same JAR with different names. Take this example of the Yahoo! Go JAR file.
  2. I guess these mobile providers’ socket URLs are used for a one time basis to send verification SMS. If that be the case, they shouldn’t be present in the manifest file for a variety of reasons that I won’t discuss here.
  3. There’s an interesting property named “WSCDomainName” in the manifest file. I guess it expands to “Web Service Client Domain Name”, though I’m not sure about it. Suggestion: Encrypt the name value pairs.
  4. Most importantly, sign the application using the Java Signed program. C’mon, users are doing financial transactions and a signed app will increase their confidence of using this application.

Suggestion for Users:

Users should install these kinds of apps on their mobile’s inbuilt memory, instead of the memory card. That is, when you connect your phone to the PC in thumb drive mode, all the RMS file stores for the mobile app are clearly visible. There are many decoders available on the internet that can read content from the RMS file stores. When you store this app on your mobile’s inbuilt memory, you can’t read those stores directly and there are a number of checks in place, that prevent reading it.

Thats about it !

Of course, this blog post can’t be termed as a full fledged security analysis. But most of what has been ignored by the bank are mere basics. They must have more secure systems in place.

If you liked this article, kindly do me a favour by digging it. Thanks for your time.

Posted by Aswin Anand Filed in mobile, mobility, techblog, Technology
19 Comments »

19 Responses to “Dissecting iMobile – Security Analysis of ICICI Mobile Banking App”

  1. CSK Says:
    September 28th, 2008 at 9:13 am

    Hi,

    Great analysis.

    You mentioned above that ICICI bank allows transactions (#3 under Where ICICI bank failed?). What transaction did you try? Did you transfer any funds? I am not sure if the app has this functionality, but did you change any personal information like email, phone, etc?
    As long as they restrict these things they are following the guidelines. Allowing the download does not violate the guidelines, I would guess.

    Your analysis of security is interesting but some of the items are hard to address too. For ex,
    1. is there a way to force the app to install only in phone memory?
    2. signing the app would further reduce the number of devices it is going to work on. Moreover, very few apps in the industry today are signed. mchek, ngpay & kotak’s app are not signed either. What’s the incentive for signing the app when you are looking to broaden the user base.

  2. Aswin Anand Says:
    September 28th, 2008 at 6:50 pm

    @CSK:

    Thanks for reading through the post. To answer your questions:

    I tried sending money to one of my friends from the mobile app and it worked perfectly. It didn’t show any signs of getting disabled. Most client-server applications should be controlled by the server and not vice-versa. The server should have all means to reject a request. But in this case, the server capabilities are just not being utilized to its maximum extent.

    There is no way to force an app to install in phone memory automatically. But almost all modern phones gives that option to users when they install the app. So, users can select the app to be installed in their phone memory.

    Signing the app will not reduce the number of devices. It means that the software is ready for full-fledged production use and that it has been verified by an authorized third party. In this case, its Sun Microsystems, the creators of Java ME.

    The point that very few apps are signed doesn’t mean ICICI shouldn’t sign its app. For critical apps such as these, banks should take that extra step to sign the apps.

  3. CSK Says:
    September 28th, 2008 at 9:22 pm

    It’s a surprise if ICICI allows transactions from the mobile app today. I dont know if they are violating the RBI instructions.

    Regarding signing, note that not every device supports them as they may not have the CA cert to verify the app. For example, a LG phone of my friend doesnt run any signed apps. Motorola phones require that you sign only using their cert. That’s why people provide an unsigned version of their app along with their signed version.

  4. teraom Says:
    September 28th, 2008 at 11:08 pm

    That was a brilliant analysis da, almost a complete hack i would say.
    All this should never have happened, if they did not give away the jar file.

    hope some icici bak guys are tracking this and may hire you as a security expert, sure they do need one!!

    Using mobile applications for financial stuffs may look like saving time and handy, but it poses a big threat to security itself.

    May be you should drop them an email explaining the issue, give them the solution and demand a fat check!!

    Appreciate this post da machan!

  5. Aswin Anand Says:
    September 29th, 2008 at 2:13 am

    CSK, I agree with you here. Both signed and non-signed versions should be made available. But in this case, there is *no* signed app.

  6. Aswin Anand Says:
    September 29th, 2008 at 2:16 am

    @teraom: heheh! thanks 🙂

  7. Yuvaraj Says:
    September 29th, 2008 at 12:59 pm

    Wonderful analysis machi…

    gr8 efforts….keep it up…

  8. Waves » Blog Archive » Microsoft TechVista Says:
    October 2nd, 2008 at 5:19 pm

    […] about program obfuscation and one-time programs. I could related to this talk because of my very recent experiment and paid full attention to this talk. I was smiling when one of her slides contained the last […]

  9. Kannan Kesavan Says:
    October 31st, 2008 at 6:02 pm

    Great Analysis !!!

  10. Murali Says:
    November 1st, 2008 at 6:43 am

    Oh i guess all the links are brought down now. None of the jar files can be downloaded.

    And for the record, i was an existing iMobile user, and had upgrade my WinMo firmware…

  11. Aswin Anand Says:
    November 1st, 2008 at 9:11 am

    @Kannan: Thanks for visiting my site. Please keep visiting 🙂

    @Murali: That’s cool but I haven’t checked the links though. So ICICI is listening 😀

  12. Abdulraheem Says:
    December 16th, 2008 at 1:57 pm

    http://www.mobile.icicibank.com

  13. senthil Says:
    January 20th, 2009 at 11:22 pm

    Hi there ashwin , it was a nice post ,though am not a techie guy to understand clearly what you are pointing out. I can undertand that not safe to do bank transactions on mobile phones yet in India since RBi has not clarified its rules regarding that.

    My personal choice I prefer the olden days method ( goin in person – its ur hard earned money) . I only use ATM very rarely Net banking

  14. Ramesh Says:
    April 4th, 2009 at 8:59 am

    Hi aswin
    It is very nice to read the loopholes in the IMobile applications. But I find that you had a narrow focus and failed to explain what these loopholes are supposed to harm mobile users. You were talking more about RBI rules and the need to remove the application from the ICICI site. Nothing else? Obviously you are not trying to dissuade mobile users from using this application. If this application is installed on phone memory, would there be no security breaches by hackers?

    Anyway, the reason why I have searched for info on IMobile is that when I am trying to down load Imobile onto my computer, it is giving a zip file. I was expecting a jar file so that my nokia could automatically install imobile when I copied it from my computer. If you can please explain me how to install the zip file into my nokia n95 8gb, I would greatly appreciate it.

    Recently I have downloaded HDFC Bank mobile application developed by third party. Although, it has all the features of IMoble, the interface is highly low rateed! Besides it appears to me always that there is the third party(ngpay) doing this service to me. The Imobile interface I have seen on another mobile looked extremely professional. I wish you have a look at it too.

  15. exi Says:
    June 8th, 2009 at 9:03 pm

    thanks to info, so i will try and so sukses

  16. Manoj Says:
    August 7th, 2009 at 7:08 pm

    Hi Aswin

    Its d same with me as Senthil above, am too not a computer guy. However, from whatever i could understand, the analysis sounded just superb. Anyway, macha, the imobile application now comes through a zip file and whenever i tried installing it gives a ‘corrupt file’ message. Could you please explain how to install the zip file / the latest imobile application into my Nokia E63. I would appreciate an early reply, as we are restricted from using net while in office and this application would save me lot of rounds of the bank

  17. Aswin Anand Says:
    August 8th, 2009 at 7:00 pm

    Hey Manoj,

    There are 2 ways you could do:
    a) First extract the zip file and see if there’s a jar file inside. If so, install that jar on your mobile. (or)
    b) Rename the zip file to jar. E.g. Rename abc.zip to abc.jar and try installing that on your mobile.

  18. Manoj Says:
    August 9th, 2009 at 1:31 pm

    Hi Aswin,
    Thanks for the quickest response, am not able to identify the .jar file inside nor renaming the zip filing to .jar is working. am frustrated……..

  19. sandy Says:
    March 8th, 2010 at 6:28 pm

    Hai ppl…
    I dowloaded and installed the i mobile app.
    but cant type any thing in the activation window..im using a nokika e63..
    please help…