Making Sure that Critical Operations Use Secure Communication Channels (MSTG-NETWORK-5)

Overview

For sensitive applications like banking apps, OWASP MASVS introduces “Defense in Depth” verification levels. The critical operations (e.g., user enrollment and account recovery) of such applications are some of the most attractive targets for attackers. This requires the implementation of advanced security controls, such as additional channels to confirm user actions without relying on SMS or email.

Note that using SMS as an additional factor for critical operations is not recommended. Attacks like SIM swap scams have been used in many cases against Instagram accounts, cryptocurrency exchanges and, of course, financial institutions to bypass SMS verification. SIM swapping is a legitimate service offered by many carriers to switch your mobile number to a new SIM card. If an attacker manages either to convince the carrier or to recruit retail workers at mobile shops to perform a SIM swap, the mobile number is transferred to a SIM the attacker owns. As a result, the attacker receives all SMS messages and voice calls without the victim knowing it.

There are different ways to protect your SIM card, but this level of security maturity and awareness cannot be expected from a normal user and is also not enforced by the carriers.

Email should also not be considered a secure communication channel. Email encryption is usually not offered by service providers and, even when available, is not used by the average user, so the confidentiality of data sent by email cannot be guaranteed. Spoofing, (spear|dynamite) phishing and spamming are additional ways to trick users by abusing email.

Therefore, other secure communication channels should be considered besides SMS and email.

Static Analysis

Review the code and identify the parts that refer to critical operations. Make sure that additional channels are used for such operations. The following are examples of additional verification channels:

• Token (e.g., RSA token, YubiKey),

• Push notification (e.g., Google Prompt),

• Data from another website you have visited or scanned (e.g. QR code) or

• Data from a physical letter or physical entry point (e.g., data you receive only after signing a document at a bank).

Make sure that critical operations enforce the use of at least one additional channel to confirm user actions. These channels must not be bypassed when executing critical operations. If you’re going to implement an additional factor to verify the user’s identity, consider also one-time passcodes (OTP) via Google Authenticator.

Dynamic Analysis

Identify all of the tested application’s critical operations (e.g., user enrollment, account recovery, and financial transactions). Ensure that each critical operation requires at least one additional verification channel. Make sure that directly calling the function doesn’t bypass the usage of these channels.
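The enforcement that the static and dynamic analysis sections ask the tester to check, as an added example that is not part of the MSTG: a server-side model in which a critical operation executes only after the server itself has recorded a fresh, single-use confirmation bound to that exact operation, obtained through a second channel (here a TOTP code per RFC 6238, the scheme Google Authenticator implements). Calling the operation directly, or presenting a confirmation for different parameters, fails. The class and method names and the RFC 6238 test-vector secret are assumptions constructed for this example.

```python
import hashlib
import hmac
import struct
import time


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator implements."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class CriticalOperationService:
    """Hypothetical server-side model: a critical operation executes only if the
    server itself holds a fresh, single-use confirmation bound to that exact
    operation. Nothing the client sends (no "verified=true" flag) replaces it."""

    CONFIRM_TTL = 300  # seconds a recorded confirmation stays valid

    def __init__(self, otp_secrets):
        self.otp_secrets = otp_secrets   # user -> OTP secret enrolled out of band
        self.confirmations = {}          # (user, operation, params) -> expiry time
        self.used_codes = set()          # (user, code) replay protection (never expired here; kept simple)

    def confirm(self, user, operation, params, code, now=None):
        """Second-channel step: the user enters the code shown by the authenticator app."""
        now = int(time.time()) if now is None else now
        secret = self.otp_secrets[user]
        # Accept the current and the previous time step to tolerate clock drift.
        valid = any(hmac.compare_digest(code, totp(secret, now - drift)) for drift in (0, 30))
        if not valid or (user, code) in self.used_codes:
            return False
        self.used_codes.add((user, code))
        # Bind the confirmation to the operation AND its parameters, so a confirmation
        # for one transfer cannot be reused for a different amount or recipient.
        self.confirmations[(user, operation, params)] = now + self.CONFIRM_TTL
        return True

    def execute(self, user, operation, params, now=None):
        """The critical operation itself. Calling it directly, skipping confirm(), fails."""
        now = int(time.time()) if now is None else now
        expiry = self.confirmations.pop((user, operation, params), None)  # single use
        if expiry is None or now > expiry:
            raise PermissionError("second-channel confirmation required")
        return f"{operation} for {user} executed with {params}"
```

During dynamic analysis the equivalent test is to invoke the operation endpoint without completing the confirmation step and to reuse a confirmation for a modified request; both must be rejected.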

References

OWASP MASVS

• MSTG-NETWORK-1: “Data is encrypted on the network using TLS. The secure channel is used consistently throughout the app.”

• MSTG-NETWORK-2: “The TLS settings are in line with current best practices, or as close as possible if the mobile operating system does not support the recommended standards.”

• MSTG-NETWORK-5: “The app doesn’t rely on a single insecure communication channel (email or SMS) for critical operations, such as enrollments and account recovery.”

Android

• Android supported Cipher suites - https://developer.android.com/reference/javax/net/ssl/SSLSocket#Cipher%20suites

• Android documentation: Android 10 Changes - https://developer.android.com/about/versions/10/behavior-changes-all

iOS

• iOS supported Cipher suites - https://developer.apple.com/documentation/security/1550981-sslciphersuitevalues?language=objc

IANA Transport Layer Security (TLS) Parameters

• TLS Cipher Suites - https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

OWASP TLS Cipher String Cheat Sheet

• Recommendations for a cipher string - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/TLSCipherStringCheatSheet.md

SIM Swapping attacks

• The SIM Hijackers - https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin

• SIM swapping: how the mobile security feature can lead to a hacked bank account - https://www.fintechnews.org/sim-swapping-how-the-mobile-security-feature-can-lead-to-a-hacked-bank-account/

NIST

• FIPS PUB 186 - Digital Signature Standard (DSS)

SIM Swap Fraud

• How to protect yourself against a SIM swap attack - https://www.wired.com/story/sim-swap-attack-defend-phone/

IETF

• RFC 6176 - https://tools.ietf.org/html/rfc6176

• RFC 6101 - https://tools.ietf.org/html/rfc6101

• RFC 2246 - https://www.ietf.org/rfc/rfc2246

• RFC 4346 - https://tools.ietf.org/html/rfc4346

• RFC 5246 - https://tools.ietf.org/html/rfc5246

• RFC 8446 - https://tools.ietf.org/html/rfc8446

• RFC 6979 - https://tools.ietf.org/html/rfc6979

• RFC 8017 - https://tools.ietf.org/html/rfc8017

• RFC 2631 - https://tools.ietf.org/html/rfc2631

• RFC 7919 - https://tools.ietf.org/html/rfc7919

• RFC 4492 - https://tools.ietf.org/html/rfc4492

• RFC 4279 - https://tools.ietf.org/html/rfc4279

• RFC 8422 - https://tools.ietf.org/html/rfc8422

• RFC 5489 - https://tools.ietf.org/html/rfc5489

• RFC 4772 - https://tools.ietf.org/html/rfc4772

• RFC 1829 - https://tools.ietf.org/html/rfc1829

• RFC 2420 - https://tools.ietf.org/html/rfc2420

• RFC 3268 - https://tools.ietf.org/html/rfc3268

• RFC 5288 - https://tools.ietf.org/html/rfc5288

• RFC 7465 - https://tools.ietf.org/html/rfc7465

• RFC 7905 - https://tools.ietf.org/html/rfc7905

• RFC 7539 - https://tools.ietf.org/html/rfc7539

• RFC 6151 - https://tools.ietf.org/html/rfc6151

• RFC 6234 - https://tools.ietf.org/html/rfc6234

• RFC 8447 - https://tools.ietf.org/html/rfc8447#section-8