[tor-talk] Tesco's mobile banking app refuses to run on handsets where the Tor app is also installed

Ben ben at gerbil.it
Sat Jun 18 22:21:37 UTC 2016


All in the name of security apparently.

Their approach to security on their site, on the other hand, is to
simply slap a cert on it and not bother with HSTS, HPKP or DANE. They've
not even bothered with DNSSEC, and from the comments on that article
don't seem to care if your connection transits the Tor network so long
as it's via something on the network rather than a locally installed
app.

The app at least verifies the certificate it's presented, but relies on
the device's trust store, so if you can get a certificate from any of the
_many_ CAs a handset trusts, MiTM is as simple as redirecting DNS to your
server and telling Nginx to listen on port 443, proxy to localhost 80 and
then to proxy upstream on 443.

And with a quick TCPDump you can start extracting credentials and other
exciting things.

GET /broker/api/users/ids/7654321duh HTTP/1.0
Host: mob.tescobank.com
Connection: close
X-ClientAppVersion: 1.7.0
X-AvlHeight: 1920
X-InternalIP: 10.0.0.9
X-DeviceID: [Redacted]
X-Timezone: Greenwich Mean Time
X-Language: English
X-Jailbroken: N
X-FullWidth: 1080
X-Mac: [redacted MAC address]
X-OSName: Android
X-Credential: MobWord
X-AvlWidth: 1080
X-FullHeight: 1920
X-OSVersion: 4.4.2
X-DeviceType: GT-I9505
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; GT-I9505
Build/KOT49H)
Accept-Encoding: gzip

Almost like having Orbot installed isn't their biggest
problem.............

Also, the check for whether a device is rooted is obviously faulty - the
phone I tested from is very definitely rooted. DNS for mob.tescobank.com
resolving to an IP on the same subnet as my phone should probably be a
concern too.

Given they know who issues their certificates, perhaps they should focus
more on tightening their own security than dropping in checks for other
apps (seems it objects to a number of packet sniffer apps too).
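An added example (not from the post, and not Tesco's code) of the control the post says is missing: pinning the server's key rather than trusting whatever the handset's CA store accepts. `spki_pin` computes an HPKP-style pin, base64 of SHA-256 over the DER SubjectPublicKeyInfo, and `cert_is_pinned` checks it against a shipped set; all names are assumed, and the sample certificate is constructed and structurally minimal, not a real one.

```python
import base64, hashlib

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(contents):
    """Split a constructed value into its raw child TLVs (kept whole for hashing)."""
    out, pos = [], 0
    while pos < len(contents):
        _, _, end = der_read(contents, pos)
        out.append(contents[pos:end])
        pos = end
    return out

def spki_der(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 DER certificate."""
    _, cert, _ = der_read(cert_der)               # Certificate SEQUENCE
    _, tbs, _ = der_read(cert)                    # tbsCertificate SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                      # optional explicit [0] version
        fields = fields[1:]
    return fields[5]   # serial, sigAlg, issuer, validity, subject, SPKI

def spki_pin(cert_der):
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode()

def cert_is_pinned(cert_der, pins):
    """True only if the server key is one the app ships with; any other CA-issued cert fails."""
    return spki_pin(cert_der) in pins

def der(tag, contents):
    """Minimal DER encoder (contents < 256 bytes) used only to build the constructed sample."""
    n = len(contents)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + length + contents

RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))
def sample_cert(key_bits):
    """Constructed, structurally minimal certificate (not a real one) carrying key_bits."""
    spki = der(0x30, der(0x30, RSA_OID + der(0x05, b"")) + der(0x03, b"\x00" + key_bits))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")   # version, serial
              + der(0x30, b"") * 4 + spki)   # sigAlg, issuer, validity, subject, SPKI
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00")), spki
SAMPLE_CERT, SAMPLE_SPKI = sample_cert(b"\x01" * 32)
ROGUE_CERT, _ = sample_cert(b"\x02" * 32)
```

On a live connection the DER to feed in comes from `ssl.SSLSocket.getpeercert(binary_form=True)`, checked in addition to, not instead of, normal chain validation.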

