CVE-2016-1210 in Bank App
Summary
by MITRE
The 105 BANK app 1.0 and 1.1 for Android and 1.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 09/19/2020
The vulnerability identified as CVE-2016-1210 affects the 105 BANK mobile application across both android and ios platforms, specifically versions 1.0 and 1.1 for android and version 1.0 for ios. This represents a critical security flaw in the application's implementation of secure communication protocols, as it fails to properly validate ssl/tls certificates during network connections. The absence of proper certificate verification creates a significant attack vector that undermines the fundamental security assurances that secure communication protocols are designed to provide. This flaw directly violates established security principles for mobile banking applications where data integrity and authentication are paramount.
The technical implementation flaw stems from the application's failure to perform proper certificate chain validation and hostname verification during ssl handshakes. When an application does not verify x509 certificates, it essentially trusts any certificate presented by a server without ensuring that the certificate is legitimate, properly issued by a trusted authority, and correctly associated with the server being connected to. This vulnerability aligns with CWE-295 which specifically addresses improper certificate validation in secure communications. The flaw allows attackers to perform man-in-the-middle attacks by presenting fraudulent certificates that appear legitimate to the vulnerable application, effectively breaking the ssl/tls encryption layer that should protect sensitive financial data transmission.
The operational impact of this vulnerability is severe for both end users and the financial institution. Mobile banking applications handle highly sensitive information including account numbers, transaction details, authentication credentials, and personal financial data. An attacker exploiting this vulnerability could intercept and modify communications between the mobile application and the bank's servers, potentially gaining access to user accounts, initiating unauthorized transactions, or capturing authentication tokens. This represents a direct threat to the confidentiality and integrity of financial data as outlined in the attack pattern taxonomy under attack technique T1046 for network service scanning and T1566 for credential harvesting through man-in-the-middle attacks.
The security implications extend beyond immediate data theft to include potential long-term damage to user trust and institutional reputation. Financial institutions that deploy vulnerable mobile applications expose themselves to regulatory compliance violations under standards such as pci dss and soc 2, which mandate proper implementation of secure communication protocols. The vulnerability also demonstrates poor security development lifecycle practices, as proper certificate validation should be implemented as a fundamental security control during application development rather than being overlooked in production code. Organizations should implement comprehensive security testing including penetration testing and code reviews to identify such flaws before deployment, and should follow secure coding practices as recommended in owasp mobile security project guidelines for mobile application security.