CVE-2017-9591 in Mobile App
Summary
by MITRE
The "PCB Mobile" by Phelps County Bank app 3.0.2 -- aka pcb-mobile/id436891295 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Analysis
by VulDB Data Team • 10/18/2019
The vulnerability identified as CVE-2017-9591 affects the PCB Mobile banking application version 3.0.2 for iOS, as distributed through the App Store under the identifier pcb-mobile/id436891295. It is a critical flaw in the application's implementation of secure communication: the app fails to validate the SSL/TLS certificates that servers present during encrypted connections. Without X.509 certificate verification, the encrypted channel no longer establishes who is on the other end, which undermines the fundamental security guarantee of TLS between the mobile banking client and its backend servers. The flaw therefore directly affects the integrity and confidentiality that users expect when conducting financial transactions through the app.
Technically, the flaw is a failure of the certificate validation step in the application's secure socket layer implementation. When PCB Mobile connects to a backend server, it does not check that the presented certificate chains to a trusted certificate authority or that it matches the expected server identity. This omission lets an attacker mount a man-in-the-middle attack by presenting a forged certificate that the vulnerable application accepts as legitimate. In effect, the certificate pinning protection that should defend against certificate substitution is absent, leaving users exposed to attacks that compromise the security of their banking sessions.
The operational impact goes beyond simple data interception: an attacker positioned between the user's device and the banking server can transparently read and modify all traffic, potentially obtaining user credentials, account information, transaction details, and other confidential financial data. The risk is heightened on mobile devices, where users routinely connect through unsecured public networks, which widens the attack surface further. The flaw undermines the trust model that mobile banking applications rely on, potentially allowing an attacker to impersonate the legitimate banking service and conduct fraudulent transactions.
This vulnerability corresponds to CWE-295, "Improper Certificate Validation", and to the OWASP Mobile Security Project's M3 category, insecure communication. The attack vector is consistent with ATT&CK technique T1046 for network service scanning and T1566 for spearphishing, with a specific focus on credential access through man-in-the-middle attacks. Organizations should implement certificate pinning, ensure proper certificate validation procedures, and conduct regular security assessments of mobile applications to prevent such flaws from compromising user data and financial security. Remediation requires the application to validate X.509 certificates against trusted certificate authorities and to perform proper certificate chain validation, so that a forged certificate is rejected rather than accepted.
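As an added illustration of the flaw class described above and of the remediation, the following Swift is a constructed example and is not the PCB Mobile app's code or anything published by VulDB or MITRE. It contrasts a URLSession delegate that accepts any server trust (the pattern that produces a CWE-295 finding) with a hardened delegate that first lets the system evaluate the X.509 chain and hostname and then pins the leaf public key. The hostname `example.invalid`, the delegate class names and the pin value are placeholders; the pin is computed over the raw key bytes that `SecKeyCopyExternalRepresentation` returns (PKCS#1 for RSA, X9.63 for EC), not over the SubjectPublicKeyInfo, so the stored value must be computed the same way. `SecTrustCopyCertificateChain` requires iOS 15 or later.

```swift
import Foundation
import Security
import CryptoKit

// VULNERABLE (constructed illustration of the bug class, not the app's real code):
// the delegate wraps whatever trust object the server presents in a credential
// without ever evaluating it, so a forged certificate is accepted.
final class AcceptAnythingDelegate: NSObject, URLSessionDelegate {
    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        if let trust = challenge.protectionSpace.serverTrust {
            // SecTrustEvaluateWithError is never called: no chain, expiry or hostname check.
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

// HARDENED: system X.509 validation against trusted roots plus a public-key pin,
// so a certificate that is CA-signed but not the expected one is also rejected.
final class PinningDelegate: NSObject, URLSessionDelegate {
    // Placeholder (assumption): Base64 SHA-256 of the server key's external representation.
    private let pinnedKeyHashes: Set<String> = ["PLACEHOLDER_BASE64_SHA256_OF_SERVER_PUBLIC_KEY="]
    private let expectedHost = "example.invalid" // assumed backend hostname

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only handle server-trust challenges for the host we expect; let the
        // system handle everything else with its default behaviour.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              challenge.protectionSpace.host == expectedHost,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: standard validation. The SSL policy checks chain-to-trusted-root,
        // validity period and that the certificate matches expectedHost.
        let policy = SecPolicyCreateSSL(true, expectedHost as CFString)
        SecTrustSetPolicies(trust, policy)
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            // Chain validation failed: cancelling the challenge aborts the connection.
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: pin the leaf certificate's public key (raw key bytes, see lead-in).
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first,
              let key = SecCertificateCopyKey(leaf),
              let keyData = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let digest = Data(SHA256.hash(data: keyData)).base64EncodedString()

        if pinnedKeyHashes.contains(digest) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Valid chain but unexpected key: treat as a possible substituted certificate.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: attach the hardened delegate to the session used for backend calls.
let session = URLSession(configuration: .default, delegate: PinningDelegate(), delegateQueue: nil)
```

The pinned hash is deliberately stored as a placeholder; in practice it is derived from the production server's key out of band and rotated together with the key, and at least one backup pin is kept so a planned key rollover does not lock the app out. Tests for a delegate like this should include a self-signed certificate, a CA-issued certificate for a different hostname, and a CA-issued certificate for the right hostname but with a non-pinned key, all of which must be rejected.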