The security of open banking systems has been questioned after a security researcher demonstrated her 100 per cent success in hacking a range of mobile apps that suffered similar flaws in the security of their application programming interfaces (APIs).

Those APIs – which provide standardised ways of linking cloud and mobile applications – proved easy to manipulate for security researcher Alissa Knight, who recently revealed that she had been able to decrypt API traffic, extract customer information, change PIN codes, and transfer money to and from the accounts of users of 55 different banking apps.

Sponsored by security firm Noname Security, her research uncovered a range of insecure design issues – including hardcoded API keys and tokens, as well as user names and passwords for accessing third-party services – that had provided ammunition for a range of serious compromises.

All of the 55 apps she tested were vulnerable to woman-in-the-middle (WITM) attacks, in which Knight was able to intercept traffic between mobile apps and the hosting bank.

All of the apps also contained broken object level authorisation and broken authentication vulnerabilities, allowing her to perform requests on other bank accounts without the bank’s systems verifying her identity again.

Those issues are two of the well-known OWASP API Security Top 10 – commonly found in poorly designed API interfaces – and Knight believes their ubiquity stems from the fact that the banks generally outsourced their application development to a few firms that reuse much of their base code.

“APIs have become the plumbing for our entire connected world,” she explained, “but many financial services and fintech services have opted not to develop their apps internally.

“These third parties are reusing the same vulnerable code.”

Given the increasing use of mobile apps as a primary interface to banks, Knight said, the use of insecure APIs posed a “clear and present danger in our financial system”.

“It’s clear that authentication and authorisation are very much broken,” she said, and that “there is no ‘trust but verify’ happening with these third-party developers.”

Broader implications for online services

As the highways for data exchange in modern apps, APIs play a critical role in ensuring that only authorised users can access online services and extract data from those services.

Poorly written code is already causing major problems for developers: one recent report found that 91 per cent of enterprise professionals experienced an API security incident last year, while Gartner has predicted that by next year API abuse will be the most common attack security teams have to deal with.

Medicare recently learned the importance of API security the hard way, after Sydney software engineer Richard Nelson demonstrated how he could use a man-in-the-middle attack to feed any information he wanted into the Express Plus Medicare app.

Eliminating these and other vulnerabilities will be crucial as the government pushes an increasing number of everyday services into its MyGov platform, which is being redeveloped under a $200m government investment that is expected to produce a new app by December.

MyGov is being positioned as a gateway to a range of other government services, relying heavily on APIs to provide secure, authenticated access to prevent data theft or manipulation of the services – including its secure ‘wallet’ for storing verifiable credentials such as citizens’ international COVID-19 digital certificates.

For an agency that manages over 100 different types of payments and supports over 21 million myGov accounts, the scale of the application development has been significant.

“Transformation of this scale requires a focus on the total customer experience,” Charles McHardie, deputy CEO of transformation projects with Services Australia, said at Gartner’s recent IT Symposium as he recounted the pandemic-driven “unprecedented demand” that had seen over 1 million people logging into myGov every day.

“We are transforming our payments and services so government interactions are simple,” he said, noting that Services Australia had been adding security layers with technologies like voice biometrics.

Yet if Knight’s research is any indication, back-end API security will be even more important in ensuring the new platform is as robust and secure as it needs to be – and the mobile app will be a key determinant.

“APIs are often hidden within mobile apps, leading to the belief that they are immune to manipulation,” Steve Ragan, security researcher with security firm Akamai, noted in releasing a new study of API security that noted “frustrating patterns of API vulnerabilities” often saw API security “relegated to an afterthought in the rush to bring [apps] to market.”

“API attacks are both underdetected and underreported when detected,” he said, noting that “attacks on APIs don’t receive the same level of attention, in large part because criminals use APIs in ways that lack the splash of a well-executed ransomware attack – but that doesn’t mean they should be ignored.”