Mobile Apps and Using SSL (HTTPS)


When working with money online, it’s important to keep your data safe, and that applies just as much to a digital currency like Bitcoin as to a bank account. Earlier this month, Naked Security ran an article about a bug in the Coinbase app for Android smartphones and tablets that gave some users a scare.

Bryan Stern, a security researcher, published details of the flaw in the way the app handles SSL connections on his GitHub blog on 27 June 2014. Before going public he had gone back and forth with Coinbase, who maintained that the flaw wasn’t really serious. Stern wrote:

With a compromised SSL connection, an attacker could gain full control of a user’s account by stealing their access token. An attacker could also intercept a request to send bitcoins and change both the amount and destination address.

The Coinbase Android app does check the TLS certificate presented when it connects to a Coinbase server and confirms that it chains to a Certificate Authority (CA) the device trusts. Stern’s point is that this alone is not enough: any of the many CAs trusted by the device could issue a certificate for Coinbase’s hostname, whether through compromise, coercion or simple mis-issuance, and the app would accept it. Financial apps that use HTTPS clients therefore usually take the extra step of pinning, cross-checking the presented certificate (or its public key) against a copy the app ships with, which adds another layer of security on top of CA validation.

Andreas Antonopoulos and others from the Bitcoin community have independently audited Coinbase’s security and solvency, and the app is now available to users around the world. Coinbase has been trying to walk the line between security and convenience for its users, and some think it is doing a reasonable job of a perilous task.

All of this leads to a question: are financial apps in general secure? Back in January of this year, Ariel Sanchez of IOActive examined 40 different iOS banking apps. The research found that around 40% of them connected over HTTPS without validating the server certificate at all. An app that skips validation will accept any certificate, including one minted on the spot by an attacker on the same network, so the encryption buys nothing against a man-in-the-middle. On the modern internet that is a huge security risk.
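To make the three postures concrete, here is an added Python example, not code from the Coinbase app, from IOActive’s research or from the original article, covering both the CA validation discussed in the Coinbase paragraph and the missing validation in IOActive’s findings: an HTTPS client with validation switched off (the pattern IOActive found), one that checks the chain against the system CA store and the hostname (what the Coinbase app did), and one that additionally pins the SHA-256 fingerprint of the leaf certificate. The certificate bytes and the pin set are constructed placeholders, and `connect_pinned` is included for reading only; the script itself runs offline.

```python
import hashlib
import socket
import ssl


# Constructed sample: stands in for the DER bytes of a server's leaf
# certificate. A real one would come from
# ssl.SSLSocket.getpeercert(binary_form=True); these bytes are only a
# placeholder so that the pin logic can run offline.
CONSTRUCTED_LEAF_DER = b"\x30\x82\x01\x00example-leaf-certificate-bytes"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lower-case hex."""
    return hashlib.sha256(der).hexdigest()


# Hypothetical pin set: the fingerprints an app would ship with. It is
# derived from the constructed certificate so the example is self-contained.
PINNED_LEAF_SHA256 = {cert_fingerprint(CONSTRUCTED_LEAF_DER)}


def insecure_context() -> ssl.SSLContext:
    """The pattern IOActive found: HTTPS with certificate validation off.

    Any certificate is accepted, so an attacker on the path can present
    one generated a second ago and read or rewrite the traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validating_context() -> ssl.SSLContext:
    """CA validation: chain must reach a trusted root, hostname must match."""
    return ssl.create_default_context()


def is_validating(ctx: ssl.SSLContext) -> bool:
    """True if the context verifies both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def pin_matches(der: bytes, pins: set) -> bool:
    """The extra check: the presented leaf must be one the app expects."""
    return cert_fingerprint(der) in pins


def connect_pinned(host: str, port: int, pins: set,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """CA validation first, then the pin check; hard-fail on mismatch."""
    ctx = validating_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLCertVerificationError(
            "pin mismatch for %s: got %s" % (host, cert_fingerprint(der)))
    return tls


if __name__ == "__main__":
    print("insecure context validates:", is_validating(insecure_context()))    # False
    print("default context validates:", is_validating(validating_context()))   # True
    print("constructed leaf pinned:",
          pin_matches(CONSTRUCTED_LEAF_DER, PINNED_LEAF_SHA256))               # True
    print("attacker leaf pinned:",
          pin_matches(b"attacker-issued-leaf", PINNED_LEAF_SHA256))            # False
```

Two design points worth noting. Pinning the leaf certificate is the simplest form, but the pin has to be rotated every time the certificate is renewed; pinning the hash of the server’s public key (the SubjectPublicKeyInfo) instead survives renewals that keep the same key, and shipping a backup pin for a spare key avoids locking users out if the primary key must be replaced. Whichever is pinned, a mismatch must abort the connection, as `connect_pinned` does, rather than log a warning and continue.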

Going back to Coinbase, there are other concerns not strictly related to SSL/TLS. One of the biggest is that the private keys are held by Coinbase rather than handed to the user. “What I Have Learned From Having Coins On Mtgox: If you, and you alone, don’t own the private keys, you don’t own the coins,” wrote a commenter known as Introshine, as quoted in an article in CryptoCoinsNews.

Here are some security tips to keep in mind before you install a financial app on your mobile device.

  • Don’t use mobile apps for financial transactions unless you have good reason to trust how they protect your data
  • Use a well-maintained desktop computer or laptop with a mainstream, up-to-date browser to do your banking
  • If you do use mobile banking apps, connect through a VPN on untrusted networks such as public Wi-Fi; bear in mind that a VPN only shields you from an attacker on the local network and cannot fix an app that skips certificate validation, since anyone between the VPN’s exit and the bank can still intercept that traffic

Following the advice above will help keep you safe. While Coinbase and others have security on their mind when they’re releasing mobile apps, it’s important to make sure you take steps yourself to protect your financial data online.