The Ecocash Droid app and m-banking security


I have followed with interest the discussion on the ingenious Ecocash Droid app and how it was swiftly disabled by Econet. I was quite frankly amazed by some of the vitriol that was spewed at Econet by some disgruntled commenters. Though I applaud Gedion for taking initiative and coming up with a way to ease the pains of USSD, I must also point out that security should trump convenience, especially when you’re dealing with people’s money.

For starters, even though the developer states that the app does not store a user’s PIN, we cannot know with certainty that it doesn’t. I’m not saying it does, but for all we know, this simple disclosure may actually be a nifty social engineering trick to get users to drop their guard and willingly provide their PIN codes. Anyway, let’s assume the app does indeed store the user’s PIN and mobile number. On its own that is a serious security problem, but it is only half the story. Many of us assume, wrongly of course, that even with these details, a person with malicious intent cannot do much harm without physical access to the mobile device. How wrong we would be!

There is a class of attack known as a Remote USSD Exploit to which some Android devices have been shown to be vulnerable. There is a YouTube clip featuring Ravi Borgaonkar in which he demonstrates how USSD code can be executed remotely on a Samsung Galaxy S3. Execution of the USSD code can be triggered through a variety of means, including SMS, the web browser, QR codes, NFC, etc. In the demo, Ravi performs a USSD factory reset on the Samsung S3 without any user interaction. This exploit shows that it is possible to make a phone execute USSD remotely without the participation of the user. And in this, we have the second part of the puzzle!

Now, assuming our malicious user is in possession of your mobile number and your PIN code, and you have a phone that is vulnerable to the remote USSD exploit, what is to stop him from wiping all the money in your account and sending it to some unregistered number somewhere?

In this article, I sought to demonstrate some of the security vulnerabilities that are easily overlooked when we focus only on the convenience aspect of technology, without due care on the security side.

By the way, to test if your Android device executes a USSD code without dialing, you can do it here.
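The vector described above depends on a dialer executing whatever a tel: URI hands it, whether the URI arrived from a web page, a QR code, an NFC tag or an SMS link. As an added example (not code from the article or from the app it discusses), the Python check below separates plain phone numbers from USSD/MMI control strings so that only the former are dialled automatically; the sample URIs are constructed.

```python
"""Classify tel: URIs before a dialer acts on them (added example).

A dialer that executes any tel: URI it receives lets a web page, QR code,
NFC tag or SMS link run a USSD/MMI code with no user interaction. This
check keeps plain numbers on the fast path and routes anything containing
MMI control characters (* or #) to an explicit user confirmation.
"""
import re
from urllib.parse import unquote

# Ordinary number, optionally with tel-URI parameters such as ;ext=12.
PLAIN_NUMBER = re.compile(r"^\+?[0-9][0-9().-]*(?:;[a-z]+=[^;]+)*$")
MMI_CHARS = re.compile(r"[*#]")


def classify_tel_uri(uri: str) -> str:
    """Return 'dial' for a plain number, 'ussd' for an MMI/USSD string,
    or 'reject' for anything that is not a well-formed tel: URI."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.strip().lower() != "tel":
        return "reject"
    # Decode twice so a double-encoded %2523 (-> %23 -> #) is still seen.
    number = unquote(unquote(rest)).replace(" ", "")
    if not number:
        return "reject"
    if MMI_CHARS.search(number):
        return "ussd"
    if PLAIN_NUMBER.match(number):
        return "dial"
    return "reject"


def safe_to_autodial(uri: str) -> bool:
    """Only plain numbers may bypass the confirmation prompt."""
    return classify_tel_uri(uri) == "dial"


def triage(uris):
    """Map each URI to its classification (handy for reviewing captured links)."""
    return {u: classify_tel_uri(u) for u in uris}


# Constructed sample URIs of the kinds a link, QR code or NFC tag could carry.
SAMPLES = [
    "tel:+263771234567",        # plain number -> dial
    "tel:0778000000;ext=12",    # number with a tel parameter -> dial
    "tel:*%2306%23",            # *#06# (shows IMEI), percent-encoded -> ussd
    "tel:%252A123%2523",        # double-encoded *123# -> ussd
    "http://example.invalid/",  # wrong scheme -> reject
]

if __name__ == "__main__":
    for uri, verdict in triage(SAMPLES).items():
        print(f"{verdict:7} {uri}")
```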


29 comments

  1. Marshall Mahachi

    Nice article… Just imagine if this guy captures our EcoCash PINs and then develops a script which randomly withdraws money from user accounts… or more subtly, just adds $1 for every transaction. You would actually think that it’s part of the EcoCash charges… It’s just best to wait for the official app from Econet.

    1. Security Expert

      That would be super easy to trace… if $1 goes to some account and the other money to your desired account, you will receive two notifications from econet telling you where your money went… enough to raise suspicions already… and should make you call econet at once!!! And since no-one can take money without an ID Card, whoever took that money would be super easy to catch…

  2. SecurityConsultant

    But this is like saying “what if a person has your bank card and your PIN” type of situation. There is no ultimate solution. You make sure you keep your PIN safe then. Do we stop using bank cards because there is that vulnerability? Do banks close down third party (Visa) payment channels because they can hold your PIN? Do we even know how the third parties like Visa, Mastercard, Zimswitch deal with our bank cards?

    1. Guest

      You clearly don’t think like a SecurityConsultant. The difference is a bank card is a physical thing that is not connected to anything for as long as it is in your pocket. There is no way you can manipulate it to send money to another’s account. UNFORTUNATELY with this droid app, it’s possible. Given that this Gedion has shown prowess over USSD, how do you know this app has no exploit where it runs malicious code to send money at a given time, e.g. 12 midnight every day?

      1. Kufunga

        Mr Guest, SecurityConsultant is right. Banks give people Visa cards which some use to pay on different websites; there are no banks which close down third party (Visa) payment channels because they can hold your PIN. You make your own decision, so should we. If I want to use the app and I end up getting conned out of my cash, it’s my fault, not for Econet to decide for us. You simply put a disclaimer: use third party apps at your own risk.

        1. mhofu

          I think we are oversimplifying things a bit here, Kufunga… Let’s say you have been robbed of your $100 right now, today, because of a transaction you did through this droid… who are you going to confront? A very simple question which Econet knew would be a problem, because you will go to Econet to claim your money; you will never go to this guy. You would be saying “hey Econet, your security is drunk”, what what… but now that they are trying to safeguard it you blame them again. Honestly, people, there is no pleasing you…

          1. Murovi

            It’s easy: every time you do a transaction on EcoCash you receive an SMS message telling you where your money went and what your new balance is. So it would be pretty stupid for anyone to try to steal your money on EcoCash because ultimately the line will be traced and you can report the incident immediately to EcoCash… I think we need to be willing to take some risk in order for our country to develop. No risk, no gain…

      2. Guest

        You clearly don’t think like an Online Bank Card user…. that physical plastic card is useless, all someone needs is your PAN (your card number) and the expiration date. If a website stores that information or if anyone steals that information from you, they can do whatever they want with it…

    2. Tsikidzi

      Visa and Mastercard always roll out connectivity using trusted accredited parties, typically banks. The terminals in retail shops belong to the bank, the trusted party. If you can download any mobile payments app or bank app from the Internet, not from your bank or carrier, it’s like a lamb playing around with a lion’s cub: the cub’s mother will ensure the godsend lunch is speedily consumed.

  3. Gweja

    Good info, but I am disappointed that you base your whole story on an ASSUMPTION. Seriously??? What happened to two sides of the coin? If you wanted to tell the world about the USSD vulnerabilities, you could have done so without attacking this good app.

    1. David Shingirai Gate

      I would think it better to base it on an assumption and prove a potential vulnerability than to actually wait for someone to lose their money first.

      And these are all perfectly reasonable assumptions by the way.

      1. Gweja

        There was really no need to assume. You could have contacted the developer for clarification before trolling down the road. Good info though on your article, which I suggest should have been titled differently, something like “Remote USSD Exploits on Android Smartphones” or something similar.

        Let’s stop this business of killing budding developers. Let’s encourage them and make them try harder every day. This is the difference between Americans and Africans. Ever seen how Americans support each other even on things we consider a waste of time? Just imagine if Facebook had been started in Zimbabwe, would it have been as successful as it is today? Definitely NO. Our “analysis paralysis” culture would have killed it before it was even 1 year old.

        Give the boy the support he needs. TZ, why not invite the boy for an interview so we know more about him and his works.

        1. David Shingirai Gate

          Ok, Gweja, I understand where you’re coming from. But let’s assume (there I go again with my assumptions, but let’s do)… let’s assume I went to him and asked him about the security of his app and he told me everything was peachy. Would it have been prudent of me to take his word for it and not try to dig out “potential” vulnerabilities in that approach to solving the USSD pains? In the security field, that’s a definite no-no.

          By the way, I never meant the article as a troll on the app. I did actually commend the developer for taking initiative.

          1. Gweja

            Assume, assume, assume. LOL

            Good article buddy, but I think you should come out of the closet and write more and share on this subject; you seem to know more about this. Don’t wait for another droid app!

            1. mhofu

              I see nothing wrong about the assumptions he made on this article though… ASSUME again I develop an app which can tap into some local bank’s accounts, which enables customers to access their accounts, withdraw, etc… without the permission of the bank… would they really let me be when I am playing around with the safety of depositors’ funds? This developer did a great job by coming up with this app, but he should have gone to Econet with it and sold it to them rather than just start using it and giving people access to it without the knowledge of Econet… because what matters most and first is depositors’ funds over some development. We want developments, but those that leave us vulnerable, I don’t think anyone would want…

          2. JustSaying

            So you would rather kill a useful technology over a risk of something that might not happen….

      2. Gues

        Your assumptions are really valid but serve only to threaten people from using an otherwise useful technology. Having been one of the lucky people to test the application whilst it was still working, I have to say it’s a much-needed technology. If anyone uses the application to loot money to a particular number, it would only be a matter of time before they are caught because no one is allowed to take money from EcoCash without a valid ID card. I think the risks were lower than the benefits.

    2. tinm@n

      You don’t get it. The premise of security IS ASSUMPTIONS! We group them in what is technically called Risks.

      We assume the developer is potentially malicious. If malicious what can he/she do with unknown or hidden code? What is valuable from the user that can be taken using hidden code IF the developer were malicious?

      Theft, misuse or harvesting of PINs.

      This is not to say he is malicious. This is to manage the risk or eliminate the threat if it were.

      You do know you can have your code do one thing behind the scenes whilst serving a said function….right?

      Hope that made sense.

  4. Nerudo Mregi

    You make very brilliant and valid points. I do not have an issue with them disabling the feature; I have an issue with them not providing the secure solutions and not letting the developer community at least thrive in making use of their ready-set infrastructure.

    1. tiki

      *151*1*0778xxx* amount works -cool

  5. Tichaona Miti

    Thanks … this shows the advancement of our understanding of technology/code

  6. Siege S Musonza

    Solution – Econet should just buy the app from the developer.

  7. lastborn

    Maybe not the right platform, but I have a concern with the recruitment processes at most companies in Zimbabwe, Econet, Old Mutual et al. Most of them do not have a careers portal (Econet); for those that do have one, 24/7 365 they will never advertise a job (Old Mutual). This I think opens room to nepotism and underhand deals. One of the many benefits of a careers/recruitment portal, in-house or external, is transparency. For all we know people get hired at all these companies yet we never hear of the adverts. Not cool. By the way, nice article David Shingirai Gate; it explores the one side of the coin I wouldn’t want to flip.

    1. tinm@n

      Join the churches they commonly go to. Minister there. Be good. Pray hard. Sharpen your skills in your area of expertise. Be noticed by the Econet manager who’s there. Seek audience with him/her/them… Who knows, you may kill two birds with one stone: straighten your morals and get a job.

      As for me, I didn’t have the time or commitment. Applied twice where I knew I deserved at least a first interview. But did I? Nope…. I had some interesting ideas to try out and fail on… so I left it, but somewhere along the line I was told either I knew someone or somewhat fit their mould. That’s if I wasn’t exceptionally well connected or of loose morals.

      Good luck!

      1. lastborn

        Sounds like an idea… will try it 🙂

  8. Malvern Dongeni

    This app is a brilliant idea. It only needs little improvements in the following fields:
    1. International mobile identity (IMEI) code: this code can be used for the authentication process within the transaction database (an authentication process depending on this can stop remote USSD).
    2. Understanding of transaction call flows (it’s another way to authenticate and prevent remote USSD, and gives the user total control of the app).
    3. The system should not use an installed database, that is, it should use a remote database (an installed database within an Android app is easy to manipulate and to play around with).

  9. Mobility Zimbabwe

    I think this article is just out for the small guy. There is no need to make assumptions here. The article fails to point out certain bare minimum requirements that the app would need to divulge your PIN, which is access to EXTERNAL communications.

    This app has only 2 permissions it needs to operate:
    android.permission.READ_CONTACTS
    android.permission.CALL_PHONE

    Any Google Play user can easily confirm that.

    It cannot send SMSes, it can’t access the Internet, so the question now stands: in possession of your PIN, how and where will the application leak it into the wild? In this scenario, it’s like a prisoner with the key to your safe; it doesn’t help them much.

    The remote USSD attack itself requires some user interaction involving the user clicking a malicious link (on a webpage). This further reduces the chances of an attack on an EcoCash account, as this link has to be matched to the exact device carrying the EcoCash account. What are the chances of that in reality? In reality there is a higher likelihood of you getting mugged, getting your phone taken and being coerced to reveal your EcoCash PIN, than there ever would be of this app stealing your money.

    Why is there no speculation about what local VISA or Mastercard payment gateways may do with our debit/credit card details? And of all the types of speculation, why does it have to be negative?

    Don’t sweat the small guy…
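The comment above argues from the app’s declared permissions. As an added example (not the app’s code and not the commenter’s), the Python check below makes that review repeatable: it parses a constructed AndroidManifest.xml declaring the two permissions quoted above and flags every permission that gives the app a channel off the device. The classification table is my own and is not exhaustive; it counts CALL_PHONE as such a channel, since the dialled string itself leaves the phone over the carrier network.

```python
"""Review an Android manifest's permissions for an off-device channel
(added example, not the app's code).

Rule applied: a permission list is only a security argument if none of
the granted permissions lets data leave the device. OFF_DEVICE is my own
non-exhaustive classification.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that open a channel off the device (hypothetical selection).
OFF_DEVICE = {
    "android.permission.INTERNET": "network",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.CALL_PHONE": "dialled string reaches the carrier",
    "android.permission.NFC": "NFC",
    "android.permission.BLUETOOTH": "Bluetooth",
    "android.permission.WRITE_EXTERNAL_STORAGE": "shared storage readable by other apps",
}

# Constructed manifest declaring exactly the two permissions quoted in the comment.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.ussdhelper">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Collect android:name from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names


def off_device_channels(manifest_xml: str) -> dict:
    """Declared permissions that give the app a way to move data off the device."""
    return {p: OFF_DEVICE[p] for p in sorted(declared_permissions(manifest_xml)) if p in OFF_DEVICE}


def review(manifest_xml: str) -> str:
    channels = off_device_channels(manifest_xml)
    if not channels:
        return "no off-device channel declared"
    return "off-device channels: " + ", ".join(f"{p} ({why})" for p, why in channels.items())


if __name__ == "__main__":
    print(review(MANIFEST))
```

A permission set can change with any update, so the check belongs on the installed APK’s manifest rather than on a store listing read once.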

    1. ranger

      This is a good response; sounds like you know what you are talking about.

2023 © Techzim All rights reserved. Hosted By Cloud Unboxed