A peek inside the Danske Bank iPhone app
Out of curiosity I have looked inside the Danske Mobilbank app for the iPhone, and I just wanted to share this. The first and obvious thing to do is to SSH into the phone and look inside the application folder. After having downloaded the application, I started out by checking the preferences folder. The only interesting thing here is the file called danskebankgroup.mobilebank.danskebank.plist, which contains some information on which phone number to call and whether the camera is enabled or not.
Immediately after that I looked inside the application folder. Nothing was really interesting here – just the NIB files, the application binary and a whole lot of images. A bit weird, though, is that they have included ActivCardLoginController.nib along with their default NemIDLoginController.nib – however, the ActivCard solution has never been in use in the application. So maybe they will enable ActivCard login in the future, or maybe they had just built the functionality for use before NemID was introduced (which is the bane of public service logins in Denmark).
I then started extracting strings from the application to get a better look inside. The first thing to notice is that it uses ASIHTTPRequest from Allseeing-I. That's definitely a good choice, as this is a strong and very easy-to-use framework which includes a lot of functionality for SSL and HTTP requests in general. Another thing is that some strings strongly indicate that Trifork made the application, which can easily be confirmed at www.trifork.com. Besides that there are a lot of class names and function calls. The most interesting are the connection calls, which include keywords such as MagicKey and Challenge, and the fact that all data connections seem to work over JSON – nice!
The last thing to do was to sniff the application's traffic. It seems the application talks via HTTPS with mb.danskebank.dk, where mb might stand for MobilBank. If you want specific details, you might just sniff the application yourself – but it seems that the phone connects to the server to create a session at application startup. Besides initializing the session, it also receives updates from the server from mb.danskebank.dk/smartphones/gmb.svc/Settings. The response looks like this (encoded in JSON)
Basically every single call in the app just calls another function afterwards. For example, the login function takes your CPR number and your MobilBank number (security PIN) – if correct, the response will be your security card number (the number on top of the NemID card), your name and of course the challenge to the NemID card. You can then respond with the correct answer by looking at the card, and the server will then authenticate you on the originally created session.
Afterwards, you can call different functions such as /smartphones/gmb.svc/Accounts?magicKey=(some key here) and request some information about your accounts, such as account number and credit balance. You can then go to a subfolder such as /smartphones/gmb.svc/Accounts/4498071234/, where 4498071234 stands for your account number, and request a transaction overview.
Generally the application seems very simply built – the hard and strong part is the SSL encryption of everything and the MagicKey. This MagicKey is sent and received in every single request and is a string which is very likely Base64-encoded – however, I have not yet looked into the algorithm by which this MagicKey is changed and set on every request.
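The session, login and per-request MagicKey flow described above, modelled as a toy server in Python. This is an added example, not the bank's code or anything recovered from the app: the HMAC-chained key scheme, the user credentials and the code card values are all assumptions made up here, and the point is to show why a key that is consumed and rotated on every request cannot be replayed.

```python
import hmac, secrets

# Constructed toy data, not real values: one user and a two-entry code card.
USER = ("0101701234", "1234")            # (CPR number, MobilBank PIN)
CARD = {"17": "482913", "42": "905117"}  # challenge -> answer printed on the card

class ToyMobileBankServer:
    def __init__(self, server_secret: bytes):
        self.secret, self.sessions = server_secret, {}
    def _next_key(self, sid, prev_key):
        # Assumed scheme: HMAC of the previous key, so each key is valid exactly once.
        return hmac.new(self.secret, f"{sid}:{prev_key}".encode(), "sha256").hexdigest()
    def _consume(self, sid, magic_key):
        s = self.sessions[sid]
        if not hmac.compare_digest(s["key"], magic_key):
            raise PermissionError("replayed or forged magicKey")
        s["key"] = self._next_key(sid, magic_key)  # rotate on every request
        return s
    def create_session(self):  # what the app does at startup
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"key": self._next_key(sid, ""), "authenticated": False}
        return sid, self.sessions[sid]["key"]
    def login(self, sid, magic_key, cpr, pin):  # step 1: CPR + PIN
        s = self._consume(sid, magic_key)
        if (cpr, pin) != USER:
            raise PermissionError("bad credentials")
        s["challenge"] = secrets.choice(list(CARD))
        return {"challenge": s["challenge"], "magicKey": s["key"]}
    def answer(self, sid, magic_key, card_value):  # step 2: card response
        s = self._consume(sid, magic_key)
        if not hmac.compare_digest(CARD.get(s.get("challenge"), ""), card_value):
            raise PermissionError("wrong card answer")
        s["authenticated"] = True
        return {"magicKey": s["key"]}
    def accounts(self, sid, magic_key):  # authenticated call such as /Accounts
        s = self._consume(sid, magic_key)
        if not s["authenticated"]:
            raise PermissionError("not authenticated")
        return {"accounts": ["4498071234"], "magicKey": s["key"]}

def run_flow():
    srv = ToyMobileBankServer(b"constructed-server-secret")
    sid, first_key = srv.create_session()
    r = srv.login(sid, first_key, *USER)
    r = srv.answer(sid, r["magicKey"], CARD[r["challenge"]])
    accounts = srv.accounts(sid, r["magicKey"])["accounts"]
    try:
        srv.accounts(sid, first_key)  # replay of an already-consumed key
        return accounts, False
    except PermissionError:
        return accounts, True
```

Each response carries the key for the next request only, so a captured key is useless once the legitimate client has used it.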
If you are interested and want to try your luck going through the application in assembly, you can just download the app for free from the App Store, look into some reverse engineering, and please report your progress to me.