Enhancement #22349

[3.9.16][MIB][Android][MIB-7] Force Upgrade Bypass

Added by Feerman Yusoff about 9 hours ago.

Status: New
Start date: 18 August 2025
Priority: Normal
Due date: -
Assignee: Abdul Halim Baharom
% Done: 0%
Category: -
Spent time: -
Target version: -

Description

Finding Summary: The mobile banking application implements a forced upgrade mechanism starting from version 3.9, designed to ensure customers use the latest app version. The backend verifies the app version submitted by the client during app launch or login. The intended workflow is:

When force upgrade is enabled (status = Yes):
● If the app version matches the current version stored in backend configuration (MIB Properties), the user may proceed.
● If the app version is missing or does not match, the user is shown a forced upgrade message.
● From version 3.9.9 onward, users are redirected to the Google Play Store or Apple App Store.

During testing, it was found that the forced upgrade mechanism can be bypassed by simply altering the appVersion parameter submitted during login. By modifying the app's traffic to send the latest version number (as configured in MIB Properties), older, outdated, or vulnerable versions of the app can continue to operate without being forced to update.

Fixes: Implement the same RSA approach as MIB-5:
- return the public key in the accessInfo ws
- mobile front end encrypts the appVersion|transactionDate values
- add a new parameter encData to the loginInternetPin ws
- validate the appVersion parameter obtained from decryption
- on error, return an error to the front end
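An added example (not code from this issue or the MIB project) modelling the proposed flow in Go, with RSA-OAEP as an assumed padding choice, a constructed configured version and an assumed five-minute freshness window for transactionDate: the client encrypts appVersion|transactionDate with the public key from accessInfo, and the backend decrypts encData at loginInternetPin and rejects a mismatched version, a stale date or undecryptable data.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"time"
)

const (
	// Constructed stand-in for the current version stored in MIB Properties.
	configuredAppVersion = "3.9.16"
	// Assumed freshness window for transactionDate (not specified in the issue).
	maxSkew = 5 * time.Minute
)

// newKeyPair generates the backend RSA key pair whose public half accessInfo returns.
func newKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// encryptEncData models the mobile front end: with the public key returned by the
// accessInfo ws, RSA-OAEP encrypt "appVersion|transactionDate" into encData.
func encryptEncData(pub *rsa.PublicKey, appVersion string, txDate time.Time) ([]byte, error) {
	plain := appVersion + "|" + txDate.UTC().Format(time.RFC3339)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(plain), nil)
}

// validateEncData models the loginInternetPin ws: decrypt encData, compare the
// embedded appVersion with configuration and reject stale transactionDates.
func validateEncData(priv *rsa.PrivateKey, encData []byte, now time.Time) error {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, encData, nil)
	if err != nil {
		return errors.New("encData decryption failed")
	}
	parts := strings.SplitN(string(plain), "|", 2)
	if len(parts) != 2 {
		return errors.New("malformed encData payload")
	}
	if parts[0] != configuredAppVersion {
		return fmt.Errorf("force upgrade required: app version %q, current %q", parts[0], configuredAppVersion)
	}
	txDate, err := time.Parse(time.RFC3339, parts[1])
	if err != nil {
		return errors.New("invalid transactionDate")
	}
	if d := now.Sub(txDate); d > maxSkew || d < -maxSkew {
		return errors.New("stale or replayed encData")
	}
	return nil
}
```

Because accessInfo publishes the public key, any client can produce a well-formed encData, so this check blocks replay of old ciphertexts and raises the cost of tampering but does not by itself prove the request came from a genuine app build.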
