Enhancement #22351: [3.9.16][MIB][iOS][MIB-7] Force Upgrade Bypass - BIBD 3.9.16 - S-MADP Customer Support & Information Center

Enhancement #22351

[3.9.16][MIB][iOS][MIB-7] Force Upgrade Bypass

Added by Feerman Yusoff about 1 month ago. Updated about 1 month ago.

Status:

Assigned

Start date:

18 August 2025

Priority:

Normal

Due date:

Assignee:

Feerman Yusoff

% Done:

100%

Category:

Spent time:

Target version:

Description

Finding Summary: The mobile banking application implements a forced upgrade mechanism starting from version 3.9, designed to ensure customers use the latest app version. The backend verifies the app version submitted by the client during app launch or login. The intended workflow is:
When force upgrade is enabled (status = Yes):
● If the app version matches the current version stored in backend configuration (MIB Properties), the user may proceed.
● If the app version is missing or does not match, the user is shown a forced upgrade message.
● From version 3.9.9 onward, users are redirected to the Google Play Store or Apple App Store.
During testing, it was found that the forced upgrade mechanism can be bypassed by simply altering the appVersion parameter submitted during login. By modifying the app’s traffic to send the latest version number (as configured in MIB Properties), older, outdated, or vulnerable versions of the app can continue to operate without being forced to update.

Fixes: Implement the RSA approach same as MIB-5
- return public key in accessInfo ws
- mobile front end encrypt appVersion|transactionDate values
- add new parameter encData at loginInternetPin ws
- validate appVersion parameter for decryption
- if error, prompt error to front end

BIBD MIB 2517220 Pentest App version bypass v2.0.docx (58.8 KB) Feerman Yusoff, 29 August 2025 10:31 AM

History

#1 Updated by Yeow Yui Chuang about 1 month ago

Status changed from New to Resolved
Assignee changed from Yeow Yui Chuang to Feerman Yusoff
% Done changed from 0 to 100

r238186 | yeowyc | 2025-08-22 03:48:09 +0000 | 2 lines
Changed paths:
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/BIBD Components/CryptoHelper/CryptoHelper.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/LoginViewController.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/RegistrationCreatePassword.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/TabBarAppAppDelegate.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/WebService.m

Enhancement #22351 MIB-7
https://dev.silverlakemobility.com/redmine/issues/22351

#2 Updated by Feerman Yusoff about 1 month ago

File BIBD MIB 2517220 Pentest App version bypass v2.0.docx added
Status changed from Resolved to Assigned
Assignee changed from Feerman Yusoff to Yeow Yui Chuang
% Done changed from 100 to 50

The API document for 17220 has been updated.

A new web service will be created for the Front End (FE) to call in order to retrieve the RSA key. Instead of obtaining the RSA key from the accessInfo web service as previously defined, the new web service must be called immediately before loginInternetPin to retrieve the RSA key.

The subsequent process remains unchanged: generate the AES key, encrypt the app version, and pass it into loginInternetPin.

This change must be applied for loginInternetPin first. Additional web services will also require this change, and further details will be provided in a future updated document.

#3 Updated by Yeow Yui Chuang about 1 month ago

Assignee changed from Yeow Yui Chuang to Feerman Yusoff
% Done changed from 50 to 100

r238215 | yeowyc | 2025-08-29 02:53:26 +0000 | 3 lines
Changed paths:
A /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/SLGlobalWsCaller.h
A /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/SLGlobalWsCaller.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp.xcodeproj/project.pbxproj
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/BIBDRegistration.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/BIBDRegistration.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/FirstScreenController.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/FirstScreenController.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/ForgotPINController.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/ForgotPINController.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/LoginViewController.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/LoginViewController.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/Register_Option.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/Register_Option.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/RegistrationCreateIDPIN.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/RegistrationCreateIDPIN.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/RegistrationCreatePassword.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/RegistrationCreatePassword.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/RegistrationVerifyIdentity.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/RegistrationVerifyIdentity.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/TabBarAppAppDelegate.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/TermsAndConditionsMain.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/TermsAndConditionsMain.m

Enhancement #22351
https://dev.silverlakemobility.com/redmine/issues/22351
[3.9.16][MIB][iOS][MIB-7] Force Upgrade Bypass

Also available in: Atom PDF

BIBD (Bank Islam Brunei Darussalam) » BIBD Mobile » BIBD 3.9.16

Issues

Custom queries