Enhancement #22351
[3.9.16][MIB][iOS][MIB-7] Force Upgrade Bypass
Status: | Assigned | Start date: | 18 August 2025 | |
---|---|---|---|---|
Priority: | Normal | Due date: | ||
Assignee: | Feerman Yusoff | % Done: | 100% | |
Category: | - | Spent time: | - | |
Target version: | - |
Description
Finding Summary: The mobile banking application implements a forced upgrade mechanism starting from version 3.9, designed to ensure customers use the latest app version. The backend verifies the app version submitted by the client during app launch or login. The intended workflow is:
When force upgrade is enabled (status = Yes):
● If the app version matches the current version stored in backend configuration (MIB Properties), the user may proceed.
● If the app version is missing or does not match, the user is shown a forced upgrade message.
● From version 3.9.9 onward, users are redirected to the Google Play Store or Apple App Store.
During testing, it was found that the forced upgrade mechanism can be bypassed by simply altering the appVersion parameter submitted during login. By modifying the app’s traffic to send the latest version number (as configured in MIB Properties), older, outdated, or vulnerable versions of the app can continue to operate without being forced to update.
Fixes: Implement the RSA approach same as MIB-5
- return public key in accessInfo ws
- mobile front end encrypt appVersion|transactionDate values
- add new parameter encData at loginInternetPin ws
- validate appVersion parameter for decryption
- if error, prompt error to front end
History
#1 Updated by Yeow Yui Chuang 18 days ago
- Status changed from New to Resolved
- Assignee changed from Yeow Yui Chuang to Feerman Yusoff
- % Done changed from 0 to 100
r238186 | yeowyc | 2025-08-22 03:48:09 +0000 | 2 lines
Changed paths:
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/BIBD Components/CryptoHelper/CryptoHelper.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/LoginViewController.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/RegistrationCreatePassword.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/TabBarAppAppDelegate.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/WebService.m
Enhancement #22351 MIB-7
https://dev.silverlakemobility.com/redmine/issues/22351
#2 Updated by Feerman Yusoff 11 days ago
- File BIBD MIB 2517220 Pentest App version bypass v2.0.docx added
- Status changed from Resolved to Assigned
- Assignee changed from Feerman Yusoff to Yeow Yui Chuang
- % Done changed from 100 to 50
The API document for 17220 has been updated.
A new web service will be created for the Front End (FE) to call in order to retrieve the RSA key. Instead of obtaining the RSA key from the accessInfo web service as previously defined, the new web service must be called immediately before loginInternetPin to retrieve the RSA key.
The subsequent process remains unchanged: generate the AES key, encrypt the app version, and pass it into loginInternetPin.
This change must be applied for loginInternetPin first. Additional web services will also require this change, and further details will be provided in a future updated document.
#3 Updated by Yeow Yui Chuang 11 days ago
- Assignee changed from Yeow Yui Chuang to Feerman Yusoff
- % Done changed from 50 to 100
r238215 | yeowyc | 2025-08-29 02:53:26 +0000 | 3 lines
Changed paths:
A /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/SLGlobalWsCaller.h
A /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/SLGlobalWsCaller.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp.xcodeproj/project.pbxproj
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/BIBDRegistration.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/BIBDRegistration.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/FirstScreenController.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/FirstScreenController.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/ForgotPINController.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/ForgotPINController.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/LoginViewController.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/LoginViewController.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/Register_Option.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/Register_Option.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/RegistrationCreateIDPIN.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/RegistrationCreateIDPIN.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/RegistrationCreatePassword.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/RegistrationCreatePassword.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/RegistrationVerifyIdentity.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/RegistrationVerifyIdentity.m
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/TabBarAppAppDelegate.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/TermsAndConditionsMain.h
M /BIBD/BIBDFrontEnd/iOS/BIBD (old)/branches/3.9.16/TabBarApp/TermsAndConditionsMain.m
Enhancement #22351
https://dev.silverlakemobility.com/redmine/issues/22351
[3.9.16][MIB][iOS][MIB-7] Force Upgrade Bypass