Indian Bank IndSMART Android App Missing SSL Certificate Validation Vulnerability

A vulnerability exists in the Indian Bank IndSMART Android App version 3.8.1, specifically within the NuWebViewActivity. The issue arises from improper SSL certificate validation, allowing potential Man-in-the-Middle (MITM) attacks. The WebView in this activity, which handles sensitive processes like login and payments, does not properly manage SSL errors or validate URLs before loading them. This could enable an attacker to intercept or modify critical user information.

Impact

Exploitation of this vulnerability could lead to interception of login credentials, One-Time Passwords (OTPs), and unauthorized transactions by manipulating data within the WebView.

Reproduction

The vulnerability can be reproduced by loading a URL into the WebView from an unvalidated Intent source while JavaScript is enabled. This can be done by sending an Intent to the application with a URL that the WebView will load, taking advantage of the missing SSL certificate validation to intercept or alter sensitive information.

Remediation

To address this vulnerability, Indian Bank should implement strict SSL/TLS validation in the WebView, ensuring that all certificates are valid and trusted before establishing a connection. Additionally, sensitive flows such as login and payments should be routed through secure browser tabs or system browsers that enforce proper SSL validation, rather than being handled within the app's WebView.