App needs updating... no it doesn't


#1

Just had a bit of a panic out in the wild (Peru) when trying to pay for food with my card. Their machine timed out twice while trying to pay, so I thought I’d check the app to see if payment was taken… to be met with a screen saying that the app needs updating, with no option to ignore or clear it.

Now, I have a data connection, but data is expensive here (Peru) so I only update apps on Wifi…

So anyway, I took a gamble and paid with cash hoping money wasn’t taken (it wasn’t). I then get to a Wifi connection to update the app and there’s no update!

Android, btw.

This is really bad design, guys!


#2

Hey Adam!

We had an Android update on 15 March.

We’ve found that sometimes the Play Store needs a refresh in order to correctly report whether an update is necessary.

If in doubt contact our CS team via webchat or help@starlingbank.com; we can very quickly check which version of the app you’re running, which will help with working out what the issue may be :+1:


#3

My version is 0.38.1.4285, which is what is reported as the current version in the Play Store.

Regardless, you shouldn’t block usage of the app if it’s only one version out of date!


#4

Thanks for the feedback Adam. Account security is a priority for us, which is why the app mandates the latest version in order to run.

If you’re continuing to have issues with this, please do get in contact with CS so we can assist you further. :slightly_smiling_face:


#5

try
“Hey, your app needs updating but if you can’t do that right now you can view your account (but not make changes / transfers)”


#6

Hi @Adam24218 sorry about your experience.

I know @alexandra has responded.
This screen sometimes presents when you are on an insecure network (a VPN, or perhaps a monitored wifi).

We will improve the copy on the screen, but because we value security, we don’t allow any account details to display at this point.

This is why there was no update in the Play store either.

As mentioned we will improve this journey to make it clearer, but meanwhile it’s best to use a trusted network (which I know can sometimes be hard while travelling).

Enjoy Peru!


#7

Presumably you use SSL - what kind of network I am using is moot unless you know something about SSL that security experts don’t; because SSL is perfectly safe over any kind of network (that’s the point of it).

However, I was using the Movistar mobile network; no VPN or “unsecured” wifi.


#8

Good question @Adam24218.

We are big on account and device security. Our Head of Info Security shared this with me, for a detailed response.

If the Starling app detects that the network connections between it and the Starling servers are not encrypted from end-to-end, the app does not send or receive any data until a fully end-to-end encrypted connection can be re-established - this can result in the message you saw in the app.

Some network devices, including certain types of network proxy, try to decrypt encrypted network connections passed to them before establishing a second encrypted connection to the final connection destination to pass on the original data.

This decryption and re-encryption means the data being transferred can, if desired, be read (in unencrypted form) by the owner of a network device sitting between the app and the servers.

Hope this makes sense.


#9

Good to know the app has got our backs when it comes to encryption…


#10

Well, I am sure you won’t take my word for it, but I’ll say it anyway:

SSL is as safe over an unencrypted network as it is over an encrypted network. It’s as safe over a VPN as it is over a public network. It is designed for that purpose.

For SSL to be compromised, certificates need to be replaced. For that to occur then either the client (i.e. my phone) or the server would need to be compromised (or a mistake). Or a MITM attack (compromised router). However, if that did occur, it is detected as part of the SSL spec and easily thwarted.

The issue arises in browsers as users often ignore warnings that the connection is not secure.

But as you have control over that, this shouldn’t be possible.

So if you are (as you said previously) disallowing the use over VPNs and public networks, then I ask that your security team revisit this as it does not offer any additional security.

If you are saying my phone is compromised, then that does not make any sense as the error cleared once I connected to another network; ergo it is broken.


#11

This can only occur if the client accepts a compromised “fake” certificate; this would mean your app would check its authenticity and have to incorrectly authenticate. This would not happen. SSL is secure, no-one is decrypting it.

In fact the only known way to “crack” SSL is to hijack a root server, which has been done once to Microsoft; but your app’s security measures above wouldn’t protect against that.


#12

Adam, that’s not actually true - proxy servers for example can unencrypt traffic, inspect it and encrypt it again before forwarding it on (various methods of doing this, but normally via injecting their own certificate onto the device). As a user of that network there isn’t a huge amount you can do to prevent this - however the modification of the traffic can be easily detected by the receiver (Starling in this case) and the connection dropped and an error message presented.


#13

I had it occur on two different occasions while connected to the EE network in Essex. I went into my settings and forced a band/frequency change so it would pick up a different transmitter and the problem went away. So if you are roaming, try a different network provider.


#14

That can only happen where the client, i.e. my phone, has authorised the use of the root certificates for the authority that proxy belongs to.

An example of this is Websense: where an organisation uses Websense, the client computers need Websense’s certificates installed. This cannot happen automatically.

It is not possible for an unauthorised server to decrypt SSL traffic. If it was, you could join the TOR network as a proxy and start decrypting traffic, which would effectively make TOR redundant…


#15

Not roaming, but something to keep in mind. I’d prefer if Starling didn’t do this though, SSL is safe to use over any connection :slight_smile:


#16

It’s an edge case, but worth bearing in mind:

We allow users in our company to enroll their personal mobile devices in our Mobile Device Management (MDM) solution in order to get work email and access to corporate systems from their personal devices. I use it exclusively as I have a dual SIM phone and don’t like carrying two devices. Our MDM can push down CA certificates to enrolled devices, so theoretically a user could be unwittingly going through a MITM type proxy without having knowingly installed the root certificate.

However, I do think an error or warning would be better than a red herring message stating the app requires an upgrade.
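The user-installed-CA scenario in #16 and the decrypt-and-re-encrypt proxy described in #8 and #12 are exactly what Android's Network Security Config is meant to address. The fragment below is an added example, not Starling's configuration; the host name and pin digests are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest via
     android:networkSecurityConfig="@xml/network_security_config".
     Added example; api.example.com and the pin values are placeholders. -->
<network-security-config>
    <!-- Weak setting: trusting src="user" means a CA pushed by MDM or installed
         by hand (the #16 scenario) can issue a certificate the app accepts, so an
         intercepting proxy (#12) can read traffic without the app noticing.
         Left here only for contrast. -->
    <!--
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    -->

    <!-- Hardened setting: no cleartext, only the platform CA store, and SPKI pins
         for the API hosts. A proxy certificate, whoever issued it, fails the pin
         check and the connection is refused, which is the behaviour #8 describes. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-12-31">
            <!-- Base64 SHA-256 of the leaf or intermediate SubjectPublicKeyInfo;
                 keep at least one backup pin so key rotation does not lock users out.
                 Placeholder values, not real digests. -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Honoured only in debuggable builds, so developers can test through an
         inspection proxy without weakening the release build. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Apps targeting Android 7.0 (API 24) or later already ignore user-added CAs unless the config opts back in, so the pin-set is the part that adds protection against a CA the platform itself trusts.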


#17

Yeah that’s a scenario I can get with, but in that case it’s still possible to check certificates and consider the connection compromised. This is different from using a browser where as far as the browser is concerned, all is OK because you installed the certs.

Interestingly, far larger organisations, i.e. Google, Apple etc., do not take the measures Starling has, because SSL is safe if implemented correctly.

I’m wondering if the red herring error message is actually an attempt at security through obscurity; at some point in the app’s design someone made the decision to show that error instead of a correct one.


#18

I am surprised that Starling thinks accessing the net over a VPN is insecure. I have just tried using my Android phone over my home wifi and true enough Starling does not allow a connection when I am connected over a VPN. I think a technical explanation from Starling is required as generally using the net while travelling is more secure over a VPN, that’s their purpose.