SaFi Bank Space : Technical readiness - known issues

This page enumerates known issues from a technical perspective.
It has two main parts, features and security. At the end there is also a list of known bugs connected to the EPFS testing scope.

Devices

The app should be tested on:

  • Android 8+

  • iOS 14+

  • BOFE: Safari latest

Bank personnel

The onboarding process contains a step where VideoKYC is necessary in some cases. The VideoKYC process itself requires an agent to process it, so for a successful pass through onboarding there has to be someone performing the role of VideoKYC agent.

VideoKYC is not triggered in every onboarding, but it is triggered each time OSP recognizes the need, e.g. when the same phone number is used a second time.

Features

Blockers

All blockers are resolved.

Limitations

Sign in on new device (not unlock)

The application does not implement signing in on a new device.

Unlocking the application works.

Sign in on a new device is part of neither the EPFS scope nor the MVP scope.

  • This means that a customer can access the app only from the device they were onboarded on; after losing application data (reinstalling, clearing application data) they cannot get back in.

  • If you close the application and open it again, you can unlock it with the PIN.

Not implemented:

  • Logging in with a different user on the same device.

  • Logging in with the same user on a different device.

  • Logging out to make the app available for logging in with a different user.

There is (or was) a workaround for this during testing, which is a security hole. It will be disabled during EPFS testing.

Bank statement generation timing

Statements are generated at the turn of the month. If you want to test them, please coordinate with Maria Capaldo D'Amato to generate one outside of this timeframe.

Interest calculation

Interest is accounted at the end of the month. If this needs to be tested, please coordinate with Viliam Dillinger.

Risks

SMS testing accounts

Infobip and macrokiosk are still on testing accounts, whose SMS limit can be depleted at any time. This can cause onboarding to fail during testing because SMS messages are not delivered; we can only anticipate this, not prevent it.

Issues

Async pockets (minor)

Actions in pockets are mostly asynchronous and the FE is not ready for that: the effect of some actions (closing, locking, editing, creating) becomes visible only after a few seconds, but the user is not notified about this (no loader).

Privacy (minor)

We have no restrictions on PII in logs: some logs contain personally identifiable information, as this was not among the EPFS requirements.

Security

There are some security issues we are aware of.

Application related

Weak passwords

We use device-only passcodes, which are not strong (6-digit passcodes). They are stored only locally on the device, so the app can be unlocked only on the device where the passcode was created.
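Because a 6-digit passcode has only 1,000,000 possible values, its security rests entirely on the passcode never leaving the device and on the number of guesses being throttled there. The following is an added illustration, not SaFi code, of a local PIN verifier that derives a salted key from the passcode and locks after a fixed number of failures; the salt length, the scrypt parameters and the attempt limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

PIN_LENGTH = 6
KEYSPACE = 10 ** PIN_LENGTH   # 1,000,000 possible 6-digit passcodes
MAX_ATTEMPTS = 5              # assumed lockout threshold for this example


class PinStore:
    """Holds a salted scrypt digest of the passcode and a failure counter.

    Constructed example: the real app's storage format is not described on
    the page; this only shows what a device-only passcode check needs.
    """

    def __init__(self, pin: str) -> None:
        self._check_format(pin)
        self.salt = os.urandom(16)          # per-device random salt (assumption)
        self.digest = self._derive(pin, self.salt)
        self.failures = 0

    @staticmethod
    def _check_format(pin: str) -> None:
        if len(pin) != PIN_LENGTH or not pin.isdigit():
            raise ValueError("passcode must be exactly %d digits" % PIN_LENGTH)

    @staticmethod
    def _derive(pin: str, salt: bytes) -> bytes:
        # A memory-hard KDF makes each guess cost something even if the
        # stored digest leaks; parameters are example values.
        return hashlib.scrypt(pin.encode("ascii"), salt=salt,
                              n=2 ** 12, r=8, p=1, dklen=32)

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_ATTEMPTS

    def verify(self, pin: str) -> bool:
        """Return True only for the correct passcode on an unlocked store."""
        if self.locked:
            return False
        try:
            self._check_format(pin)
        except ValueError:
            self.failures += 1
            return False
        if hmac.compare_digest(self._derive(pin, self.salt), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        return False


def guesses_before_lockout(store: PinStore) -> int:
    """Simulate an on-device brute force from 000000 upward and count how
    many guesses the store processes before it locks."""
    tried = 0
    for candidate in range(KEYSPACE):
        if store.locked:
            break
        store.verify("%06d" % candidate)
        tried += 1
    return tried


if __name__ == "__main__":
    store = PinStore("987654")
    print("correct PIN accepted:", store.verify("987654"))
    print("guesses processed before lockout:", guesses_before_lockout(store),
          "of", KEYSPACE)
```

The point of the counter is that, without it, the whole keyspace is searchable in seconds on a rooted device; with it, an attacker who has the device gets only a handful of guesses out of a million, which is the property the "device-only" qualifier above depends on.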

Login Bypass - will be removed 2022-10-21 20:00 CET

There is a login bypass in the application, which will be turned off during VAPT and in production.

Reused signatures

Request signatures do not cover the HTTP method and path, so a signature can be reused at a different endpoint if the body is the same (and the customer ID and credential ID are the same).
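To make the reuse concrete, here is an added example (not the SaFi signing code, whose algorithm this page does not describe) that assumes an HMAC-SHA256 signature keyed per credential. It signs one request for a hypothetical endpoint and then presents the same body and signature to a second hypothetical endpoint, once under a scheme that covers only the IDs and body, and once under a scheme that also binds the method and path. The secret, customer ID, credential ID, body and paths are all constructed for the example.

```python
import hashlib
import hmac

# Constructed per-credential secret; the real key material is not on the page.
SECRET = b"per-credential-secret-example"


def canonical_body_only(customer_id: str, credential_id: str, body: bytes) -> bytes:
    """The scheme as described above: only the IDs and the body are signed.
    Nothing about the request line enters the signed string."""
    return b"\n".join([customer_id.encode(), credential_id.encode(), body])


def canonical_bound(customer_id: str, credential_id: str,
                    method: str, path: str, body: bytes) -> bytes:
    """Hardened scheme: the HTTP method and path are part of the signed string.
    Fields are length-prefixed so that different splits of the same bytes
    cannot produce the same canonical string."""
    fields = [customer_id.encode(), credential_id.encode(),
              method.upper().encode(), path.encode(), body]
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def sign(secret: bytes, message: bytes) -> str:
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret: bytes, message: bytes, signature: str) -> bool:
    # The server rebuilds the canonical string from the request it actually
    # received, so whatever is left out of it cannot be checked.
    return hmac.compare_digest(sign(secret, message), signature)


def replay_demo() -> dict:
    """Sign a request for one endpoint and replay it against another."""
    customer, credential = "cust-001", "cred-001"
    body = b'{"amount":"100.00","currency":"PHP"}'
    original = ("POST", "/v1/transfers/quote")      # hypothetical path
    replayed = ("POST", "/v1/transfers/execute")    # hypothetical path

    # Scheme 1: the receiving endpoint computes the same string regardless
    # of path, so the signature captured at /quote validates at /execute.
    sig_body_only = sign(SECRET, canonical_body_only(customer, credential, body))
    body_only_replay_accepted = verify(
        SECRET, canonical_body_only(customer, credential, body), sig_body_only)

    # Scheme 2: the path is inside the signed string, so the same signature
    # fails at any other endpoint while still passing at the original one.
    sig_bound = sign(SECRET, canonical_bound(customer, credential, *original, body))
    bound_original_accepted = verify(
        SECRET, canonical_bound(customer, credential, *original, body), sig_bound)
    bound_replay_accepted = verify(
        SECRET, canonical_bound(customer, credential, *replayed, body), sig_bound)

    return {
        "body_only_replay_accepted": body_only_replay_accepted,
        "bound_original_accepted": bound_original_accepted,
        "bound_replay_accepted": bound_replay_accepted,
    }


if __name__ == "__main__":
    for name, accepted in replay_demo().items():
        print("%-28s %s" % (name, accepted))
```

When checking a fix for this item, the test is exactly the second half of `replay_demo`: capture a validly signed request, change only the method or path, and confirm the server rejects it. Binding the method and path stops cross-endpoint reuse; replay of the identical request at the same endpoint is a separate matter that a timestamp or nonce in the signed string would address.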

Webhooks without authentication

The webhooks from AAI are currently not secured: no token is passed, so they can be called by anyone. Solving this is in progress.

Possible enumeration of phone numbers

The endpoint used for sending money to a phone number makes it possible to check whether a phone number is registered with the bank, and therefore to enumerate existing phone numbers.

This issue needs to be solved by a different business process that the bank is going to implement.

VIDA access is not secured

Details: communication happens between the VIDA SDK (FE) and the VIDA BE, so we are not aware of the details, but we use no credentials either on the VIDA SDK FE side or when our BE services connect to the VIDA BE. (The latter is invisible to the EPFS testers.)

Infrastructure related

Infrastructure scaling

The infrastructure is ready to be scaled for production load, but it is currently not scaled or prepared for heavy load.

Infrastructure uptime support

The bank does not have 24/7 uptime support, but the combined DevOps team can provide support during normal Philippine and Slovak business hours (Monday to Friday, 09:00 to 17:00 local time), i.e. 09:00-23:00 PST.

Infrastructure management password policy

No password policy is set for Okta, which is used for all accesses.

Known bugs