Some of the most popular trading apps on the planet are riddled with vulnerabilities which could allow remote attackers to hijack accounts and steal users' money, according to new research from IOActive.
The pen testing firm decided to run the rule on 21 of the most popular mobile stock trading applications, which have millions of global users and process billions of dollars in transactions every year.
It tested 14 security controls, many of which had a high failure rate, including privacy mode (95%), SSL certificate validation (62%), secure data storage (67%), root detection (95%), sensitive data in logging console (62%) and hardcoded secrets in code (62%).
Unfortunately, 19% exposed user passwords in clear text, meaning an attacker with physical access to the device could easily log in to trade their stocks or steal money.
What’s more, nearly two-thirds (62%) sent sensitive data to log files and 67% stored that data unencrypted. This means attackers with physical access to the device could discover a user’s net worth and their investment strategy, among other things.
Two apps used unencrypted HTTP channels to transmit and receive data, while 13 of the apps that used HTTPS didn’t check the authenticity of the remote endpoint by verifying its SSL certificate. This could enable man-in-the-middle attacks designed to spy on the app and even tamper with the app data via public Wi-Fi hotspots, IOActive said.
In addition, 95% of the apps didn’t detect rooted environments on Android handsets, meaning the underlying device may be exposed to extra security risks.
Interestingly, the most secure app appraised by senior security consultant, Alejandro Hernández, was developed by a brokerage firm which had previously suffered a data breach “many years ago.”
The apps he tested were less secure than those offered by high street lenders.
“Mobile devices and apps are the investment management tools of choice, but there is a major gap in security and understanding from both developers and users. Cybersecurity is not the first concern for people in the FinTech space, most of which are not technical, and nor are the people using the apps themselves,” he argued.
“Most don’t know what’s sensitive and what needs to be properly secured. By comparison, it’s far easier to understand what constitutes sensitive information in a personal banking app, hence they are far better secured. Historically, security researchers have disregarded trading apps as well, probably because of a lack of understanding of money markets.”
He urged industry regulators to do much more to improve security standards, guidelines and education in the sector.
“As part of my research, I couldn’t find any recommended guidance for secure software development to educate brokers and FinTech companies on creating quality products,” said Hernández.