By Phil Muncaster
Some of the most popular trading apps on the planet are riddled with vulnerabilities which could allow remote attackers to hijack accounts and steal users’ money, according to new research from IOActive.
The pen testing firm decided to run the rule on 21 of the most popular mobile stock trading applications, which have millions of global users and process billions of dollars in transactions every year.
It tested 14 security controls, many of which had a high failure rate, including privacy mode (95%), SSL certificate validation (62%), secure data storage (67%), root detection (95%), sensitive data in logging console (62%) and hardcoded secrets in code (62%).
Unfortunately, 19% of the apps exposed user passwords in clear text, meaning an attacker with physical access to the device could easily log in to trade the victim's stocks or steal money.
What’s more, nearly two-thirds (62%) sent sensitive data to log files and 67% stored that data unencrypted. This means attackers with physical access to the device could discover a user’s net worth and their investment strategy, among other things.
Two apps used unencrypted HTTP channels to transmit and receive data, while 13 of the apps that used HTTPS didn’t check the authenticity of the remote endpoint by verifying its SSL certificate. This could enable man-in-the-middle attacks designed to spy on the app and even tamper with the app data via public Wi-Fi hotspots, IOActive said.
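To make the certificate-validation failure described above concrete, here is an added Java example written for this page (it is not code from IOActive's research or from any of the apps tested). It places the common Android/JSSE anti-pattern, a TrustManager and HostnameVerifier that accept anything, next to the corrected form that validates the chain against the platform trust store and keeps the default hostname check. The broker host name is a hypothetical placeholder.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

public class EndpointTrust {

    // Anti-pattern (what a code review should flag): a TrustManager whose
    // checkServerTrusted never throws accepts ANY certificate, whether
    // self-signed, expired, or issued for a different host. A proxy on a
    // public hotspot can therefore terminate the TLS session unnoticed.
    static SSLContext trustEverythingContext() throws Exception {
        TrustManager[] acceptAll = new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {}
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {}
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, acceptAll, null);
        return ctx;
    }

    // Anti-pattern: a HostnameVerifier that always returns true accepts a
    // perfectly valid certificate that was issued to some other host.
    static final HostnameVerifier ACCEPT_ANY_HOST = (hostname, session) -> true;

    // Corrected form: build the chain validator from the platform trust store
    // (passing a null KeyStore selects the default) and leave hostname
    // verification, which HttpsURLConnection enables by default, untouched.
    static SSLContext platformTrustContext() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Opens a connection that will refuse an endpoint whose certificate does
    // not chain to a trusted root or does not match the requested host.
    static HttpsURLConnection openVerified(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(platformTrustContext().getSocketFactory());
        // Deliberately NOT calling conn.setHostnameVerifier(ACCEPT_ANY_HOST).
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical broker API host, used only as a placeholder.
        HttpsURLConnection conn = openVerified("https://api.example-broker.invalid/v1/portfolio");
        // Against an interception proxy presenting an untrusted certificate,
        // connect() fails with an SSLHandshakeException instead of silently
        // handing the session (and the account credentials) to the proxy.
        conn.connect();
    }
}
```

On Android 7.0 and later the same policy is better expressed declaratively in a Network Security Configuration (`network_security_config.xml`), which also lets an app set `cleartextTrafficPermitted="false"` to block the plain-HTTP channels that two of the tested apps were found to use; custom TrustManagers should then only appear for deliberate certificate pinning, never to bypass validation.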
In addition, 95% of the apps didn’t detect rooted environments on Android handsets, meaning the underlying device may be exposed to extra security risks.