
IOActive review on popular mobile apps opens a can of worms


In what can be described as a major threat, a security firm has warned that popular mobile stock trading applications are riddled with vulnerabilities, spelling more trouble for their users.

Security vendor IOActive recently reviewed 21 of the most used mobile apps for investment trading on Google Play and Apple's App Store. It found that the majority of them expose millions of users worldwide to a range of security risks.

The applications let users do a variety of things, from buying and selling stock to funding accounts, keeping track of equity and available buying power, and creating alerts for specific price thresholds.

“I tested the 14 security controls, which represent just the tip of the iceberg when compared to an exhaustive list of security checks for mobile apps,” said Alejandro Hernandez, senior security consultant for IOActive. “The exercise showed that some of the most well known and most used mobile trading apps are even more insecure than some personal banking apps were back in 2013 when IOActive conducted similar tests”.

Hernandez further added, “The user would never have to see the logging console, but for attackers with physical access to the phone it’s a gold mine. Data in the log files can also be read by other applications, including malware, thereby opening a way for remote data exfiltration”.

“On the other hand, if the phone is stolen or lost, it’s easy to extract valuable information, such as the investment portfolio and money balances,” Hernandez warned.

Painting a bleak picture overall, the sensational review brought forward the following weaknesses:

  • Only one trading app supports “Privacy Mode,” which protects the customers’ private information displayed on the screen in public areas where shoulder-surfing attacks are feasible.
  • At least four of the applications stored the user’s password in plaintext without encryption in either a configuration file within the phone or in the logging console.
  • More than 60 percent of the apps sent sensitive data to log files, and 67 percent stored it unencrypted.
  • In two applications, an unencrypted HTTP channel was used for authentication, in addition to the username and password being written to the log.

During the review, it was also found that 10 of the applications were configured to execute JavaScript code, giving attackers a way to trigger cross-site scripting (XSS) attacks.

Most of the reviewed applications had sensitive data such as cryptographic keys and third-party service partner passwords hardcoded in the app, while 10 contained confidential data such as internal hostnames and IP addresses of the environments where the apps were developed or tested.
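The weakness classes listed above (credentials written to the logging console, passwords stored in plaintext configuration, cleartext HTTP used for authentication, JavaScript enabled in embedded web views, and hardcoded keys and internal hostnames) are all things an app-security reviewer can flag with a simple static scan of decompiled sources before an app ships. The script below is an added example written for this article; it is not IOActive's tooling and does not reflect any specific app from the report. The file names, source lines, partner key and internal addresses are constructed for illustration, and the regular expressions are deliberately narrow Android/Java patterns that a real review would extend.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of decompiled Android source lines (hypothetical file names
# and values; not taken from any real application in the IOActive review).
SAMPLE_SOURCE: Dict[str, List[str]] = {
    "LoginActivity.java": [
        'Log.d("Login", "user=" + username + " password=" + password);',
        'prefs.edit().putString("password", password).apply();',
        'String url = "http://api.example-broker.test/auth";',
    ],
    "NewsFragment.java": [
        "webView.getSettings().setJavaScriptEnabled(true);",
        "webView.loadUrl(articleUrl);",
    ],
    "Config.java": [
        'static final String PARTNER_API_KEY = "AKIAEXAMPLEKEY1234567890";',
        'static final String DEV_HOST = "build-server-01.corp.internal";',
        'static final String STAGING_IP = "10.20.30.40";',
    ],
}

# One (check name, pattern) pair per weakness class described in the article.
CHECKS = [
    # Sensitive values concatenated into android.util.Log calls.
    ("secret_in_log",
     re.compile(r"Log\.[dviwe]\(.*\b(password|passwd|pwd|pin|token|secret)\b", re.I)),
    # Credentials persisted to SharedPreferences (a plaintext XML file on the device).
    ("plaintext_credential_store",
     re.compile(r'putString\(\s*"(password|passwd|pin|token)"', re.I)),
    # Cleartext endpoints; authentication over these exposes credentials in transit.
    ("cleartext_http", re.compile(r"[\"']http://")),
    # JavaScript enabled in a WebView, the precondition for XSS inside the app.
    ("javascript_enabled", re.compile(r"setJavaScriptEnabled\(\s*true\s*\)")),
    # Constant-style identifiers holding a long literal: hardcoded keys/partner passwords.
    ("hardcoded_secret",
     re.compile(r'\b[A-Z_]*(KEY|SECRET|TOKEN|PASSWORD)[A-Z_]*\s*=\s*"[^"]{8,}"')),
    # Internal hostnames or RFC 1918 addresses left over from dev/test environments.
    ("internal_host",
     re.compile(r"\b[\w-]+(\.[\w-]+)*\.(internal|local|corp|lan)\b"
                r"|\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
                r"|192\.168\.\d{1,3}\.\d{1,3}"
                r"|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")),
]


@dataclass
class Finding:
    file: str
    lineno: int
    check: str
    text: str


def scan_source(files: Dict[str, List[str]]) -> List[Finding]:
    """Run every check over every line and return one Finding per match."""
    findings: List[Finding] = []
    for name, lines in files.items():
        for lineno, line in enumerate(lines, start=1):
            for check, pattern in CHECKS:
                if pattern.search(line):
                    findings.append(Finding(name, lineno, check, line.strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per weakness class, for a quick triage summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.check] = counts.get(f.check, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for f in results:
        print(f"{f.file}:{f.lineno} [{f.check}] {f.text}")
    print(summarize(results))
```

Each hit points at a line a reviewer should read by hand: a `Log.*` call carrying a password, a `putString("password", ...)` that should be replaced by a platform keystore-backed credential, an `http://` endpoint that must become HTTPS with certificate validation, or a WebView that enables JavaScript for content it does not control. A regex scan has false positives and misses obfuscated code, so it belongs at the start of a review, not in place of one.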

As part of its action plan, IOActive has reportedly shared the details of its research findings with 13 brokerage firms whose trading applications had high-risk flaws. The company said that only two firms have responded so far.