IOActive Senior Security Consultant Alejandro Hernández analyzed 21 of the most used and well-known mobile trading apps available on the Apple App Store and Google Play Store and found serious vulnerabilities, some of which could allow an attacker to compromise a user's account and/or view their trading strategies.
Hernández tested 14 security controls, including biometric authentication, automatic logout/lockout for idle sessions, privacy mode, social media/trading community risks, encrypted communication, SSL certificate validation, session management, client-side data in the logging console, secure data storage, root detection, app obfuscation, hardcoded secrets in code, and signed applications.
He found that 50 percent of the applications use insecure data storage, do not check SSL certificates, send sensitive data to logs, do not enforce root detection, and have hardcoded secrets in their reversed source code.
Four of the apps were found to write the user's password in clear text to either an unencrypted XML configuration file or the logging console, 62 percent of the apps tested sent sensitive data to log files, and 67 percent stored unencrypted data, although physical access to the device was required to extract the information in any of the aforementioned cases.
If an attacker were to gain access to a user's device, they could extract a password from the file system relatively easily and perform unauthorized actions such as selling stock or transferring money to a newly added bank account, which could then be deleted once the transfer is complete.
Hernández said developers should analyze their apps to determine whether they suffer from common vulnerabilities and adopt more secure coding practices. The apps that expose cleartext passwords are insecure, but they are relatively easy to fix; other apps would require more work.
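A check for the two leak paths described above (cleartext values in the logging console and in an unencrypted preferences XML file), added here as an illustration and not code from IOActive's assessment; the logcat lines, the preferences file and the canary credentials are constructed. The tester enters known canary values into the app, then searches the captured output for them and for any credential-like fields:

```python
import re
import xml.etree.ElementTree as ET

# Canary values the tester typed into the app during the session (constructed).
CANARIES = {"password": "Tr4d3r!2017", "account": "ACC-99887766"}
# Android logcat "threadtime" format: date time pid tid level tag: message
LOGCAT_RE = re.compile(r"^\S+\s+\S+\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+([^:]+):\s*(.*)$")
# key=value or "key":"value" pairs whose key names a credential or session secret
SECRET_KV_RE = re.compile(r"""(?i)["']?(?:password|passwd|pwd|token|secret|session\w*)["']?\s*[=:]\s*["']?\S+""")
SECRET_NAME_RE = re.compile(r"(?i)pass(word)?|pwd|token|secret|session")

def scan_logcat(lines):
    """Return (line_no, tag, reason) for each logcat line that leaks sensitive data."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOGCAT_RE.match(line)
        if not m:
            continue  # not a logcat line; ignore
        tag, msg = m.group(4).strip(), m.group(5)
        for name, value in CANARIES.items():
            if value in msg:
                findings.append((n, tag, f"canary {name} in log"))
        if SECRET_KV_RE.search(msg):
            findings.append((n, tag, "secret-looking field in log"))
    return findings

def scan_shared_prefs(xml_text):
    """Return names of <string> entries holding a canary value or a secret-looking name."""
    leaks = []
    for el in ET.fromstring(xml_text).iter("string"):
        name, value = el.get("name", ""), el.text or ""
        if value in CANARIES.values() or SECRET_NAME_RE.search(name):
            leaks.append(name)
    return leaks

# Constructed sample data standing in for a real logcat capture and prefs file.
SAMPLE_LOGCAT = [
    "10-16 12:01:02.345  1234  1234 D LoginActivity: user=alice password=Tr4d3r!2017",
    "10-16 12:01:02.400  1234  1234 I OkHttp: --> POST https://broker.example/api/login",
    '10-16 12:01:03.010  1234  1250 D Session: {"sessionToken":"eyJhbGciOi...","ttl":900}',
    "10-16 12:01:03.020  1234  1250 I Quotes: AAPL 156.02 +0.4%",
]
SAMPLE_PREFS = """<map>
    <string name="username">alice</string>
    <string name="password">Tr4d3r!2017</string>
    <boolean name="biometric_enabled" value="true" />
</map>"""
if __name__ == "__main__":
    print(scan_logcat(SAMPLE_LOGCAT), scan_shared_prefs(SAMPLE_PREFS))
```

On a device, the same functions can be fed the output of `adb logcat -v threadtime` and the app's `shared_prefs/*.xml` files pulled from a rooted test device.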
“At the current state, I'd say that the most insecure to use are those that do not encrypt the communications (two of the apps),” Hernández said. “To turn them into secure channels would take more time than the other vulnerabilities, which could be easily patched with newly implemented features, such as root detection, or ceasing to send sensitive values to the logging functionality.”
Hernández said the majority of tested apps also require only a current password to link banking accounts and don't use multifactor authentication.
To address these and other issues, the researchers recommended that regulators develop trading-specific guidelines to be followed by the brokerage firms and FinTech companies in charge of creating trading software.
Hernández recommends users keep their trading apps updated to combat these threats.
“Enable all of the security countermeasures that your app offers; for example, some apps offer 2FA (two-factor authentication) after the biometric one,” he said. “Others offer the automatic logout/lockout of the session after an amount of time, which is good in case you lose your phone or it is stolen.”