An analysis of popular mobile stock trading apps showed that many of them are vulnerable to hacker attacks due to the existence of flaws and the lack of important security features.
IOActive researcher Alejandro Hernández tested a total of 21 widely used stock trading applications for Android and iOS. The expert’s tests focused on 14 security controls and they were conducted on a non-jailbroken iPhone 6 running iOS 10.3.3 and an emulation of a rooted device running Android 7.1.1.
The companies whose apps have been targeted have not been named, but Hernandez pointed out that the most secure application was developed by a brokerage firm that suffered a data breach many years ago.
Some of the issues discovered by the researcher can be exploited by having physical access to the targeted device. This includes passwords stored in clear text by 19% of the tested apps, and logging various types of sensitive data without encrypting it by roughly two-thirds of the apps.
Mobile stock trading applications typically allow users to buy or sell stock, transfer funds from their bank accounts, keep track of equity, monitor owned securities and profit, create alerts for specified thresholds, and communicate with other traders.
These operations involve highly sensitive personal and financial information, which should not be stored without encryption and should not be protected by a password that can be easily obtained by unauthorized users. In some cases, poor policies prevent users from setting strong passwords.
The list of problems identified by the researcher also includes the lack of detection for rooted devices (in the case of Android apps), the lack of proper obfuscation, hardcoded cryptographic keys and passwords, and data leakage. Hardcoded secrets were found in the code of 62 percent of the targeted applications.
IOActive has informed 13 of the brokerage firms whose apps had high risk vulnerabilities, but only two of them replied to the security firm’s emails.
“Digging in some US regulators’ websites, I noticed that they are already aware of the cybersecurity threats that might negatively impact financial markets and stakeholders,” Hernandez said in a blog post. “Most of the published content focuses on general threats that could impact end-users or institutions such as phishing, identity theft, antivirus software, social media risks, privacy, and procedures to follow in case of cybersecurity incidents, such as data breaches or disruptive attacks.”
“Nevertheless, I did not find any documentation related to the security risks of electronic trading nor any recommended guidance for secure software development to educate brokers and FinTech companies on how to create quality products,” he added.