Published by Gbaf News
Posted on September 26, 2017
7 min readLast updated: January 21, 2026
IOActive today released details of cybersecurity vulnerabilities found in many of the most popular mobile stock trading applications. The 21 apps tested have millions of users worldwide and process billions of dollars in transactions each year. IOActive has warned that the results of its tests thus far have proved trading app security to be much worse than personal banking apps tested in 2013 and 2015, and could allow malicious actors to trade a user’s stocks, steal their money, and gain insight into their net worth and investment strategy.
The test results, conducted by IOActive senior security consultant, Alejandro Hernandez, were outlined in a blog post published today. Key findings include:
“We have better security in the mobile apps used to check our bank balance and pay the gas bill than in the trading apps that transfer billions in shares and shape the financial market as we know it” said Hernandez. “The days of shouting on stock exchange trading floors are gone. Mobile devices and apps are the investment management tools of choice, but there is a major gap in security and understanding from both developers and users. Cybersecurity is not the first concern for people in the FinTech space, most of which are not technical, and nor are the people using the apps themselves. Most don’t know what’s sensitive and what needs to be properly secured. By comparison, it’s far easier to understand what constitutes sensitive information in a personal banking app, hence they are far better secured. Historically, security researchers have disregarded trading apps as well, probably because of a lack of understanding of money markets.”
In addition to fixing the vulnerabilities identified in these tests, Hernandez says that the industry has a responsibility to improve the maturity level of security in mobile trading apps, and that desktop/web platforms should also be tested and improved. In the blog post, Hernandez suggests that developers need to design new, more secure financial software; that brokerage firms should be required to perform regular internal audits; and that regulators should encourage brokers to implement safeguards for a better trading environment.
“As part of my research, I couldn’t find any recommended guidance for secure software development to educate brokers and FinTech companies on creating quality products,” continued Hernandez. “Regulators must do much more to encourage brokers to implement safeguards for a better trading environment and develop trading-specific guidelines for creating trading software. I wouldn’t discourage people using from using all mobile trading apps, but all security features should be enabled and apps must be used with an understanding of the potential risks involved. The stock market is not a casino where you magically get rich overnight. If you lack an understanding of how stocks or other financial instruments work, there is a high risk of losing money quickly. Cybersecurity has the same high stakes.
IOActive reached out to 13 of the brokerage firms whose trading apps presented some of the higher risks vulnerabilities, and has received two responses thus far. In total, 21 mobile trading applications were tested.
IOActive today released details of cybersecurity vulnerabilities found in many of the most popular mobile stock trading applications. The 21 apps tested have millions of users worldwide and process billions of dollars in transactions each year. IOActive has warned that the results of its tests thus far have proved trading app security to be much worse than personal banking apps tested in 2013 and 2015, and could allow malicious actors to trade a user’s stocks, steal their money, and gain insight into their net worth and investment strategy.
The test results, conducted by IOActive senior security consultant, Alejandro Hernandez, were outlined in a blog post published today. Key findings include:
“We have better security in the mobile apps used to check our bank balance and pay the gas bill than in the trading apps that transfer billions in shares and shape the financial market as we know it” said Hernandez. “The days of shouting on stock exchange trading floors are gone. Mobile devices and apps are the investment management tools of choice, but there is a major gap in security and understanding from both developers and users. Cybersecurity is not the first concern for people in the FinTech space, most of which are not technical, and nor are the people using the apps themselves. Most don’t know what’s sensitive and what needs to be properly secured. By comparison, it’s far easier to understand what constitutes sensitive information in a personal banking app, hence they are far better secured. Historically, security researchers have disregarded trading apps as well, probably because of a lack of understanding of money markets.”
In addition to fixing the vulnerabilities identified in these tests, Hernandez says that the industry has a responsibility to improve the maturity level of security in mobile trading apps, and that desktop/web platforms should also be tested and improved. In the blog post, Hernandez suggests that developers need to design new, more secure financial software; that brokerage firms should be required to perform regular internal audits; and that regulators should encourage brokers to implement safeguards for a better trading environment.
“As part of my research, I couldn’t find any recommended guidance for secure software development to educate brokers and FinTech companies on creating quality products,” continued Hernandez. “Regulators must do much more to encourage brokers to implement safeguards for a better trading environment and develop trading-specific guidelines for creating trading software. I wouldn’t discourage people using from using all mobile trading apps, but all security features should be enabled and apps must be used with an understanding of the potential risks involved. The stock market is not a casino where you magically get rich overnight. If you lack an understanding of how stocks or other financial instruments work, there is a high risk of losing money quickly. Cybersecurity has the same high stakes.
IOActive reached out to 13 of the brokerage firms whose trading apps presented some of the higher risks vulnerabilities, and has received two responses thus far. In total, 21 mobile trading applications were tested.
Explore more articles in the Technology category
