Ioactive Warns of Vulnerabilities in 21 Most Popular Mobile Trading Apps: Hackers Able to Trade Users’ Stocks, Steal Money and Access Data

IOActive today released details of cybersecurity vulnerabilities found in many of the most popular mobile stock trading applications. The 21 apps tested have millions of users worldwide and process billions of dollars in transactions each year. IOActive has warned that the results of its tests thus far have proved trading app security to be much worse than personal banking apps tested in 2013 and 2015, and could allow malicious actors to trade a user’s stocks, steal their money, and gain insight into their net worth and investment strategy.

The test results, conducted by IOActive senior security consultant, Alejandro Hernandez, were outlined in a blog post published today. Key findings include:

• 19 percent of apps expose user passwords in clear text, meaning an attacker with physical access to the device could easily log in to trade their stocks or steal money
• 62 percent send sensitive data to log files and 67 percent store it unencrypted, allowing attackers with physical access to gain insight into a user’s net worth, investment strategy and balances
• Two apps use unencrypted HTTP channels to transmit and receive data, and 13 of the apps that use HTTPS do not check the authenticity of the remote endpoint by verifying its SSL certificate – making it possible to perform man-in-the-middle attacks to eavesdrop and tamper with the app data via pub Wi-Fi hotspots
• Three quarters (76 percent) of apps support fingerprint-reading as a security measure, which means they can be used by anyone that has their fingerprint registered to the device e.g. children or a spouse

“We have better security in the mobile apps used to check our bank balance and pay the gas bill than in the trading apps that transfer billions in shares and shape the financial market as we know it” said Hernandez. “The days of shouting on stock exchange trading floors are gone. Mobile devices and apps are the investment management tools of choice, but there is a major gap in security and understanding from both developers and users. Cybersecurity is not the first concern for people in the FinTech space, most of which are not technical, and nor are the people using the apps themselves. Most don’t know what’s sensitive and what needs to be properly secured. By comparison, it’s far easier to understand what constitutes sensitive information in a personal banking app, hence they are far better secured. Historically, security researchers have disregarded trading apps as well, probably because of a lack of understanding of money markets.”

In addition to fixing the vulnerabilities identified in these tests, Hernandez says that the industry has a responsibility to improve the maturity level of security in mobile trading apps, and that desktop/web platforms should also be tested and improved. In the blog post, Hernandez suggests that developers need to design new, more secure financial software; that brokerage firms should be required to perform regular internal audits; and that regulators should encourage brokers to implement safeguards for a better trading environment.

“As part of my research, I couldn’t find any recommended guidance for secure software development to educate brokers and FinTech companies on creating quality products,” continued Hernandez. “Regulators must do much more to encourage brokers to implement safeguards for a better trading environment and develop trading-specific guidelines for creating trading software. I wouldn’t discourage people using from using all mobile trading apps, but all security features should be enabled and apps must be used with an understanding of the potential risks involved. The stock market is not a casino where you magically get rich overnight. If you lack an understanding of how stocks or other financial instruments work, there is a high risk of losing money quickly. Cybersecurity has the same high stakes.

IOActive reached out to 13 of the brokerage firms whose trading apps presented some of the higher risks vulnerabilities, and has received two responses thus far. In total, 21 mobile trading applications were tested.

IOActive today released details of cybersecurity vulnerabilities found in many of the most popular mobile stock trading applications. The 21 apps tested have millions of users worldwide and process billions of dollars in transactions each year. IOActive has warned that the results of its tests thus far have proved trading app security to be much worse than personal banking apps tested in 2013 and 2015, and could allow malicious actors to trade a user’s stocks, steal their money, and gain insight into their net worth and investment strategy.

The test results, conducted by IOActive senior security consultant, Alejandro Hernandez, were outlined in a blog post published today. Key findings include:

• 19 percent of apps expose user passwords in clear text, meaning an attacker with physical access to the device could easily log in to trade their stocks or steal money
• 62 percent send sensitive data to log files and 67 percent store it unencrypted, allowing attackers with physical access to gain insight into a user’s net worth, investment strategy and balances
• Two apps use unencrypted HTTP channels to transmit and receive data, and 13 of the apps that use HTTPS do not check the authenticity of the remote endpoint by verifying its SSL certificate – making it possible to perform man-in-the-middle attacks to eavesdrop and tamper with the app data via pub Wi-Fi hotspots
• Three quarters (76 percent) of apps support fingerprint-reading as a security measure, which means they can be used by anyone that has their fingerprint registered to the device e.g. children or a spouse

“We have better security in the mobile apps used to check our bank balance and pay the gas bill than in the trading apps that transfer billions in shares and shape the financial market as we know it” said Hernandez. “The days of shouting on stock exchange trading floors are gone. Mobile devices and apps are the investment management tools of choice, but there is a major gap in security and understanding from both developers and users. Cybersecurity is not the first concern for people in the FinTech space, most of which are not technical, and nor are the people using the apps themselves. Most don’t know what’s sensitive and what needs to be properly secured. By comparison, it’s far easier to understand what constitutes sensitive information in a personal banking app, hence they are far better secured. Historically, security researchers have disregarded trading apps as well, probably because of a lack of understanding of money markets.”

In addition to fixing the vulnerabilities identified in these tests, Hernandez says that the industry has a responsibility to improve the maturity level of security in mobile trading apps, and that desktop/web platforms should also be tested and improved. In the blog post, Hernandez suggests that developers need to design new, more secure financial software; that brokerage firms should be required to perform regular internal audits; and that regulators should encourage brokers to implement safeguards for a better trading environment.

“As part of my research, I couldn’t find any recommended guidance for secure software development to educate brokers and FinTech companies on creating quality products,” continued Hernandez. “Regulators must do much more to encourage brokers to implement safeguards for a better trading environment and develop trading-specific guidelines for creating trading software. I wouldn’t discourage people using from using all mobile trading apps, but all security features should be enabled and apps must be used with an understanding of the potential risks involved. The stock market is not a casino where you magically get rich overnight. If you lack an understanding of how stocks or other financial instruments work, there is a high risk of losing money quickly. Cybersecurity has the same high stakes.

IOActive reached out to 13 of the brokerage firms whose trading apps presented some of the higher risks vulnerabilities, and has received two responses thus far. In total, 21 mobile trading applications were tested.