Mobile stock trading apps ignore critical flaw warnings

IOActive discovered vulnerabilities in today's 21 most popular trading apps -- but the vendors couldn't care less.


IOActive has discovered severe security issues with today's most popular stock trading applications, but it appears that the developers behind the apps are not interested.

On Tuesday, the security firm released the results of research into 21 popular mobile stock trading applications available on iOS and Android, which have millions of users worldwide and process billions of dollars in transactions per year.

Exploiting these vulnerabilities can not only lead to the leak of user data, but can allow threat actors to trade a user's stocks, steal their funds, and spy on their net worth and investment strategies, which could then be used to conduct additional fraudulent trading.

Among the findings by Alejandro Hernandez, IOActive senior security consultant, was that 19 percent of the 21 apps exposed user passwords in cleartext, without any encryption protections in place, so an attacker with physical access to the device could cause havoc.

"During testing, I noticed that most of the apps require only the current password to link banking accounts and do not have two-factor authentication (2FA) implemented; therefore, no authorization one-time password (OTP) is sent to the user's phone or email," the researcher said.

In addition, 62 percent of the apps sent sensitive data to log files and systems -- and 67 percent of that data was stored unencrypted -- while two of the apps used unencrypted HTTP channels to transmit and receive data.

In total, 13 out of 19 applications which use HTTPS do not check the authenticity of the remote endpoint by verifying its SSL certificate, which gives attackers the opportunity to perform Man-in-the-Middle (MiTM) attacks to eavesdrop on communication and tamper with application data.

The researcher also says that attackers could inject malicious JavaScript or HTML code into server responses due to this failure to check certificates. Ten of the apps are configured to execute JavaScript code, and so it is possible to implement Cross-site Scripting (XSS) attacks.
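The three transport-layer failures just described (cleartext HTTP, missing server certificate validation and JavaScript enabled in embedded web views) are visible in an app's source code and network security configuration, so they can be caught in review before release. The script below is an added example, not IOActive's tooling and not code from any of the apps tested: it runs a handful of regex checks for real Android/Java APIs (`X509TrustManager.checkServerTrusted`, `HostnameVerifier.verify`, `WebSettings.setJavaScriptEnabled`, the `cleartextTrafficPermitted` attribute of `network_security_config.xml`, and `android.util.Log`) over constructed snippets of an insecure client and a hardened one. The hostnames and the pin value are placeholders.

```python
"""Static checks for the transport weaknesses described in the article,
run over constructed Android snippets.  Added example only; the sample
source and config below are constructed and use placeholder hostnames."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    line: str


# Each rule is (name, pattern).  Patterns target real Android/Java APIs and
# are applied one source line at a time.
RULES = [
    # Plain HTTP endpoint: traffic can be read or altered on the network path.
    ("cleartext-http-url", re.compile(r'"http://[^"]+"')),
    # network_security_config.xml explicitly allowing cleartext traffic.
    ("cleartext-traffic-permitted",
     re.compile(r'cleartextTrafficPermitted\s*=\s*"true"')),
    # TrustManager that accepts any chain: checkServerTrusted with an empty body,
    # which is what lets a MitM present an arbitrary certificate.
    ("trust-all-certificates",
     re.compile(r'checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}')),
    # Hostname verification switched off.
    ("hostname-verifier-allow-all",
     re.compile(r'ALLOW_ALL_HOSTNAME_VERIFIER|'
                r'public boolean verify\([^)]*\)\s*\{\s*return true;\s*\}')),
    # JavaScript enabled in a WebView that renders server-supplied content.
    ("webview-javascript-enabled",
     re.compile(r'setJavaScriptEnabled\s*\(\s*true\s*\)')),
    # Credentials or tokens written to the system log.
    ("sensitive-data-logged",
     re.compile(r'Log\.[vdiwe]\s*\(.*(password|passwd|token|secret)',
                re.IGNORECASE)),
]


def scan(source: str) -> list[Finding]:
    """Return every rule hit in `source`, with 1-based line numbers."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, no, line.strip()))
    return findings


def rules_hit(source: str) -> set[str]:
    """Names of the rules that fired at least once."""
    return {f.rule for f in scan(source)}


# Constructed insecure client: every pattern the article mentions.
INSECURE_JAVA = """\
public class TradeClient {
    static final String API = "http://api.example-broker.test/v1/";
    TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return null; }
    } };
    HostnameVerifier anyHost = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };
    void login(String user, String password) {
        Log.d("TradeClient", "login user=" + user + " password=" + password);
        webView.getSettings().setJavaScriptEnabled(true);
    }
}
"""

INSECURE_XML = """\
<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
</network-security-config>
"""

# Constructed hardened client: HTTPS only, platform certificate validation
# (no custom TrustManager or HostnameVerifier), JavaScript off, no secrets logged.
HARDENED_JAVA = """\
public class TradeClient {
    static final String API = "https://api.example-broker.test/v1/";
    void login(String user, String password) {
        Log.d("TradeClient", "login attempt for user=" + user);
        webView.getSettings().setJavaScriptEnabled(false);
    }
}
"""

# Cleartext refused and the broker's certificate pinned (placeholder pin value).
HARDENED_XML = """\
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config>
        <domain includeSubdomains="true">api.example-broker.test</domain>
        <pin-set>
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_HASH=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""

if __name__ == "__main__":
    for label, text in [("insecure Java", INSECURE_JAVA), ("insecure XML", INSECURE_XML),
                        ("hardened Java", HARDENED_JAVA), ("hardened XML", HARDENED_XML)]:
        hits = scan(text)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line_no}: {f.rule}: {f.line}")
```

Line-based regexes are deliberately simple and will miss a trust-all `TrustManager` whose empty method body is split over several lines, so treat a clean result as a first pass rather than proof; the point is that the checks fire on the insecure client and stay silent on the hardened one, which is the property a pre-release gate needs.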

The apps also contained other security concerns, such as easy reverse-engineering of APKs, web browsing trust level errors, and other information leaks.

IOActive would not name the apps or vendors involved, but it did reach out to 13 of the brokers with the worst vulnerabilities, and only two bothered to respond.

This in itself says far more about the brokerage firms and their attitudes to consumer safety than anything else -- and frankly, it is a pity that they are not named.

In these cases, if a security firm reaching out is not enough to prompt them to change their outlook on cybersecurity, exposure should.

Publicly releasing the vulnerabilities, proof-of-concept (PoC) code and vendor names might place users in immediate danger of compromise, but for every day these vendors choose to ignore such glaring issues, traders are in any case at risk of having their money stolen, their information spied upon and their activities leaked.

"Regulators must do much more to encourage brokers to implement safeguards for a better trading environment and develop trading-specific guidelines for creating trading software," Hernandez commented. "I wouldn't discourage people from using all mobile trading apps, but all security features should be enabled and apps must be used with an understanding of the potential risks involved."

"The stock market is not a casino where you magically get rich overnight," the researcher added. "If you lack an understanding of how stocks or other financial instruments work, there is a high risk of losing money quickly. Cybersecurity has the same high stakes."