Researcher finds flaws in top mobile trading apps


A senior consultant at security firm IOActive Labs claims to have found vulnerabilities in the latest versions of 21 of the most used and well-known mobile trading apps on the Google Play Store and Apple's App Store.

Alejandro Hernández said he had only tested the mobile apps; desktop and Web versions were not tested. He added that, although he had found some vulnerabilities in the backend servers, these were not listed in his findings.

The mobile apps were tested on iOS 10.3.3 (iPhone 6, not jailbroken) and Android 7.1.1 (using an emulator on a rooted device).

When Hernández was contacted and asked why he did not list the apps so that consumers could be aware and avoid them, a spokesman for IOActive Labs told iTWire:

"IOActive takes responsible disclosure extremely seriously. In this case, IOActive disclosed all vulnerabilities to the firms affected prior to release of the blog post. To give them time to effectively resolve these issues, IOActive did not reveal the names of the specific firms or applications affected."

The spokesman added: "The blog post also informs the industry and wider public of common vulnerabilities in mobile trading applications and the consequences should they be exploited.

"Consequently, potential users will be more aware of the security risks involved in such apps, including the data that may be vulnerable and how. It may allow them to better assess the mobile trading apps and security features available to them, as well as prompting them to follow cyber security best practice, such as turning on all security features and not using these apps over public Wi-Fi hotspots."

Hernández wrote: "I tested the following 14 security controls (graphic below), which represent just the tip of the iceberg when compared to an exhaustive list of security checks for mobile apps.

[Graphic: the 14 security controls tested, courtesy IOActive Labs]

"This may give you a better picture of the current state of these apps’ security. It's worth noting that I could not test all of the controls in some of the apps either because a feature was not implemented (e.g. social chats) or it was not technically feasible (e.g. SSL pinning that wouldn't allow data manipulation), or simply because I could not open an account."

He said that the results he had obtained were much worse than when he had tested personal banking apps in 2013 and 2015.

The following were the issues he encountered:

Clear text passwords were exposed in four apps, which sent the user's password in clear text either to an unencrypted XML configuration file or to the logging console. In two cases, in addition to the flaws cited, the username and password were authenticated over an unencrypted HTTP channel.

Trading and account information was exposed by 62% of the apps, which sent sensitive data to log files. Sixty-seven percent of the apps stored the data without encrypting it, he said, adding that physical access to the device was needed to extract this data.
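As an added example (not from the IOActive research or this article), the following Python script shows the kind of check a defender can run over an app's console log to detect the first two findings above: credentials and account data written in clear text, and requests sent over plain HTTP. The log lines are constructed to resemble Android logcat output; the app name, package path, endpoint and all values are invented.

```python
"""Scan application log lines for credentials and account data written in clear text.

Added example, not IOActive's tooling or any app's code. The sample log below is
constructed to look like Android logcat output; no real app or broker is represented.
"""
import re

# Constructed sample: what a trading app that logs its login request and account
# state to the console might emit. Every value here is made up.
SAMPLE_LOG = """\
10-03 12:01:05.112 I/TradeApp( 4321): login request user=jdoe password=Hunter2! endpoint=http://api.example-broker.test/login
10-03 12:01:05.340 D/TradeApp( 4321): session token=eyJhbGciOiJIUzI1NiJ9.e30.abc123 expires=3600
10-03 12:01:06.002 D/TradeApp( 4321): portfolio refresh: accountNumber=98765432 balance=125430.77 USD
10-03 12:01:06.210 I/TradeApp( 4321): placed order symbol=ACME qty=100 side=BUY
10-03 12:01:07.000 I/TradeApp( 4321): config saved to /data/data/com.example.trade/shared_prefs/prefs.xml
"""

# Each pattern names a category of data that should never reach a log file or console.
# The capture group holds the exposed value so it can be redacted in the report.
PATTERNS = {
    "password": re.compile(r"\b(?:password|passwd|pwd)\s*[=:]\s*(\S+)", re.I),
    "session_token": re.compile(r"\btoken\s*[=:]\s*(\S+)", re.I),
    "account_number": re.compile(r"\baccount(?:number|_number|no)?\s*[=:]\s*(\d{6,})", re.I),
    "balance": re.compile(r"\bbalance\s*[=:]\s*([\d.,]+)", re.I),
    "plain_http": re.compile(r"\b(http://\S+)", re.I),
}


def redact(value: str, keep: int = 2) -> str:
    """Keep a short prefix so a finding can be matched to its log line without re-exposing the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_log(text: str) -> list[dict]:
    """Return one finding per (line, category) match, with the matched value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append(
                    {"line": lineno, "category": category, "value": redact(match.group(1))}
                )
    return findings


def summarize(findings: list[dict]) -> dict:
    """Count findings per category, the figure a report would lead with."""
    counts: dict = {}
    for finding in findings:
        counts[finding["category"]] = counts.get(finding["category"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for finding in results:
        print(f"line {finding['line']:>2}  {finding['category']:<15} {finding['value']}")
    print(summarize(results))
```

On the constructed sample the scanner flags five exposures across three lines (a password and a plain-HTTP endpoint on the login line, a session token, an account number and a balance); the order line and the config-path line are clean. In practice the same patterns would be run over a device's logcat capture or the app's own log files, and the redacted report is what gets attached to the finding.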

Insecure communication was noticed with two apps that used an unencrypted HTTP channel to transmit and receive all data. Thirteen of the 19 apps that used HTTPS did not check the authenticity of the remote endpoint by verifying its SSL certificate.
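The certificate-validation finding above can be expressed as a configuration audit. The following Python snippet is an added example, not IOActive's tooling or any app's code; Python's ssl module stands in for a mobile platform's TLS stack, and the two context builders are hypothetical illustrations of a weak client configuration (no certificate or hostname verification, the failure mode described in the article) beside a hardened one.

```python
"""Audit a TLS client context for the verification gaps a security review looks for.

Added example, not from IOActive or any trading app. Python's ssl module is used
here as a stand-in for a mobile platform's TLS API; the two builder functions are
hypothetical configurations constructed for the demonstration.
"""
import ssl


def audit_ssl_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of human-readable issues; an empty list means the context verifies its peer."""
    issues = []
    # Without CERT_REQUIRED the client accepts any certificate, so an interposed
    # endpoint with a self-signed or unrelated certificate is not rejected.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("server certificate is not verified (verify_mode is not CERT_REQUIRED)")
    # A valid certificate for the wrong name must also be rejected.
    if not ctx.check_hostname:
        issues.append("hostname is not checked against the certificate")
    # Protocol floor: anything below TLS 1.2 is a separate, lesser finding.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("TLS versions below 1.2 are accepted")
    return issues


def insecure_context() -> ssl.SSLContext:
    """Hypothetical 'accept anything' client, the pattern behind the 13-of-19 finding."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared before verify_mode can be relaxed.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Hypothetical corrected client: system trust store, hostname check, TLS 1.2 floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, builder in (("insecure", insecure_context), ("hardened", hardened_context)):
        issues = audit_ssl_context(builder())
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

The insecure context is reported for both missing certificate verification and missing hostname checking, while the hardened one passes cleanly. The same three questions (is the chain verified, is the name checked, what is the protocol floor) apply to any HTTP client library an app embeds, whatever language it is written in.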

Authentication and session management were also badly implemented, Hernández wrote, noting that only five apps did not implement fingerprint reading. But he pointed out that there was a downside to using the fingerprint database, as the prints of all users on a device would have full access to the trading accounts (graphic on right).

Of the 21 apps, only one supported privacy mode, but even this was implemented badly, with columns of figures that were not supposed to be visible easily read.

Client-side data validation was haphazard, with the possibility of cross-site scripting attacks existing in 10 apps.

Additionally, 20 of the 21 apps did not check to see if they were running in a rooted environment. And while one did check, all it did was to show a warning screen and allow the user to continue using the app.

Hernández also found hardcoded secrets in code and weak app obfuscation, with six of the Android installer files easily reverse engineered. He said that only two of the firms he had notified between 6 and 8 September had responded to his emails by 26 September, when he posted details of the flaws.

"Digging in some US regulators’ websites, I noticed that they are already aware of the cyber security threats that might negatively impact financial markets and stakeholders," he wrote.

"Nevertheless, I did not find any documentation related to the security risks of electronic trading nor any recommended guidance for secure software development to educate brokers and FinTech companies on how to create quality products."

Graphics: courtesy IOActive Labs
