September 28, 2017 By Larry Loeb 2 min read

Over 20 popular stock trading apps contain flaws that could expose users and lead to stolen money or lost personal data, according to research from IOActive.

Alejandro Hernandez, a senior security consultant for IOActive, posted the results of his examination of 21 of the most popular mobile stock trading apps. These apps process billions of dollars in transactions per year and are used by millions of people worldwide.

In total, Hernandez sent disclosures to 13 private brokerage firms. As Threatpost summarized, the response was not encouraging: Only two firms acknowledged the reports. Because there are no fixes currently available, IOActive has yet to name the specific apps tested.

Types of Problems in Stock Trading Apps

Hernandez tested security controls and found that 19 percent of the 21 apps exposed user passwords in cleartext. Without encryption enabled, a threat actor who managed to get physical access to a device could devastate an account.

Not only that, but 62 percent of apps were found to directly send important financial data to log files and systems. In this transmission effort, Hernandez found that 67 percent of data was stored at rest in an unencrypted fashion. Physical access to the device would be necessary to extract this information.

Two of the apps used an unencrypted HTTP channel for transmission and reception of data in motion. But even encrypted channels were not secure — 13 of the 19 apps using HTTPS did not check the authenticity of the remote server via a method such as certificate pinning. This means that if a threat actor could install a malicious SSL certificate, it would put the actor in a position to launch a man-in-the-middle (MitM) attack.

Threatpost observed that this same lack of certificate checking could allow MitM situations if the attacker is in control of a public Wi-Fi router or the hub at an internet service provider (ISP). Cybercriminals could impersonate the back end of the transaction.

XSS Is Probable

Malicious JavaScript or HTML could also be injected due to this lack of certificate verification. Hernandez found that 10 apps were configured to execute JavaScript code in web views, and as a result common cross-site scripting (XSS) attacks were possible. Stealing credentials with phony forms would be one example of this sort of attack.

In the IOActive post, Hernandez recommended that “regulators should develop trading-specific guidelines to be followed by the brokerage firms and fintech companies in charge of creating trading software,” which would deal with the seemingly underappreciated financial harm that these kinds of apps can cause.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today