Over 20 popular stock trading apps contain flaws that could expose users and lead to stolen money or lost personal data, according to research from IOActive.

Alejandro Hernandez, a senior security consultant for IOActive, posted the results of his examination of 21 of the most popular mobile stock trading apps. These apps process billions of dollars in transactions per year and are used by millions of people worldwide.

In total, Hernandez sent disclosures to 13 private brokerage firms. As Threatpost summarized, the response was not encouraging: Only two firms acknowledged the reports. Because there are no fixes currently available, IOActive has yet to name the specific apps tested.

Types of Problems in Stock Trading Apps

Hernandez tested security controls and found that 19 percent of the 21 apps exposed user passwords in cleartext. Without encryption enabled, a threat actor who managed to get physical access to a device could devastate an account.

Not only that, but 62 percent of apps were found to directly send important financial data to log files and systems. In this transmission effort, Hernandez found that 67 percent of data was stored at rest in an unencrypted fashion. Physical access to the device would be necessary to extract this information.

Two of the apps used an unencrypted HTTP channel for transmission and reception of data in motion. But even encrypted channels were not secure — 13 of the 19 apps using HTTPS did not check the authenticity of the remote server via a method such as certificate pinning. This means that if a threat actor could install a malicious SSL certificate, it would put the actor in a position to launch a man-in-the-middle (MitM) attack.

Threatpost observed that this same lack of certificate checking could allow MitM situations if the attacker is in control of a public Wi-Fi router or the hub at an internet service provider (ISP). Cybercriminals could impersonate the back end of the transaction.

XSS Is Probable

Malicious JavaScript or HTML could also be injected due to this lack of certificate verification. Hernandez found that 10 apps were configured to execute JavaScript code in web views, and as a result common cross-site scripting (XSS) attacks were possible. Stealing credentials with phony forms would be one example of this sort of attack.

In the IOActive post, Hernandez recommended that “regulators should develop trading-specific guidelines to be followed by the brokerage firms and fintech companies in charge of creating trading software,” which would deal with the seemingly underappreciated financial harm that these kinds of apps can cause.