September 28, 2017 By Larry Loeb 2 min read

Over 20 popular stock trading apps contain flaws that could expose users and lead to stolen money or lost personal data, according to research from IOActive.

Alejandro Hernandez, a senior security consultant for IOActive, posted the results of his examination of 21 of the most popular mobile stock trading apps. These apps process billions of dollars in transactions per year and are used by millions of people worldwide.

In total, Hernandez sent disclosures to 13 private brokerage firms. As Threatpost summarized, the response was not encouraging: Only two firms acknowledged the reports. Because there are no fixes currently available, IOActive has yet to name the specific apps tested.

Types of Problems in Stock Trading Apps

Hernandez tested security controls and found that 19 percent of the 21 apps exposed user passwords in cleartext. Without encryption enabled, a threat actor who managed to get physical access to a device could devastate an account.

Not only that, but 62 percent of apps were found to directly send important financial data to log files and systems. In this transmission effort, Hernandez found that 67 percent of data was stored at rest in an unencrypted fashion. Physical access to the device would be necessary to extract this information.

Two of the apps used an unencrypted HTTP channel for transmission and reception of data in motion. But even encrypted channels were not secure — 13 of the 19 apps using HTTPS did not check the authenticity of the remote server via a method such as certificate pinning. This means that if a threat actor could install a malicious SSL certificate, it would put the actor in a position to launch a man-in-the-middle (MitM) attack.

Threatpost observed that this same lack of certificate checking could allow MitM situations if the attacker is in control of a public Wi-Fi router or the hub at an internet service provider (ISP). Cybercriminals could impersonate the back end of the transaction.

XSS Is Probable

Malicious JavaScript or HTML could also be injected due to this lack of certificate verification. Hernandez found that 10 apps were configured to execute JavaScript code in web views, and as a result common cross-site scripting (XSS) attacks were possible. Stealing credentials with phony forms would be one example of this sort of attack.

In the IOActive post, Hernandez recommended that “regulators should develop trading-specific guidelines to be followed by the brokerage firms and fintech companies in charge of creating trading software,” which would deal with the seemingly underappreciated financial harm that these kinds of apps can cause.

More from

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today