September 28, 2017 By Larry Loeb 2 min read

Over 20 popular stock trading apps contain flaws that could expose users and lead to stolen money or lost personal data, according to research from IOActive.

Alejandro Hernandez, a senior security consultant for IOActive, posted the results of his examination of 21 of the most popular mobile stock trading apps. These apps process billions of dollars in transactions per year and are used by millions of people worldwide.

In total, Hernandez sent disclosures to 13 private brokerage firms. As Threatpost summarized, the response was not encouraging: Only two firms acknowledged the reports. Because there are no fixes currently available, IOActive has yet to name the specific apps tested.

Types of Problems in Stock Trading Apps

Hernandez tested security controls and found that 19 percent of the 21 apps exposed user passwords in cleartext. Without encryption enabled, a threat actor who managed to get physical access to a device could devastate an account.

Not only that, but 62 percent of apps were found to directly send important financial data to log files and systems. In this transmission effort, Hernandez found that 67 percent of data was stored at rest in an unencrypted fashion. Physical access to the device would be necessary to extract this information.

Two of the apps used an unencrypted HTTP channel for transmission and reception of data in motion. But even encrypted channels were not secure — 13 of the 19 apps using HTTPS did not check the authenticity of the remote server via a method such as certificate pinning. This means that if a threat actor could install a malicious SSL certificate, it would put the actor in a position to launch a man-in-the-middle (MitM) attack.

Threatpost observed that this same lack of certificate checking could allow MitM situations if the attacker is in control of a public Wi-Fi router or the hub at an internet service provider (ISP). Cybercriminals could impersonate the back end of the transaction.

XSS Is Probable

Malicious JavaScript or HTML could also be injected due to this lack of certificate verification. Hernandez found that 10 apps were configured to execute JavaScript code in web views, and as a result common cross-site scripting (XSS) attacks were possible. Stealing credentials with phony forms would be one example of this sort of attack.

In the IOActive post, Hernandez recommended that “regulators should develop trading-specific guidelines to be followed by the brokerage firms and fintech companies in charge of creating trading software,” which would deal with the seemingly underappreciated financial harm that these kinds of apps can cause.

More from

CISA hit by hackers, key systems taken offline

3 min read - The Cybersecurity and Infrastructure Security Agency (CISA) — responsible for cybersecurity and infrastructure protection across all levels of the United States government — has been hacked.“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced.In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a widely deployed…

Cloud security evolution: Years of progress and challenges

7 min read - Over a decade since its advent, cloud computing continues to enable organizational agility through scalability, efficiency and resilience. As clients shift from early experiments to strategic workloads, persistent security gaps demand urgent attention even as providers expand infrastructure safeguards.The prevalence of cloud-native services has grown exponentially over the past decade, with cloud providers consistently introducing a multitude of new services at an impressive pace. Now, the contemporary cloud environment is not only larger but also more diverse. Unfortunately, that size…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today