On Tuesday, IOActive, a security consultancy with headquarters in Seattle, Washington, the UK, Europe and the Middle East, released the results of research into 21 of the latest versions of the most used and well-known mobile trading apps available on the Apple Store and Google Play.
Alejandro Hernandez, a senior security consultant at IOActive, found that the mobile trading apps he looked at, including TD Ameritrade, Charles Schwab, E-Trade, Fidelity and others, had glaring security flaws that are easy to uncover and exploit. He points out that trading differs from banking: in the banking system, information is centralized in one single financial entity, leaving one point of failure rather than many.
In global exchange markets, the information is distributed; records of who owns what, who sold or bought what, and to whom, are not stored in a single place but in many. This makes the valuable information, as well as the attack surface and vectors in trading environments, slightly different from those in banking systems.
14 security controls tested
Hernandez focused only on the mobile apps; desktop and web platforms were not tested. As it is, the apps he did test have millions of global users and process billions of dollars in transactions every year. He tested 14 security controls, which he says is just the tip of the iceberg in a long list of security checks for mobile apps.
Hernandez says, “Unfortunately, the results proved to be much worse than those for personal banking apps in 2013 and 2015.” He found that 19 percent of the 21 apps stored user passwords in cleartext, with no encryption protections in place; an attacker with physical access to the user’s device could read the password, log in and steal their money.
Of the 14 controls he tested, many had a high failure rate, including privacy mode (95 percent), SSL certificate validation (62 percent), secure data storage (67 percent), root detection (95 percent), sensitive data in the logging console (62 percent) and hardcoded secrets in code (62 percent).
As for insecure communication, Hernandez says, “Two apps use unencrypted HTTP channels to transmit and receive all data, and 13 of 19 apps that use HTTPS do not check the authenticity of the remote endpoint by verifying its SSL certificate (SSL pinning); therefore, it’s feasible to perform Man-in-the-Middle (MITM) attacks to eavesdrop on and tamper with data.”
How much do brokerage firms care about your security?
IOActive followed responsible disclosure: between September 6th and 8th, Hernandez sent a detailed report to 13 of the brokerage firms whose trading apps presented some of the higher-risk vulnerabilities discussed in this article.
As ZDNet puts it, only two firms bothered to respond, and “this in itself says far more about the brokerage firms and their attitudes to consumer safety than anything else — and frankly, it is a pity that they are not named.”
“Regulators must do much more to encourage brokers to implement safeguards for a better trading environment and develop trading-specific guidelines for creating trading software,” Hernandez commented. “I wouldn’t discourage people from using all mobile trading apps, but all security features should be enabled and apps must be used with an understanding of the potential risks involved.”
Surprisingly, Hernandez didn’t set out to investigate mobile trading apps. He was just checking the app he uses on his mobile phone for trading.
