Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Vulnerabilities Found in Many Mobile Stock Trading Apps

An analysis of popular mobile stock trading apps showed that many of them are vulnerable to hacker attacks due to the existence of flaws and the lack of important security features.

An analysis of popular mobile stock trading apps showed that many of them are vulnerable to hacker attacks due to the existence of flaws and the lack of important security features.

IOActive researcher Alejandro Hernández tested a total of 21 widely used stock trading applications for Android and iOS. The expert’s tests focused on 14 security controls and they were conducted on a non-jailbroken iPhone 6 running iOS 10.3.3 and an emulation of a rooted device running Android 7.1.1.

The companies whose apps have been targeted have not been named, but Hernandez pointed out that the most secure application was developed by a brokerage firm that suffered a data breach many years ago.

Some of the issues discovered by the researcher can be exploited by having physical access to the targeted device. This includes passwords stored in clear text by 19% of the tested apps, and logging various types of sensitive data without encrypting it by roughly two-thirds of the apps.

Mobile stock trading applications typically allow users to buy or sell stock, transfer funds from their bank accounts, keep track of equity, monitor owned securities and profit, create alerts for specified thresholds, and communicate with other traders.

These operations involve highly sensitive personal and financial information, which should not be stored without encryption and should not be protected by a password that can be easily obtained by unauthorized users. In some cases, poor policies prevent users from setting strong passwords.

Two of the trading apps analyzed by Hernandez use HTTP for data transfers and 13 of the 19 programs that do use HTTPS don’t implement SSL pinning, allowing man-in-the-middle (MitM) attacks that can result in data being stolen or altered. MitM attacks can also be used to inject malicious JavaScript code into the app.

The list of problems identified by the researcher also includes the lack of detection for rooted devices (in the case of Android apps), the lack of proper obfuscation, hardcoded cryptographic keys and passwords, and data leakage. Hardcoded secrets were found in the code of 62 percent of the targeted applications.

Stock trading app security vulnerabilities

IOActive has informed 13 of the brokerage firms whose apps had high risk vulnerabilities, but only two of them replied to the security firm’s emails.

“Digging in some US regulators’ websites, I noticed that they are already aware of the cybersecurity threats that might negatively impact financial markets and stakeholders,” Hernandez said in a blog post. “Most of the published content focuses on general threats that could impact end-users or institutions such as phishing, identity theft, antivirus software, social media risks, privacy, and procedures to follow in case of cybersecurity incidents, such as data breaches or disruptive attacks.”

“Nevertheless, I did not find any documentation related to the security risks of electronic trading nor any recommended guidance for secure software development to educate brokers and FinTech companies on how to create quality products,” he added.

Related: OPSEC in the Underground – A Look at Insider Trading

Related: Hackers Can Intercept Data From Popular iOS Apps

Related: Waledac Botnet Used in Stock Pump and Dump Spam Campaign

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.