Mobile Trading Apps Fail Key Security Features Test

Tuesday, 26/09/2017 | 15:45 GMT by Colin Firth
  • Most of the security flaws found were severe in nature.
Mobile Trading Apps Fail Key Security Features Test
Bloomberg

Leading global Cybersecurity consultant IOActive today released a security report covering 21 of the most popular mobile trading apps, and it warns of major security flaws in all of them. In its report, it stated that the security features of the apps are worse than the personal banking apps tested in 2013 and 2015.

Register now to the London Summit 2017, Europe’s largest gathering of top-tier retail brokers and institutional FX investors

A point worth mentioning is that the trading apps generate billions of dollars worth of transactions from millions of users, and they are vulnerable to scams and losses. The test, conducted by IOActive's senior security consultant Alejandro Hernandez, mentioned the details of security flaws in a blog post published today.

  • About 19 percent of the apps expose passwords in clear text, meaning that attackers can gain access to the information if they gain physical access to the device.
  • Around 62 percent of the apps send sensitive data to log files and 67 percent store unencrypted data.
  • 2 apps use encrypted HTTPs channels to receive and send data, and 13 fail to check the authenticity of the remote endpoint by verifying its SSL certificate, making them vulnerable to hacks via public Wi-Fi hotspots.
  • 5 apps do not incorporate fingerprint-reading as a security measure.

The report has not been well received by the firms whose apps were tested. Only 2 of 13 brokerages have responded to IOActive's results.

Hernandez said: "We have better security in the mobile apps used to check our bank balance and pay the gas bill than in the trading apps that transfer billions in shares and shape the financial market as we know it.

Cybersecurity is not the first concern for people in the Fintech space, most of which are not technical, and nor are the people using the apps themselves. Most don’t know what’s sensitive and what needs to be properly secured. By comparison, it’s far easier to understand what constitutes sensitive information in a personal banking app, hence they are far better secured. Historically, security researchers have disregarded trading apps as well, probably because of a lack of understanding of money markets.

In addition to the generic IT best practices for secure software development, regulators should develop trading-specific guidelines to be followed by the brokerage firms and fintech companies in charge of creating trading software. Brokerage firms should perform regular internal audits to continuously improve the security posture of their trading platforms."

Leading global Cybersecurity consultant IOActive today released a security report covering 21 of the most popular mobile trading apps, and it warns of major security flaws in all of them. In its report, it stated that the security features of the apps are worse than the personal banking apps tested in 2013 and 2015.

Register now to the London Summit 2017, Europe’s largest gathering of top-tier retail brokers and institutional FX investors

A point worth mentioning is that the trading apps generate billions of dollars worth of transactions from millions of users, and they are vulnerable to scams and losses. The test, conducted by IOActive's senior security consultant Alejandro Hernandez, mentioned the details of security flaws in a blog post published today.

  • About 19 percent of the apps expose passwords in clear text, meaning that attackers can gain access to the information if they gain physical access to the device.
  • Around 62 percent of the apps send sensitive data to log files and 67 percent store unencrypted data.
  • 2 apps use encrypted HTTPs channels to receive and send data, and 13 fail to check the authenticity of the remote endpoint by verifying its SSL certificate, making them vulnerable to hacks via public Wi-Fi hotspots.
  • 5 apps do not incorporate fingerprint-reading as a security measure.

The report has not been well received by the firms whose apps were tested. Only 2 of 13 brokerages have responded to IOActive's results.

Hernandez said: "We have better security in the mobile apps used to check our bank balance and pay the gas bill than in the trading apps that transfer billions in shares and shape the financial market as we know it.

Cybersecurity is not the first concern for people in the Fintech space, most of which are not technical, and nor are the people using the apps themselves. Most don’t know what’s sensitive and what needs to be properly secured. By comparison, it’s far easier to understand what constitutes sensitive information in a personal banking app, hence they are far better secured. Historically, security researchers have disregarded trading apps as well, probably because of a lack of understanding of money markets.

In addition to the generic IT best practices for secure software development, regulators should develop trading-specific guidelines to be followed by the brokerage firms and fintech companies in charge of creating trading software. Brokerage firms should perform regular internal audits to continuously improve the security posture of their trading platforms."

About the Author: Colin Firth
Colin Firth
  • 213 Articles
About the Author: Colin Firth
  • 213 Articles

More from the Author

Institutional FX

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}