Many popular stock trading apps contain security flaws that hackers can exploit to trade a user’s stocks, steal their money, and learn their net worth.
21 top mobile stock trading apps inspected by security firm IOActive for cyber security vulnerabilities were found to contain numerous flaws that malicious actors could easily exploit to steal money or to gain insight into a user’s financial standing.
Following his inspection of the stock trading apps, researcher Alejandro Hernandez noted that banking apps are in general a lot more secure than stock trading apps, even though both handle monetary transactions. The most worrying finding is that a majority of the apps do not encrypt sensitive data, leaving that data exposed if the device is infected.
As many as one in five of the stock trading apps, on both iOS and Android, expose user passwords in clear text, leaving them readable by third parties with physical access to the device on which the app is installed. With such a password, a hacker can sell stocks, transfer the proceeds to a newly added bank account, and delete that bank account once the transfer is complete.
Hernandez also noted that two of the apps used the old, unencrypted HTTP protocol to send and receive data. Even among the apps that did use HTTPS, 13 failed to verify the SSL signatures of remote endpoints, making it easier for attackers to mount man-in-the-middle attacks and gain access to sensitive data.
Most alarmingly, Hernandez found that as many as 67% of the apps did not encrypt stored data, and 62% wrote sensitive data to log files. Since robust encryption is usually the last line of defence against malware infections or other hacking attempts, the lack of encryption in these apps means users’ financial data is at risk at all times.
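A quick way for a developer or auditor to check an app's own source (or its decompiled code) for the four weakness classes reported above, as an added example that is not IOActive's tooling; the file contents are constructed, and the patterns are heuristics for Android Java/Kotlin code that may produce false positives.

```python
"""Heuristic static checks for the weakness classes found in the trading apps:
cleartext HTTP, disabled TLS validation, secrets written to logs, and secrets
stored unencrypted.  Constructed example; not from any real app."""
import re
from typing import Dict, List, Tuple

# Each rule is (category, regex).  These are heuristics, not proofs: review
# every hit by hand, and expect misses for code written in other styles.
RULES: List[Tuple[str, re.Pattern]] = [
    # Hard-coded plain-HTTP endpoint (the two apps that never used HTTPS).
    ("cleartext-http", re.compile(r'"http://[^"]+"')),
    # Empty checkServerTrusted body or an accept-all hostname verifier
    # (the 13 apps that used HTTPS but did not validate the endpoint).
    ("tls-validation-disabled", re.compile(
        r"checkServerTrusted\s*\([^)]*\)\s*\{\s*\}"
        r"|ALLOW_ALL_HOSTNAME_VERIFIER"
        r"|hostnameVerifier\s*\{[^}]*true\s*\}")),
    # A credential concatenated into an android.util.Log call (62% logged
    # sensitive data).
    ("secret-logged", re.compile(
        r"Log\.[vdiwe]\([^;]*(password|\bpin\b|token)", re.I)),
    # A credential written to SharedPreferences as a plain string
    # (one in five stored passwords in clear text).
    ("secret-stored-plain", re.compile(
        r'putString\(\s*"[^"]*(password|\bpin\b|token)[^"]*"', re.I)),
]

def scan_source(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (file, line_no, category) for every rule hit in the given files."""
    findings = []
    for name, text in files.items():
        for category, pattern in RULES:
            for m in pattern.finditer(text):
                line_no = text.count("\n", 0, m.start()) + 1
                findings.append((name, line_no, category))
    return sorted(findings)

# Constructed snippets resembling decompiled app code (hypothetical hosts).
SAMPLE_FILES = {
    "ApiClient.java": (
        'String BASE = "http://quotes.example.invalid/v1";\n'
        'TrustManager tm = new X509TrustManager() {\n'
        '    public void checkServerTrusted(X509Certificate[] c, String a) { }\n'
        '};\n'),
    "LoginActivity.java": (
        'Log.d("Login", "user=" + user + " password=" + password);\n'
        'prefs.edit().putString("password", password).apply();\n'),
    "Safe.kt": 'val url = "https://api.example.invalid"\n',
}

if __name__ == "__main__":
    for hit in scan_source(SAMPLE_FILES):
        print("%s:%d  %s" % hit)
```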
“We have better security in the mobile apps used to check our bank balance and pay the gas bill than in the trading apps that transfer billions in shares and shape the financial market as we know it,” said Hernandez.
“Mobile devices and apps are the investment management tools of choice, but there is a major gap in security and understanding from both developers and users. Cybersecurity is not the first concern for people in the FinTech space, most of which are not technical, and nor are the people using the apps themselves. Most don’t know what’s sensitive and what needs to be properly secured,” he added.
He added that the industry should shoulder the responsibility for improving the cyber security not only of mobile apps but also of the desktop and web platforms run by stock trading firms. Developers should design new, more secure financial software, and brokerage firms should also perform regular internal audits to gauge the cyber security of their applications and platforms.
“The stock market is not a casino where you magically get rich overnight. If you lack an understanding of how stocks or other financial instruments work, there is a high risk of losing money quickly. Cybersecurity has the same high stakes,” he concluded.