Trading apps found to be worse at security than banking apps
Trading apps found to be worse at security than banking apps

Some of the most popular share trading app have far worse security than banking apps, according to security researchers.

These applications have millions of users worldwide and process billions of pounds in traded shares, but were found by IOActive to have far worse security than most mobile banking applications.

The research found that some vulnerabilities could allow the would-be hacker to sell a user's stock, steal money and gain valuable insight into personal details of the user's net worth and investment strategy.

The test results, conducted by IOActive senior security consultant, Alejandro Hernandez found that 19 percent of apps expose user passwords in clear text, meaning an attacker with physical access to the device could easily log in to trade their stocks or steal money. Another 62 percent send sensitive data to log files and 67 percent store it unencrypted, allowing attackers with physical access to gain insight into a user's net worth, investment strategy and balances.

Hernandez also found that two apps use unencrypted HTTP channels to transmit and receive data, and 13 of the apps that use HTTPS do not check the authenticity of the remote endpoint by verifying its SSL certificate – making it possible to perform man-in-the-middle attacks to eavesdrop and tamper with the app data via pub Wi-Fi hotspots.

Three quarters (76 percent) of apps support fingerprint-reading as a security measure, which means they can be used by anyone that has their fingerprint registered to the device eg children or a spouse.

“Unfortunately, the results proved to be much worse than those for personal banking apps in 2013 and 2015,” said Hernandez in a blog post.

He adds: “Cyber-security has not been on the radar of the FinTech space in charge of developing trading apps. Security researchers have disregarded these apps as well, probably because of a lack of understanding of money markets.”

In addition to fixing the vulnerabilities identified in these tests, Hernandez says that the industry has a responsibility to improve the maturity level of security in mobile trading apps, and that desktop/web platforms should also be tested and improved. 

“As part of my research, I couldn't find any recommended guidance for secure software development to educate brokers and FinTech companies on creating quality products,” he said.

“Regulators must do much more to encourage brokers to implement safeguards for a better trading environment and develop trading-specific guidelines for creating trading software.”

He added that brokerage firms should perform regular internal audits to continuously improve the security posture of their trading platforms. Developers should analyse their apps to determine if they suffer from the vulnerabilities Hernandez outlined and also should design new, more secure financial software following secure coding practices.

“The stock market is not a casino where you magically get rich overnight. If you lack an understanding of how stocks or other financial instruments work, there is a high risk of losing money quickly. Cyber-security has the same high stakes,” he said.

Josh Mayfield, platform specialist, Immediate Insight at FireMon, told SC Media UK that these trading apps are competing with one another in a marketplace. 

“They win more users with speed, inexpensive commissions, and strong user experience.  Just wait until the first big, Equifax-style breach…then, lawmakers will act to regulate guidelines.  Until then, national regulators are likely to ‘leave it to the market' to figure out appropriate guidelines,” he said.

“The breach will happen.  So, if a trading app vendor wants to ensure success in gaining market-share, they can apply the suggestions above to demonstrate a track record of taking security seriously.  Security will become the top user priority once the first domino falls.”

Dr Guy Bunker, senior vice president - products & marketing at Clearswift, told SC Media UK that nobody has necessarily put the guidance all in one place, and it is changing as does the technology for the platform.

“One must think about what they (the developers) see as good security, for example requiring the re-presentation of fingerprints when buying from the Apple store, and incorporate that,” he said.

“Also, cyber-attacks are ever increasing in sophistication, it suits developers to stay well-informed of attack methods and how new technology and work practices can be used to mitigate their impact. Today, consumers are only one click away from the competition, so ensuring good security is critical for the reputation of the business.”