More than 20 of the most popular mobile trading applications used by consumers and day-traders for securities transactions contain glaring vulnerabilities that could allow attackers to sniff personal data or steal money from accounts.
Researchers from IOActive today published a report describing the scope of the security issues. More concerning, however, is the lack of response from the respective financial firms. Of the 21 apps in question, researcher Alejandro Hernandez said he sent detailed private disclosures to 13 brokerage firms and only two had acknowledged the reports as of Monday.
IOActive would not publicly disclose the affected applications since none of them had been updated with fixes yet. Nonetheless, it's surprising to Hernandez that in such a heavily regulated industry vulnerabilities such as clear-text passwords, unencrypted communication and cross-site scripting pass through QA testing and auditing.
“I used to work as an auditor for one of the Big Four some years ago, and I remember that the financial sector takes care of these types of things. There are so many regulations and audits,” he said. “I was very surprised when I found these issues.”
While personal banking is familiar to consumers and security professionals, trading platforms are not as well studied. By comparison, Hernandez said a similar examination of personal banking applications conducted in 2015 fared much better than today's analysis of trading platforms. He added that he does some personal day trading, which led him to investigate the security of the platform(s) he uses.
“Not all people understand the money markets and invest money this way,” Hernandez said. “Since I do and I’m worried about my savings, I decided to take a look at the cybersecurity and trading aspect. Most researchers and companies do not understand the money markets at all. You cannot check or audit something you do not understand at all.”
Hernandez tested the security of the 21 apps on iOS 10.3.3 running on an iPhone 6 and on a rooted Android device running 7.1.1. He tested the apps against 14 security controls, with alarming results in particular around root detection, privacy mode features, secure data storage and communication, SSL certificate validation, hardcoded secrets in the code, and sensitive data written unencrypted to the logging console, among many other problems.
An attacker exploiting these problems could learn a victim’s balances, liquidity or net worth as well as gain strategic insight since some apps leak the user’s watchlist or recent history.
“In the watchlist, you have stocks you are close to or may want to buy later. If for some reason, this information is leaked or stored unencrypted, it gives you an insight of a trading strategy,” Hernandez said. “Someone else who sees this information could know what you’re about to buy or sell.”
Many of the specific vulnerabilities were lax technical controls such as XSS or missing certificate validation, while others, such as writing unencrypted data to a logging console, could lead to manipulated trades or loss of a user's account balance. Some of the attacks require a man-in-the-middle position on the same local network as the user; others require physical access to a lost or stolen device.
“The most critical vulnerabilities are the cleartext passwords—which means they are stored locally on the phone—or some trading information exposed sent to some logging file or configuration file,” Hernandez said, adding that physical access would be required to target these issues. “Once you have physical access, you can root or jailbreak the phone and have full access to the filesystem of the phone and you can do whatever you want to extract this information from the logging console or configuration files.”
Two of the apps, meanwhile, transmit data between the device and the server unencrypted over HTTP, exposing it to a man-in-the-middle attack, Hernandez said. Thirteen of the 19 apps that do use HTTPS, however, do not verify the identity of the remote server beyond standard certificate validation; they do not use certificate pinning. Therefore, an attacker who tricks a victim into installing a malicious root certificate on the device, and who holds a man-in-the-middle position on the local network or controls a router at an ISP, can impersonate the other end of the transaction, because the app will accept any certificate that chains to a trusted root, including the attacker's.
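As an added example (not code from IOActive's report or from any of the apps tested), the following Python implements the public-key pinning check that those 13 apps omit: it walks the DER structure of the leaf certificate, hashes the subjectPublicKeyInfo, and compares the result against a pinned set in the "sha256/<base64>" form used by Android's Network Security Config and OkHttp's CertificatePinner. The certificate builder, the two key moduli and the host name in it are constructed test data; a real app would run pin_matches on the certificate presented during the TLS handshake, after the platform's ordinary chain validation.

```python
"""SPKI certificate pinning check, the control the 13 HTTPS apps lack.

A pin is the SHA-256 of the server certificate's DER subjectPublicKeyInfo,
written "sha256/<base64>". A man-in-the-middle certificate issued by a
user-installed root carries a different key, so its pin will not match even
though ordinary chain validation accepts it.
"""
import base64
import hashlib


def _read_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(data: bytes, start: int, end: int):
    """Yield (tag, tlv_start, tlv_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = _read_tlv(data, pos)
        yield tag, pos, vend
        pos = vend


def extract_spki(cert_der: bytes) -> bytes:
    """Return the full DER TLV of subjectPublicKeyInfo from an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_start, cert_end = _read_tlv(cert_der, 0)
    _, tbs_start, _ = next(_children(cert_der, cert_start, cert_end))
    _, tbs_vstart, tbs_vend = _read_tlv(cert_der, tbs_start)
    fields = list(_children(cert_der, tbs_vstart, tbs_vend))
    index = 6 if fields[0][0] == 0xA0 else 5  # v1 certs omit the [0] version tag
    _, spki_start, spki_end = fields[index]
    return cert_der[spki_start:spki_end]


def spki_pin(cert_der: bytes) -> str:
    """Compute the "sha256/<base64>" pin of a certificate's public key."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def pin_matches(cert_der: bytes, pinned_set) -> bool:
    """Pin check to run after, never instead of, ordinary chain validation."""
    return spki_pin(cert_der) in pinned_set


# Constructed test certificates below: not real keys, and the signature is zeros.
def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _seq(*items: bytes) -> bytes:
    return _der(0x30, b"".join(items))


def _int(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:  # keep it positive: DER INTEGER is two's complement
        raw = b"\x00" + raw
    return _der(0x02, raw)


RSA_OID = bytes.fromhex("06092a864886f70d010101")         # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption


def make_test_cert(modulus: int, serial: int = 1, v3: bool = True) -> bytes:
    """Assemble a structurally valid, unsigned X.509 certificate around an RSA
    modulus (hypothetical test input; it would never pass chain validation)."""
    key_alg = _seq(RSA_OID, b"\x05\x00")
    pubkey = _der(0x03, b"\x00" + _seq(_int(modulus), _int(65537)))  # BIT STRING
    spki = _seq(key_alg, pubkey)
    cn = _seq(_der(0x31, _seq(bytes.fromhex("0603550403"), _der(0x0C, b"broker.example"))))
    validity = _seq(_der(0x17, b"240101000000Z"), _der(0x17, b"250101000000Z"))
    sig_alg = _seq(SHA256_RSA_OID, b"\x05\x00")
    version = _der(0xA0, _int(2)) if v3 else b""
    tbs = _seq(version, _int(serial), sig_alg, cn, validity, cn, spki)
    return _seq(tbs, sig_alg, _der(0x03, b"\x00" * 33))


LEGIT_MODULUS = int.from_bytes(hashlib.sha256(b"broker key").digest() * 4, "big")
ROGUE_MODULUS = int.from_bytes(hashlib.sha256(b"mitm key").digest() * 4, "big")
LEGIT_CERT = make_test_cert(LEGIT_MODULUS)
ROGUE_CERT = make_test_cert(ROGUE_MODULUS)  # what a MITM proxy would present
PINS = {spki_pin(LEGIT_CERT)}               # what the app would ship with

if __name__ == "__main__":
    print("pinned:", PINS)
    print("legit server accepted:", pin_matches(LEGIT_CERT, PINS))
    print("MITM cert accepted:   ", pin_matches(ROGUE_CERT, PINS))
```

The pin covers the key, not the whole certificate, so routine certificate renewal with the same key does not break the app; a cert for the same host reissued with a new serial, or without the v3 version field, still yields the same pin, while the attacker's certificate does not. Ship at least one backup pin for the next key so a key rotation does not lock users out.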
Some of the apps also contain a privacy mode feature that masks personal account data such as profit-and-loss balances and liquidity from shoulder surfing. Some of these features are incomplete, Hernandez found, masking only some data while leaving other information exposed.
Client-side attacks are also possible: a hacker could exploit a cross-site scripting bug to inject phony forms in order to steal credentials, for example. Most of the apps, 95 percent, do not detect rooted environments.
“This is an important point because detecting a rooted device could save a lot of problems,” Hernandez said. “Not all of the apps are doing this, and are still running on rooted phones.”