The sorry state of stock trading mobile app security revealed

Stock chart

Remember how mobile banking apps got raked over the coals for, among other security lapses, not checking security certificates?

Raked over the coals, as in, repeatedly, in 2013 and again in 2015.

Well, the bad money-handling apple hasn’t fallen very far from the we-don’t-need-no-certificate-validation tree. The only difference is that this time around, it’s stock-checking apps that are asleep at the wheel, using HTTPS without bothering to validate security certificates, or even using HTTP and sending your passwords and other data around in plain text.

A recap of what’s led up to the still-sorry state of mobile financial apps:

Back in the Dark Ages – that would be 2013 – we were pretty appalled when IOActive reported that 40% of iOS banking apps blindly accepted any old TLS certificate for secure HTTP (HTTPS) traffic, with no validation whatsoever.

When you engage in a secure connection using HTTPS you’re given a public key by the system you’re connecting to and that key is signed by a digital certificate that identifies them. Anyone can create a certificate but unless the details in it have been vouched for by a CA (Certificate Authority) it’s deemed untrustworthy.

If apps don’t bother to check if a CA has vouched for a certificate then all bets are off. Any certificate could be presented, by anybody, without setting off any alarms.

A banking app could be misdirected to a phishing site, perhaps by a bogus Wi-Fi hotspot, and you’d be none the wiser. Your mobile browser wouldn’t tell you to back out of the untrusted site and you’d be left high and dry, handing over your banking details to a crook.

Ah, those kooky 2014 banking apps! Those were the days. The painful days.

It had to get better, right? And it did, at least a little.

By December 2015, when IOActive redid the study, it found that the initial 40% of iOS banking apps that weren’t validating certificates had shrunk to “only” 12.5%.

So yes, it got better, but it still wasn’t great: those iOS banking apps were still committing a laundry list of security sins that left many of them vulnerable to things like JavaScript injections, as well as leaking user activity and the back and forth interactions between client and server – all of which should be kept locked away from prying eyes.

It’s not just financial apps that get HTTPS wrong though.

Other apps that fumble HTTPS have included Pinterest’s iOS app and Microsoft’s iOS Yammer client, both of which failed to give warnings about fake certificates when Dutch security company Securify checked them out in April 2015.

Anyway, fast forward to the current time, and IOActive has taken yet another look at mobile apps that handle our money. This time, it looked at stock-checking apps that use HTTPS but that, deja vu, don’t check the SSL certificate.

…and/or that send passwords in clear text… and/or that expose trading and account information… and/or send sensitive data to log files… and/or fail to encrypt data.

In fact, IOActive’s Alejandro Hernández says that the security of mobile trading apps – he looked at 21 of the most popular Android and iOS apps – is far worse than the banking apps the company’s looked at in the past:

The results proved to be much worse than those for personal banking apps in 2013 and 2015. Cybersecurity has not been on the radar of the [financial technology] space in charge of developing trading apps. Security researchers have disregarded these apps as well, probably because of a lack of understanding of money markets.

The new flavors of appalling that arose from testing 14 security controls in the trading apps included these findings:

  • 62% of Android and iOS apps failed to validate SSL certificates.
  • 62% of Android and iOS apps left sensitive data in the logging console.
  • 67% of Android and iOS apps failed to securely store data.*
  • 62% of Android apps contained hardcoded secrets.
  • 95% of Android apps didn’t detect if they were running on a rooted device.
  • 95% of iOS apps didn’t support privacy mode.

There’s another blast from the past in this recent research too. Most of the trading apps don’t have two-factor authentication (2FA), just like the banking apps in the 2013 and 2015 analyses.

When we reported on the banking apps in 2013, Naked Security’s Paul Ducklin pointed out that all the cool kids offer 2FA: Facebook, Twitter, Google et al.

The extra security provided by 2FA is obvious: crooks who steal or guess your password are out of luck unless they also steal your mobile phone, without which they won’t receive the additional codes they need to log in each time.

Hernández has disclosed his findings responsibly, he says, reporting them to 13 of the brokerage firms whose trading apps harboured the higher risks vulnerabilities. Only two responded.

So how can we get mobile apps to improve without people like Hernández having to pop them open, gasp in horror and write lengthy reports first? He has a suggestion:

…there are rating organizations that score online brokers on a scale of 1 to 5 stars. I glimpsed at two recent reports and didn’t find anything related to security or privacy in their reviews. Nowadays, with the frequent cyberattacks in the financial industry, I think these organizations should give accolades or at least mention the security mechanisms the evaluated trading platforms implement in their reviews.

For now, improvement rests in the hands of the brokerage firms and app developers who need to up their games.

You can mitigate some of the problems IOActive uncovered by using a VPN if you’re trading from coffee shops, airports or anywhere else with public Wi-Fi. Most of the security issues mentioned here are invisible though, with the exception of 2FA. If it isn’t a feature of a trading app you want to use you can send a message by walking away.