Mobile applications that facilitate stock trading are riddled with cybersecurity vulnerabilities and could be leaving your passwords and financial details open to hackers, researchers claim.
An expert from IOActive, Alejandro Hernández, analysed 21 of the most used and well-known trading applications on Google Play and the Apple App Store – and quickly found a number of issues.
Trading apps typically let users add funds to accounts via bank transfers, receive news updates, make purchase orders and monitor market performance.
Using two devices, running iOS 10.3.3 on an iPhone 6 and Android 7.1.1 via an emulator, Hernández tested biometric authentication, privacy modes, lockout times for idle sessions, encryption techniques, root detection, social media risks, secure data storage and more.
His research found that everything from account numbers to passwords was left exposed.
In four apps passwords were sent in cleartext, while the majority did not enforce two-factor authentication, Hernández said in a blog post this week (26 September).
Others sent data without adequate encryption, and he found that at least 13 of the applications were open to traffic interception, or "man in the middle" (MitM), attacks.
In some cases, however, physical access to the device was required to extract the data.
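The cleartext-credential finding reported above has a cheap developer-side check: export the app's traffic from an intercepting proxy and flag any secret-looking field that leaves the device over plain HTTP. The script below is an added example written for this page, not IOActive's tooling or anything from the research. It goes slightly beyond the article by also flagging secrets placed in a URL query string, which end up in server and proxy logs even over TLS. The capture it scans is constructed, and the field-name list and host name are assumptions.

```python
"""
Added example (not IOActive's code): flag credentials that a mobile app sends
without transport encryption, or in a URL query string, from a proxy capture.
"""
import json
from urllib.parse import urlsplit, parse_qs

# Field names that usually carry secrets. This list is an assumption for the
# example; a real review would tune it to the app's own API.
SECRET_FIELDS = {"password", "passwd", "pwd", "pin", "otp", "secret", "token"}


def _body_fields(content_type, body):
    """Return field -> value for a form-encoded or JSON request body."""
    if "json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        return data if isinstance(data, dict) else {}
    if "x-www-form-urlencoded" in content_type:
        return {k: v[0] for k, v in parse_qs(body).items()}
    return {}


def find_cleartext_secrets(requests):
    """
    requests: list of dicts with keys method, url, headers, body, the shape a
    proxy export could be flattened into (constructed here, not a real format).
    Returns (url, field, reason) triples for every secret-looking field that
    travelled over plain http://, plus any secret carried in a query string.
    """
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        ctype = req.get("headers", {}).get("Content-Type", "").lower()
        fields = _body_fields(ctype, req.get("body", ""))

        # Query-string secrets are logged by servers and proxies even over TLS.
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        for name in query:
            if name.lower() in SECRET_FIELDS:
                findings.append((req["url"], name, "secret in URL query"))

        # Body fields are only a problem when the scheme gives no encryption.
        if parts.scheme != "https":
            for name in fields:
                if name.lower() in SECRET_FIELDS:
                    findings.append((req["url"], name, "secret over cleartext HTTP"))
    return findings


# Constructed sample capture: three requests a trading app might make.
# The host name is invented for the example.
SAMPLE_CAPTURE = [
    {"method": "POST", "url": "http://api.example-broker.test/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "user=alice&password=hunter2"},
    {"method": "POST", "url": "https://api.example-broker.test/login",
     "headers": {"Content-Type": "application/json"},
     "body": '{"user": "bob", "password": "correct horse"}'},
    {"method": "GET",
     "url": "https://api.example-broker.test/quote?symbol=ACME&token=abc123",
     "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for url, field, why in find_cleartext_secrets(SAMPLE_CAPTURE):
        print(f"{why}: field '{field}' in {url}")
```

On the constructed capture the first request is flagged for sending `password` over plain HTTP and the third for carrying `token` in the query string; the HTTPS JSON login passes. A check like this only sees what the proxy sees, so it says nothing about whether the app validates the server certificate, which is the separate question behind the MitM findings.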
Only one of the top 21 trading apps had a privacy mode to protect customers' information from "shoulder-surfing" attacks, in which an onlooker reads data straight off the screen in a public place.
"Cybersecurity has not been on the radar of the Fintech space in charge of developing trading apps," the researcher warned.
"Security researchers have disregarded these apps as well, probably because of a lack of understanding of money markets," he added. "There's still a long way to go."
IOActive disclosed the vulnerabilities to the relevant brokerage companies between 6 September and 8 September, but only two replied via email. It remains unclear whether the bugs will be patched.
The applications were not named in order to help protect customers and reputations, IOActive said.
"Developers should analyse their apps to determine if they suffer from the vulnerabilities I have described in this post, and if so, fix them," Hernández advised.
"There's still a long way to go to improve the maturity level of security in mobile trading apps. Regulators should encourage brokers to implement safeguards for a better trading environment.
"Brokerage firms should perform regular internal audits to continuously improve the security posture of their trading platforms.
"Developers should design new, more secure financial software following secure coding practices [and] users should enable all of the security mechanisms their apps offer."