Mobile
11/29/2017
03:00 AM
Dark Reading
Dark Reading
Products and Releases
50%
50%

How Secure are the Most Popular Crypto Currencies Mobile Apps?

90% of tested cryptocurrency mobile apps in Google Play may be in trouble for common vulnerabilities and weaknesses.

Over 1300 crypto currencies exist today with over $308,694,631,252 market capitalization (at the moment of this post publication). One of the most popular and oldest cryptocurrency - Bitcoin has reached $10,000 price after several months of fluctuation, but continuous and steady growth.

A wide spectrum of mobile applications for crypto currencies were released during the last few years by various startups, independent digital experts and even licensed banking institutions. The total number of crypto currency applications in Google Play designed to store, process or trade crypto currencies has exceeded two thousand and continues to grow.

Obviously, cybercriminals could not pass on such an outstanding opportunity and are aggressively targeting all possible stakeholders of the emerging digital currency market.

Almost every week a new crypto currency exchange is compromised, causing multi-million losses to people who entrusted their coins to the exchange. Fraudsters leverage a new trend of ICO (discouraged by the European Securities and Markets Authority), gather quick cash from naïve investors and disappear just after.

Such events have already become a daily routine in the turbulent world of the new Klondike, exacerbating less frequent but highly detrimental weaknesses in crypto currencies that may wipe out few hundreds millions at once.

 

Research and Free Online Service to Test Mobile Apps

High-Tech Bridge decided to analyze another attack vector on digital currencies and their proponents: mobile applications. For this purpose, we used our free online service Mobile X-Ray that performs dynamic, static and interactive testing or mobile applications for various vulnerabilities and weaknesses including OWASP Mobile Top 10, as well as analyzes potential risks to user privacy.

We took the most popular crypto currency mobile applications from Google Play from the “Finance” category and tested them for security flaws and design weaknesses that can endanger the user, his or her data stored on the device or send/received via the network, or the mobile device itself.

 

First 30 applications with up to 100,000 installations

  • 93% of applications contained at least 3 medium-risk vulnerabilities
  • 90% of applications contained at least 2 high-risk vulnerabilities
  • 87% of applications were vulnerable MITM attacks exposing app data to interception
  • 66% of applications contained hardcoded sensitive data including passwords or API keys
  • 57% of applications were using functionality that can jeopardize user privacy
  • 70% of applications did not have any hardening or protection of their backend (APIs or web services)
  • 80% of application were sending [potentially] sensitive data without any encryption over HTTP
  • 37% of applications were sending [potentially] sensitive data with weak or insufficient encryption
  • 77% of applications were still using SSLv3 or TLS 1.0 banned by PCI DSS
  • 44% of applications had backends (APIs or web services) vulnerable to POODLEvulnerability
  • 100% of applications didn’t have any protection against reverse-engineering

The most popular vulnerabilities are (from OWASP Top 10):

  • M1 - Improper Platform Usage
  • M5 - Insufficient Cryptography
  • M2 - Insecure Data Storage

 

First 30 applications with up to 500,000 installations

  • 66% of applications contained at least 3 medium-risk vulnerabilities
  • 87% of applications contained at least 2 high-risk vulnerability
  • 37% of applications were vulnerable MITM attacks exposing all data to interception
  • 34% of applications contained hardcoded sensitive data including passwords or API keys
  • 17% of applications were using functionality that can jeopardize user privacy
  • 77% of applications did not have any hardening or protection of their backend (APIs or web services)
  • 37% of application were sending [potentially] sensitive data without any encryption over HTTP
  • 24% of applications were sending [potentially] sensitive data with weak or insufficient encryption
  • 70% of applications were still using SSLv3 or TLS 1.0 banned by PCI DSS
  • 14% of applications had backends (APIs or web services) vulnerable to POODLEvulnerability
  • 100% of applications didn’t have any protection against reverse-engineering

The most popular vulnerabilities are (from OWASP Top 10):

  • M1 - Improper Platform Usage
  • M2 - Insecure Data Storage
  • M5 - Insufficient Cryptography

 

First 30 applications with over 500’000 installations

  • 94% of applications contained at least 3 medium-risk vulnerabilities
  • 77% of applications contained at least 2 high-risk vulnerability
  • 17% of applications were vulnerable MITM attacks exposing all data to interception
  • 44% of applications contained hardcoded sensitive data including passwords or API keys
  • 66% of applications were using functionality that can jeopardize user privacy
  • 94% of applications did not have any hardening or protection of their backend (APIs or web services)
  • 66% of application were sending [potentially] sensitive data without any encryption over HTTP
  • 50% of applications were sending [potentially] sensitive data with weak or insufficient encryption
  • 94% of applications were still using SSLv3 or TLS 1.0 banned by PCI DSS
  • 0% of applications had backends (APIs or web services) vulnerable to POODLEvulnerability
  • 100% of applications didn’t have any protection against reverse-engineering

The most popular vulnerabilities are (from OWASP Top 10):

  • M1 - Improper Platform Usage
  • M2 - Insecure Data Storage
  • M5 - Insufficient Cryptography

 

Conclusions and Remediation

Ilia Kolochenko, CEO and Founder of High-Tech Bridge, comments: “Unfortunately, I am not surprised with the outcomes of the research. For many years, cybersecurity companies and independent experts were notifying mobile app developers about the risks of “agile” development that usually imply no framework to assure secure design, secure coding and hardening techniques or application security testing.

However, this is just the tip of the iceberg. A mobile app usually contains much less exploitable vulnerabilities than its backend. Weakness in a mobile application may lead to breach of the mobile device or its data, while a vulnerable API on the backend - may allow attackers to steal the integrity of users’ data.

To minimize security vulnerabilities and weaknesses in mobile applications, developers should carefully plan and rigorously implement security and privacy from the early stages of development. Internal and external application security testing is also critically important and should be performed on a regular basis. Requirements of various regulations, such as GDPR, should also be assessed and duly implemented.”

At High-Tech Bridge, to facilitate the uneasy work of mobile application developers, we have launched the Mobile X-Ray free online service with SAST, DAST and IAST capabilities for native and hybrid Android and iOS applications. Our award-winning ImmuniWeb® Mobile provides the most comprehensive manual testing of mobile app and its backend, enhanced by our proprietary machine learning technology.

Any of the applications used in the research, as well as any other applications, can be re-tested via our free service (no registration required).

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Gee, these virtual reality goggles work great!!! 
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.