In the week when cryptocurrency values have reached new highs, some worrying research from web security firm High-Tech Bridge reveals that more than 90 percent of the most popular cryptocurrency mobile apps on Google Play have common vulnerabilities and weaknesses.
The company used its free Mobile X-Ray service to test apps for security flaws and design weaknesses that can endanger the user, data stored on the device or sent and received via the network, or the mobile device itself.
Of the top 30 applications with over 500,000 installations each, 94 percent contain at least three medium-risk vulnerabilities, and 77 percent contain at least two high-risk vulnerabilities. 17 percent of applications were vulnerable to man-in-the-middle (MITM) attacks, exposing all transmitted data to interception.
In addition, 44 percent of applications contain hard-coded sensitive data, including passwords or API keys, and 66 percent use functionality that can jeopardize user privacy. Also, 94 percent have no hardening or protection of their backend APIs or web services.
Ilia Kolochenko, CEO and founder of High-Tech Bridge says:
Unfortunately, I am not surprised by the outcomes of the research. For many years, cybersecurity companies and independent experts have been notifying mobile app developers about the risks of ‘agile’ development that usually imply no framework to assure secure design, secure coding and hardening techniques or application security testing.
However, this is just the tip of the iceberg. A mobile app usually contains far fewer exploitable vulnerabilities than its backend. A weakness in a mobile application may lead to a breach of the mobile device or its data, while a vulnerable API on the backend may allow attackers to steal the integrity of users’ data.
To minimize security vulnerabilities and weaknesses in mobile applications, developers should carefully plan and rigorously implement security and privacy from the early stages of development. Internal and external application security testing is also critically important and should be performed on a regular basis. Requirements of various regulations, such as GDPR, should also be assessed and duly implemented.
You can find more details about the research and the Mobile X-Ray platform on the High-Tech Bridge blog.