90% of crypto-currency apps in Google Play deemed risky

Admire Moyo
By Admire Moyo, ITWeb's news editor.
Johannesburg, 29 Nov 2017
Over 1 300 crypto-currencies exist today, with over $326 billion market capitalisation.
Over 1 300 crypto-currencies exist today, with over $326 billion market capitalisation.

Over 90% of the most popular crypto-currency mobile apps from Google Play are vulnerable to attacks.

This is according to Swiss-based Web security company High-Tech Bridge, which tested the apps for common vulnerabilities and weaknesses. The results were released today.

Over 1 300 crypto-currencies exist today, with over $326 billion market capitalisation, according to Crypto-Currency Market Capitalisations.

Bitcoin, one of the most popular and oldest crypto-currencies, reached an all-time high above $10 000 yesterday on major exchanges and digital currency indexes.

High-Tech Bridge says a wide spectrum of mobile applications for crypto-currencies were released during the last few years by various start-ups, independent digital experts, and even licensed banking institutions.

It notes the total number of crypto-currency applications in Google Play designed to store, process or trade crypto-currencies has exceeded 2 000 and continues to grow.

"Obviously, cyber criminals could not pass on such an outstanding opportunity and are aggressively targeting all possible stakeholders of the emerging digital currency market," says Ilia Kolochenko, CEO and founder of High-Tech Bridge.

He points out that almost every week, a new crypto-currency exchange is compromised, causing multimillion-dollar losses to people who entrusted their coins to the exchange.

High-Tech Bridge decided to analyse another attack vector on digital currencies and their proponents: mobile applications.

For this purpose, the Web security company used its online service Mobile X-Ray, which performs testing on mobile applications for various vulnerabilities and weaknesses, including OWASP Mobile Top 10, as well as analyses potential risks to user privacy.

The firm took the most popular crypto-currency mobile applications from Google Play from the "Finance" category and tested them for security flaws and design weaknesses that can endanger the user, the data stored on the device or sent/received via the network, or the mobile device itself.

For the first 30 applications with up to 100 000 installations, High-Tech Bridge found 93% contained at least three medium-risk vulnerabilities, 90% contained at least two high-risk vulnerabilities, 87% were vulnerable to man in the middle attacks exposing app data to interception, 66% contained hardcoded sensitive data including passwords or application programming interface (API) keys, and 57% were using functionality that can jeopardise user privacy.

The firm also discovered 70% did not have any hardening or protection of their backend (APIs or Web services), 80% were sending potentially sensitive data without any encryption over HTTP, 37% were sending potentially sensitive data with weak or insufficient encryption, 77% were still using SSLv3 or TLS 1.0 banned by PCI DSS, 44% had backends (APIs or Web services) vulnerable to POODLE vulnerability, and 100% didn't have any protection against reverse-engineering.

"Unfortunately, I am not surprised with the outcomes of the research," says Kolochenko. "For many years, cyber security companies and independent experts were notifying mobile app developers about the risks of 'agile' development that usually imply no framework to assure secure design, secure coding and hardening techniques or application security testing."

However, he notes, this is just the tip of the iceberg. "A mobile app usually contains much less exploitable vulnerabilities than its backend. Weakness in a mobile application may lead to breach of the mobile device or its data, while a vulnerable API on the backend may allow attackers to steal the integrity of users' data."

To minimise security vulnerabilities and weaknesses in mobile applications, Kolochenko says developers should carefully plan and rigorously implement security and privacy from the early stages of development.

"Internal and external application security testing is also critically important and should be performed on a regular basis. Requirements of various regulations, such as GDPR [General Data Protection Regulation], should also be assessed and duly implemented."