How secure are cryptocurrency mobile apps?
Are the mobile apps you’re using to store or handle your cryptocurrency stash, track the currencies’ price, or interact with cryptocurrency exchanges secure? Judging by the results of a recent audit by High-Tech Bridge, the chances are slim.
The security outfit has put 90 Android apps available for download on Google Play through the wringer – i.e. its Mobile X-Ray service that performs dynamic, static and interactive testing of mobile applications for security and privacy vulnerabilities – and the results are disheartening.
Audit results
The apps in question were divided in three groups: apps with up to 100,000 downloads, up to 500,000 downloads, and more than 500,000 downloads. In all three categories, the most often encountered vulnerabilities are improper platform usage, insecure data storage, and insufficient cryptography.
In the first category (>100,000 downloads), 87% of applications were vulnerable to MITM attacks exposing app data to interception, 66% contained hardcoded sensitive data including passwords or API keys, and 80% were sending (potentially) sensitive data without any encryption over HTTP (data in transit).
In the second category (>500,000 downloads), 37% of applications were vulnerable to MITM attacks, 34% of applications contained hardcoded sensitive data, and 37% were not using HTTPS.
In the third category (<500,000 downloads), the percentage of applications sporting these vulnerabilities was 17% (vulnerable to MITM), 44% (hardcoded data), and 66% (no HTTPS). Many of the apps in all categories use outdated encryption, and most did not have any hardening or protection of their backend (APIs or web services). "Unfortunately, I am not surprised with the outcomes of the research," noted Ilia Kolochenko, CEO and Founder of High-Tech Bridge. "For many years, cybersecurity companies and independent experts were notifying mobile app developers about the risks of 'agile' development that usually imply no framework to assure secure design, secure coding and hardening techniques or application security testing." "However, this is just the tip of the iceberg. A mobile app usually contains much less exploitable vulnerabilities than its backend. Weakness in a mobile application may lead to breach of the mobile device or its data, while a vulnerable API on the backend - may allow attackers to steal the integrity of users’ data."
How can you check if the apps you use are secure?
The company’s Mobile X-Ray service is free for anyone to use: upload a mobile app package (for Android or iOS) and tool will test it and provide you with the results. Of course, it doesn’t have to be a cryptocurrency app – any kind of app can be tested.
With the results in hand, you can choose to implement additional security precautions when using the apps. For example, you can make a conscious decision to avoid using them when on an insecure wireless network (e.g. most free-to-use public Wi-Fi) or to always use VPN (for encryption/added encryption).
With the cryptocurrency market soaring and the fact that stolen cryptocurrency is, in most cases, impossible to recover, cybercriminals are taking advantage of the current chaos in many ways: via bogus and compromised ICOs, wallet-stealing malware and stealthy in-browser cryptomining, by exploiting vulnerabilities in wallet offerings, by hitting blockchain platforms, cryptocurrency exchanges, and crowd-lending platforms, by exploiting unsecured cloud computing environments for cryptocurrency mining, scamming users with fake Bitcoin multiplier services, fake cryptocurrency trading apps, and so on.