A study of 90 cryptocurrency mobile applications available on Google Play found that 90 percent of them contain security vulnerabilities or privacy risks.
Web security company High-Tech Bridge conducted the research, using dynamic, static, and interactive testing to search mobile apps for weaknesses, including the top ten mobile flaws listed by the Open Web Application Security Project (OWASP).
“We took the most popular cryptocurrency mobile applications from Google Play from the ‘Finance' category and tested them for security flaws and design weaknesses that can endanger the user, his or her data stored on the device or send/received via the network, or the mobile device itself,” High-Tech Bridge reported in a Nov. 29 blog post.
The company divided the apps into three groups of 30: the most popular apps with a maximum of 100,000 installations, the top apps with up to 500,000 installations, and the top apps with more than 500,000 installations.
When combined together, 84.6 percent of the apps were determined to contain at least two high-risk vulnerabilities, while 84.3 percent were found with a minimum of three medium-risk bugs.
Nearly half of the apps, 47 percent, were deemed vulnerable to man-in-the-middle attacks, while 48 percent were found to contain hardcoded sensitive data such as passwords or API keys. And 46.6 percent were said to feature functionality that can endanger user privacy.
Moreover, researchers observed that 80.3 of the apps lacked any kind of hardening or protection on their back-end APIs or web services, while 19.3 percent have back-ends that can be exploited with the POODLE vulnerability.
Many of the apps have encryption weaknesses as well: 61 percent send data without any encryption over HTTP, while 37 percent were found to have insufficient encryption altogether.
Finally, 100% of the applications don't have any reliable protection against reverse-engineering, the study reveals.
The three vulnerabilities from the OWASP that were found most frequently across all 90 cryptocurrency apps were improper platform usage, insecure data storage, and insufficient cryptography.
“For many years, cybersecurity companies and independent experts were notifying mobile app developers about the risks of ‘agile' development that usually imply no framework to assure secure design, secure coding and hardening techniques or application security testing,” said Ilia Kolochenko, CEO and founder of High-Tech Bridge. “However, this is just the tip of the iceberg. A mobile app usually contains much less exploitable vulnerabilities than its backend. Weakness in a mobile application may lead to breach of the mobile device or its data, while a vulnerable API on the backend may allow attackers to steal the integrity of users' data.”