11/30/2017 12:00:17 PM
Most cryptocurrency mobile apps are vulnerable
Cryptocurreny Security,Mobile Cryptocurrency Apps,Mobile Financial App
App Developer Magazine

Most cryptocurrency mobile apps are vulnerable

Christian Hargrave Christian Hargrave in Security Thursday, November 30, 2017

Mobile cryptocurrency app report finds that many apps are vulnerable to cybersecurity threats after testing the Google Play Store's Top 30 Financial apps.

Over 1,300 crypto currencies exist today with over $300 Billion market capitalization. One of the most popular and oldest cryptocurrency - Bitcoin has almost reached $10,000 price after several months of fluctuation, but continuous and steady growth.

A wide spectrum of mobile applications for cryptocurrencies were released during the last few years by various startups, independent digital experts and even licensed banking institutions. The total number of crypto currency applications in Google Play designed to store, process or trade crypto currencies has exceeded two thousand and continues to grow.

Obviously, cybercriminals could not pass on such an outstanding opportunity and are aggressively targeting all possible stakeholders of the emerging digital currency market.

Almost every week a new cryptocurrency exchange is compromised, causing multi-million losses to people who entrusted their coins to the exchange. Fraudsters leverage a new trend of ICO (discouraged by the European Securities and Markets Authority), gather quick cash from naïve investors and disappear just after.

Such events have already become a daily routine in the turbulent world of the new Klondike, exacerbating less frequent but highly detrimental weaknesses in crypto currencies that may wipe out few hundred millions at once.  

Research and Free Online Service to Test Mobile Apps

High-Tech Bridge decided to analyze another attack vector on digital currencies and their proponents: mobile applications. For this purpose, they used their free online service Mobile X-Ray that performs dynamic, static and interactive testing or mobile applications for various vulnerabilities and weaknesses including OWASP Mobile Top 10, as well as analyzes potential risks to user privacy.

They took the most popular crypto currency mobile applications from Google Play from the “Finance” category and tested them for security flaws and design weaknesses that can endanger the user, his or her data stored on the device or send/received via the network, or the mobile device itself.

The most popular vulnerabilities are (from OWASP Top 10):

  • Improper Platform Usage
  • Insecure Data Storage
  • M5 - Insufficient Cryptography

For the first 30 applications with over 500,000 installations

  • 94% of applications contained at least 3 medium-risk vulnerabilities
  • 77% of applications contained at least 2 high-risk vulnerability
  • 17% of applications were vulnerable MITM attacks exposing all data to interception
  • 44% of applications contained hardcoded sensitive data including passwords or API keys
  • 66% of applications were using functionality that can jeopardize user privacy
  • 94% of applications did not have any hardening or protection of their backend (APIs or web services)
  • 66% of application were sending [potentially] sensitive data without any encryption over HTTP
  • 50% of applications were sending [potentially] sensitive data with weak or insufficient encryption
  • 94% of applications were still using SSLv3 or TLS 1.0 banned by PCI DSS
  • 0% of applications had backends (APIs or web services) vulnerable to POODLE vulnerability
  • 100% of applications didn’t have any protection against reverse-engineering

Ilia Kolochenko, CEO and Founder of High-Tech Bridge, comments: “Unfortunately, I am not surprised with the outcomes of the research. For many years, cybersecurity companies and independent experts were notifying mobile app developers about the risks of “agile” development that usually imply no framework to assure secure design, secure coding and hardening techniques or application security testing.


Your name and email will not be public or shared in any way.

Securing Your Cloud: IBM z/VM Security for IBM z Systems and LinuxONE

The necessary steps to secure your environment for all of the components that are involved in a z Systems cloud infrastructure that uses IBM z/VM and Linux on z Systems. 

A new way to manage your development projects

Learn the best ways to organize your app development projects, and keep code straight, clients happy, and breathe a easier through launches.

The Latest Nerd Ranch Guide (3rd Edition) to Android Programming

Write and run code every step of the way, using Android Studio to create apps that integrate with other apps, download and display pictures from the web, play sounds, and more. Each chapter and app has been designed and tested to provide the knowledge and experience you need to get started in Android development.

Starting your own app business?

How to create a profitable, sustainable business developing and marketing mobile apps.