Trading and investment apps are attractive targets for attackers because they are often less hardened than established banking platforms. On top of that, the technology many of them are built on, cryptocurrency and decentralized finance, is still new and not well understood. Over the last few years more people than ever have moved to investment apps to manage their stocks, mutual funds and other digital assets. In this blog we discuss the top 5 cyber attacks against investment apps and how to solve them.
Security Challenges with Investment Apps
Studies have shown that 77% of financial apps have at least one major vulnerability that can lead to a data breach, and that 88% of financial apps fail cryptographic tests, meaning attackers can break the encryption these apps rely on to read confidential customer and payment data or tamper with the app. Each data breach, including a breach of customer or payment data, costs a company on average over $4M in lost business and recovery.
Fintech Industry Cybersecurity Checklist – Top 5 Cyber Attacks on Investment Apps and How to Solve Them
Fake investment apps
Fake investment apps, impersonating well-known, legitimate, and trusted brands that include Barclays, Gemini, Kraken, TDBank, and Binance, have lured people to unknowingly send funds to cybercriminals.
In one example, a malicious app masqueraded as a trading company based in Asia. Victims were lured through social media and a dating site to download the fake app and open accounts through it, and the funds they deposited went straight to the cybercriminals.
On iOS, these fake apps were distributed through the “Super Signature” process, in which the attacker registers the victim’s device with a paid Apple developer account and signs the app with a development provisioning profile, so it installs outside the App Store and never passes App Store review. This process has been abused repeatedly to bypass the protections of the official app repositories.
To protect against fake investment apps, use anti-tampering so attackers cannot repackage or resign your app. Use Mobile Piracy Prevention to ensure Android and iOS apps cannot be copied or turned into trojans after the app is published to the public app store. Enforce that builds signed for the Apple App Store and Google Play refuse to run when distributed through any other store, and verify the integrity of the app bundle and all of its contents at runtime.
Investment apps are also being attacked by banking malware such as Xenomorph. Xenomorph uses overlay attacks: it draws its own window on top of the legitimate app’s login screen, prompts the user for credentials, and sends the harvested data to the attacker, who uses it to transfer funds illegally or for other fraud.
To protect against overlay attacks, detect when an overlay is drawn on top of the digital wallet and either (1) shut the app down to protect the session, or (2) notify the user so they can contact the wallet provider, which can then take further enforcement action against the detected threat.
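The detection step has a direct expression in the Android framework: a touch delivered while another window sits over the view arrives with `FLAG_WINDOW_IS_OBSCURED` set. The credential field below is an added example for this post, not Appdome code; the `OverlayListener` callback and the class name are my own, and the screen that uses it decides whether to close the app or warn the user.

```java
import android.content.Context;
import android.os.Build;
import android.provider.Settings;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.view.Window;
import androidx.appcompat.widget.AppCompatEditText;

/**
 * Credential field that refuses touch input delivered through an overlay window.
 * Android sets FLAG_WINDOW_IS_OBSCURED on a MotionEvent when another window sits
 * between the user's finger and this view, which is the tapjacking/overlay case.
 */
public class OverlaySafeEditText extends AppCompatEditText {

    /** Hypothetical callback so the screen can decide: shut down, or warn the user. */
    public interface OverlayListener {
        void onOverlayDetected();
    }

    private OverlayListener listener;

    public OverlaySafeEditText(Context ctx, AttributeSet attrs) {
        super(ctx, attrs);
        // Framework-level equivalent: drop any touch that arrives while obscured.
        setFilterTouchesWhenObscured(true);
    }

    public void setOverlayListener(OverlayListener l) {
        this.listener = l;
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            obscured |= (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        }
        if (obscured) {
            if (listener != null) {
                listener.onOverlayDetected();
            }
            return false; // swallow the touch; nothing reaches the field
        }
        return super.onFilterTouchEventForSecurity(event);
    }

    /** Android 12+: ask the system not to draw untrusted overlays over this window at all. */
    public static void hideUntrustedOverlays(Window window) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            // Needs android.permission.HIDE_OVERLAY_WINDOWS in the manifest.
            window.setHideOverlayWindows(true);
        }
    }

    /**
     * Overlay banking malware usually runs as an accessibility service to learn which app
     * is in the foreground. Exposing the enabled services lets the app flag unexpected
     * ones; this is a heuristic, since legitimate services are enabled the same way.
     */
    public static String enabledAccessibilityServices(Context ctx) {
        String s = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        return s == null ? "" : s;
    }
}
```

One caveat a practitioner should keep in mind: the obscured flag only fires for touches that actually reach your window. An overlay that consumes the touches itself, which is what a full-screen fake login page does, never delivers events to the app underneath. Pair this view with `Activity.onWindowFocusChanged(false)` monitoring while the login or transfer screen is up, with the accessibility-service heuristic, and with `hideUntrustedOverlays()` on Android 12 and later.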
Stolen private keys in investment apps expanding digital asset offerings
Private keys are everything in crypto and decentralized finance. Hundreds of millions of dollars have been stolen from financial institutions and individuals because private keys were stolen. To make key management easier for individual investors, investment apps initially offered custodial wallets. Now, as investment apps expand their crypto asset coverage, companies like Robinhood are offering non-custodial wallets, in which users must safeguard their own private keys. That is a risky shift, given how many investors are new both to crypto and to key custody. Education helps, but for many app makers it is not enough. Investment app makers I’ve spoken to are looking for an in-app solution.
Gaining access to a device and elevating privileges is often the first step in stealing private keys or other confidential information. On a jailbroken or rooted device an attacker has far more control over the operating system, the file system and every app on the device, which lets them read data stored in or by mobile wallet and mobile payment apps. To prevent this class of attack, mobile wallet developers and security teams should block the wallet from running on jailbroken or rooted devices, including devices using advanced rooting and root-hiding tools such as Magisk and jailbreak-detection bypass tools such as Liberty Lite. To keep confidential data from being exposed, encrypt all wallet data stored locally at rest, and use white-box cryptography with threat-aware encryption keys to encrypt the app sandbox, files, strings, resources, preferences and native libraries.
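The root-detection half of that advice is usually built from several cheap indicators stacked together. The Android (Java) class below is an added example for this post, not Appdome code; the path and package lists are the commonly checked locations, and the `isRooted` policy (any single hit refuses to run) is my assumption.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;

/**
 * Cheap, stackable root/Magisk indicators. Each one alone is easy to hide; the value is
 * in combining several and in repeating them from native code.
 */
public final class RootCheck {

    private static final String[] SU_PATHS = {
            "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/su",
            "/su/bin/su", "/data/local/bin/su", "/data/local/xbin/su", "/system/sd/xbin/su"
    };
    private static final String[] MAGISK_PATHS = {
            "/sbin/.magisk", "/data/adb/magisk", "/data/adb/magisk.db", "/data/adb/modules"
    };
    private static final String[] ROOT_MANAGER_PACKAGES = {
            "com.topjohnwu.magisk", "eu.chainfire.supersu", "com.koushikdutta.superuser"
    };

    private RootCheck() {}

    /** Aggregate verdict; any single indicator is enough to refuse to run. */
    public static boolean isRooted(Context ctx) {
        return hasTestKeys()
                || anyExists(SU_PATHS)
                || anyExists(MAGISK_PATHS)
                || anyInstalled(ctx, ROOT_MANAGER_PACKAGES)
                || suOnPath();
    }

    /** Custom ROMs and many rooted builds are signed with AOSP test keys. */
    static boolean hasTestKeys() {
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    static boolean anyExists(String[] paths) {
        for (String p : paths) {
            if (new File(p).exists()) {
                return true;
            }
        }
        return false;
    }

    /** Android 11+ needs a <queries> element in the manifest to see these packages. */
    static boolean anyInstalled(Context ctx, String[] packages) {
        PackageManager pm = ctx.getPackageManager();
        for (String pkg : packages) {
            try {
                pm.getPackageInfo(pkg, 0);
                return true;
            } catch (PackageManager.NameNotFoundException ignored) {
                // not installed, keep looking
            }
        }
        return false;
    }

    /** Asks the shell where `su` lives; no output means nothing on PATH. */
    static boolean suOnPath() {
        Process p = null;
        try {
            p = Runtime.getRuntime().exec(new String[] {"which", "su"});
            try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
                return r.readLine() != null;
            }
        } catch (IOException e) {
            return false;
        } finally {
            if (p != null) {
                p.destroy();
            }
        }
    }
}
```

These Java checks are the floor, not the ceiling. Current Magisk mounts itself at a random tmpfs path and its DenyList unmounts its files from a targeted app’s namespace, so the path checks above will often come back clean on exactly the devices the article is worried about. Stronger signals come from native code (unexpected entries in `/proc/self/mounts`, a non-zero `TracerPid` in `/proc/self/status`) and from hardware-backed attestation or the Play Integrity device verdict evaluated on your server, where the attacker cannot patch the result.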
Data harvesting in investment apps
As discussed earlier, many financial apps have weak encryption. In my research on the top 5 attacks on investment apps, I also found that a major investment app uses an unencrypted SQLite database in its Android app, making it easier for hackers to get confidential customer or payment data stored in the app.
Unencrypted data in the application sandbox or on the SD card, in preference stores such as NSUserDefaults on iOS or SharedPreferences on Android, or in external areas such as the clipboard, can be harvested by an attacker for their own purposes. To protect against data harvesting, we recommend application-level encryption of locally stored data wherever it resides: inside the app itself, in preference stores, or on the clipboard.
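Here is what application-level encryption of the two leakiest stores, preferences and the local SQLite database, looks like on Android; it also covers the encrypt-at-rest advice from the private-key section above. This is an added example for this post, not Appdome code. It assumes the androidx `security-crypto` library (1.1.x `MasterKey` API) and SQLCipher for Android 4.x; the file names, table and the `saveSessionToken` helper are placeholders.

```java
import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import net.sqlcipher.database.SQLiteDatabase;

/**
 * Application-level encryption for the places investment apps most often leak:
 * preferences and the local SQLite database. Keys live in the Android Keystore
 * (hardware-backed where the device supports it), never as bytes in the sandbox.
 */
public final class SecureStore {

    private SecureStore() {}

    /** Preferences whose keys and values are both encrypted (AES-256-SIV / AES-256-GCM). */
    public static SharedPreferences openPrefs(Context ctx)
            throws GeneralSecurityException, IOException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        return EncryptedSharedPreferences.create(
                ctx,
                "wallet_prefs",          // placeholder file name; on disk it is ciphertext
                masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }

    /**
     * Portfolio database encrypted page-by-page with SQLCipher instead of the plain
     * android.database.sqlite file. The passphrase must not be a literal or sit in
     * preferences: derive it per user (for example unwrap it with a Keystore key after
     * biometric unlock), hold it only in memory, and zero the array when done.
     */
    public static SQLiteDatabase openDb(Context ctx, char[] passphrase) {
        SQLiteDatabase.loadLibs(ctx);
        File dbFile = ctx.getDatabasePath("portfolio.db"); // placeholder name
        SQLiteDatabase db = SQLiteDatabase.openOrCreateDatabase(dbFile, passphrase, null);
        db.execSQL("CREATE TABLE IF NOT EXISTS holdings ("
                + "symbol TEXT PRIMARY KEY, quantity REAL NOT NULL)");
        return db;
    }

    /** Example write: a session token goes into encrypted prefs, never plain ones. */
    public static void saveSessionToken(Context ctx, String token)
            throws GeneralSecurityException, IOException {
        openPrefs(ctx).edit().putString("session_token", token).apply();
    }
}
```

Two practical notes. First, the cleanest defence for the clipboard is not to put secrets on it: if a seed phrase must be copied, mark the `ClipData` sensitive (`ClipDescription.EXTRA_IS_SENSITIVE` on Android 13+) and clear the clipboard after a short timeout. Second, Google has signalled deprecation of the `security-crypto` wrapper in favour of using Tink directly, so check the library’s current status before adopting it; the Keystore-held master key pattern shown here is what to preserve whichever wrapper you use.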
To harvest data, attackers also target the communication between the client (the investment app) and the server. Data in transit, including transaction amounts, passwords and passphrases, all travels over this channel. To protect it, enforce TLS for all communication to and from the app, including a minimum TLS version, an allowed cipher-suite list and other measures. To defend against man-in-the-middle attacks, developers of investment apps should consider a holistic MitM defense rather than a single control.
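Here is how those transport controls look in code for an Android app using OkHttp: TLS 1.2/1.3 only, forward-secret AEAD cipher suites only, no cleartext, and public-key pinning so a CA-issued interception certificate is rejected. This is an added example for this post, not Appdome code. The host name and the two pin values are placeholders; the real pins are the base64 SHA-256 of your API certificate’s SubjectPublicKeyInfo.

```java
import java.util.Collections;
import okhttp3.CertificatePinner;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.TlsVersion;

/**
 * HTTP client that only speaks TLS 1.2/1.3 with forward-secret AEAD cipher suites,
 * refuses cleartext, and pins the API's public key so a CA-issued interception
 * certificate is rejected.
 */
public final class ApiClient {

    // Placeholder host (assumption). Pins are "sha256/" + base64 SPKI digest, produced with:
    //   openssl x509 -in api.pem -pubkey -noout | openssl pkey -pubin -outform der \
    //     | openssl dgst -sha256 -binary | base64
    private static final String API_HOST = "api.example-invest.com";
    private static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String PIN_BACKUP  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    private ApiClient() {}

    public static OkHttpClient build() {
        ConnectionSpec tlsOnly = new ConnectionSpec.Builder(ConnectionSpec.RESTRICTED_TLS)
                .tlsVersions(TlsVersion.TLS_1_3, TlsVersion.TLS_1_2)
                .cipherSuites(
                        // TLS 1.3 suites
                        CipherSuite.TLS_AES_256_GCM_SHA384,
                        CipherSuite.TLS_CHACHA20_POLY1305_SHA256,
                        CipherSuite.TLS_AES_128_GCM_SHA256,
                        // TLS 1.2: ECDHE only (forward secrecy), AEAD only (no CBC, no RSA key exchange)
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
                        CipherSuite.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
                .build();

        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PIN_CURRENT)
                .add(API_HOST, PIN_BACKUP)   // rotation: pin the next key before it ships
                .build();

        return new OkHttpClient.Builder()
                // Only this spec is offered, so ConnectionSpec.CLEARTEXT is never
                // negotiated and any http:// URL fails instead of silently downgrading.
                .connectionSpecs(Collections.singletonList(tlsOnly))
                .certificatePinner(pinner)
                .build();
    }
}
```

Mirror the same policy in `network_security_config.xml` (`cleartextTrafficPermitted="false"`, a `pin-set` with an expiry) so that any other HTTP stack in the app inherits it. And this is where “holistic” matters: a hooking script that patches `CertificatePinner.check` defeats pinning in one line, so the transport controls only hold if the anti-debugging and anti-hooking protections discussed under synthetic fraud are in place as well.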
Synthetic Fraud in investment apps
Modified versions of investment apps running in emulators or simulators, or on-device malware, can be used to create fake accounts, place malicious trades and move cryptocurrency from one investment app to another. To protect against this class of attack, implement runtime application self-protection (RASP), particularly anti-tampering, anti-debugging and emulator detection. Best practice also includes defending against misuse of ADB, for example to load instrumentation tools that hook the app’s methods, and against other ways of harming your app.
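The anti-debugging, emulator-detection and ADB pieces of that RASP advice reduce to a handful of runtime checks. The class below is an added example for this post, not Appdome code; the emulator build-property strings are the well-known stock-emulator and Genymotion values, the instrumentation library names are a heuristic, and `hostileEnvironment` combining them into one verdict is my assumption.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Build;
import android.os.Debug;
import android.provider.Settings;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;

/**
 * Runtime environment checks for the synthetic-fraud case: debuggable build, attached
 * debugger, emulator, ADB enabled, or an instrumentation framework mapped into the process.
 */
public final class EnvCheck {

    private EnvCheck() {}

    public static boolean debuggerAttached() {
        return Debug.isDebuggerConnected() || Debug.waitingForDebugger();
    }

    /** A release build must never be debuggable; if it is, the manifest was modified. */
    public static boolean buildIsDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** USB debugging on: a weak signal alone (developers), strong combined with the others. */
    public static boolean adbEnabled(Context ctx) {
        return Settings.Global.getInt(ctx.getContentResolver(),
                Settings.Global.ADB_ENABLED, 0) == 1;
    }

    /** Build-property fingerprints of the stock emulator and Genymotion. */
    public static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
                || Build.FINGERPRINT.contains("emulator")
                || Build.MODEL.contains("Emulator")
                || Build.MODEL.contains("Android SDK built for")
                || Build.HARDWARE.contains("goldfish")
                || Build.HARDWARE.contains("ranchu")
                || Build.PRODUCT.contains("sdk")
                || Build.MANUFACTURER.contains("Genymotion")
                || (Build.BRAND.startsWith("generic") && Build.DEVICE.startsWith("generic"));
    }

    /**
     * Hooking frameworks load their agent into the target process, so its library name
     * appears in the memory map. Heuristic: a renamed agent will not be caught.
     */
    public static boolean instrumentationMapped() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                String l = line.toLowerCase();
                if (l.contains("frida") || l.contains("xposed") || l.contains("substrate")) {
                    return true;
                }
            }
        } catch (IOException e) {
            // maps unreadable: no evidence either way
        }
        return false;
    }

    /** Combined verdict used to refuse account creation or trading. */
    public static boolean hostileEnvironment(Context ctx) {
        return debuggerAttached() || buildIsDebuggable(ctx) || adbEnabled(ctx)
                || looksLikeEmulator() || instrumentationMapped();
    }
}
```

Run these at account-creation and before every order, and treat the result as an input to the server-side fraud decision rather than only as a local block, so a patched client cannot simply skip it. Because `Debug.isDebuggerConnected()` is itself a Java method an attacker can hook, duplicate the debugger check in native code (read `TracerPid` from `/proc/self/status`, or call `ptrace(PTRACE_TRACEME)` and fail if it is refused); that is the anti-hooking layer the transport and signing checks above depend on.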
Keeping Pace with Innovation
While not strictly one of the top 5 cyber attacks on investment apps, keeping pace with innovation is critical to survival: new investment apps are launched and new features are added to existing ones every day, and app makers are all vying for the same investment dollars and attention. With all of this innovation, whether adding BNPL functionality or evolving into super apps, hackers know investment apps are juicy targets. Investment app makers need a way to keep pace with that innovation while securing the app.
With Appdome, cybersecurity and DevSecOps teams have a system to select the protections needed in each build and then build those protections into each app, without coding or SDKs. Because Appdome is a system, organizations don’t start from scratch to protect each mobile app. They can leverage existing Appdome protection templates, build on them to meet any compliance objective, respond to attacks and new threats as they emerge, adapt to and pass pen tests, and stay ahead of fraud, malware and attackers, all while keeping up with the pace of innovation needed to compete with other investment app makers.
I’d be happy to discuss these recommendations with you or design a security solution for your investment app.