Flaws in cryptocurrency management apps

The vast majority of Android mobile apps available on the official Google Play Store that are meant for the management of cryptocurrencies are vulnerable to the most common and well-known vulnerabilities, according to a report published today by Swiss cyber-security firm High-Tech Bridge.

The report was put together by scanning the most popular cryptocurrency management apps using Mobile X-Ray, a free web-based mobile app scanner that launched this month.

Mobile X-Ray performs a combination of static and dynamic analysis tests, along with simple behavior testing for privacy and malicious functionality.

Over 90% of all scanned apps were vulnerable

High-Tech Bridge researchers used Mobile X-Ray to scan 90 popular Android apps for common vulnerabilities and various weaknesses and say that over 90% of all apps "may be in trouble."

Some of these flaws can be automated part of exploitation chains included with Android banking trojans. With Bitcoin and various other cryptocurrencies reaching all-time high trading prices, the flaws in these apps expose users to theft and other financial fraud.

Apps featured well-known vulnerabilities, included hardcoded API keys and passwords, did not use encryption, and were vulnerable to MitM attacks.

Problem lies with app developers

The type of vulnerabilities the security firm discovered are inconceivable if we take into account that we're in 2017 and security experts have been preaching about these bugs for almost a decade.

Nonetheless, this is not an edge case, and these types of flaws have been found on a regular basis in all categories of mobile apps —not necessarily cryptocurrency apps— such as banking, healthcare, dating, and stock trading.

All in all, the report shows once again that the problem lays deep in the Android app development community where security is never a priority.

"Unfortunately, I am not surprised with the outcomes of the research," said Ilia Kolochenko, CEO and Founder of High-Tech Bridge. "For many years, cybersecurity companies and independent experts were notifying mobile app developers about the risks of “agile” development that usually imply no framework to assure secure design, secure coding and hardening techniques or application security testing."

The table below breaks down the study's results.

Issue 30 Apps with 100K+ installs 30 Apps with 100K-500K installs 30 Apps with 500K+ installs
Apps contained at least 3 medium-risk vulnerabilities 93% 66% 94%
Apps contained at least 2 high-risk vulnerabilities 90% 87% 77%
Apps were vulnerable to MitM attacks 87% 37% 17%
Apps contained hardcoded sensitive data including passwords or API keys 66% 34% 44%
Apps used functionality that could jeopardize user privacy 57% 17% 66%
Apps did not have any hardening or protection of their backend (APIs or web services) 70% 77% 94%
Apps sent [potentially] sensitive data without any encryption over HTTP 80% 37% 66%
Apps sent [potentially] sensitive data with weak or insufficient encryption 37% 24% 50%
Apps used SSLv3 or TLS 1.0 [banned by PCI DSS] 77% 70% 94%
Apps had backends (APIs or web services) vulnerable to POODLE vulnerability 44% 14% 0%
Apps didn’t have any protection against reverse-engineering 100% 100% 100%