A security study on Hong Kong's Android-based stock trading mobile applications (STMAs) revealed alarming results. Among the 140 Android STMAs evaluated against more than 20 security criteria, over 86% failed to meet the top five criteria, and all of them (100%) failed two criteria: malicious code injection and dynamic debugging attack.
Conducted by Mobile Security Research Lab, a member of the Hong Kong Wireless Technology Industry Association (WTIA), the study downloaded 140 Android STMAs listed on Hong Kong Exchange and analyzed them between April and July 2017. Security researcher Paul Chow said all of them were evaluated with automated tools against 22 security criteria, and 73 STMAs were randomly picked for further investigation against three additional criteria assessed manually.
High percentage of insecurity
Chow said the total of 25 security criteria were selected based on the OWASP 2016 Mobile Top 10 risks. Fifteen of these criteria were rated high severity, yet a large proportion of STMAs failed them: malicious code injection (100%), root detection (86%), screen hijack exploit (83%) and data backup (78%).
Dynamic debugging was rated medium severity, but 100% of the STMAs were classified as insecure on this criterion. Only four criteria were passed by every app, and only because the STMAs do not include the related features.
The findings were also compared with similar studies conducted by the Professional Information Security Association (PISA) over the past two years. On the ability to provide secure communication (one of the 25 criteria), the situation has improved: 63% of STMAs failed this criterion in 2015, compared with 44% in 2017.
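Two of the criteria named above, dynamic debugging and data backup, correspond directly to attributes on the `<application>` element of an app's AndroidManifest.xml: `android:debuggable`, which lets a debugger attach to the running process, and `android:allowBackup`, which permits the app's private data to be extracted through the platform backup mechanism. The following is an added example, not the study's tooling or any securities firm's code: a small Python check, run over two constructed manifests (one weak, one hardened), that flags these two settings the way a static scan would. It assumes a decoded manifest; a real APK carries the manifest in binary form and must be decoded first with a tool such as apktool.

```python
"""Static check of a decoded AndroidManifest.xml for two criteria: dynamic
debugging (android:debuggable) and data backup (android:allowBackup).
Added example; not the study's tooling. The manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a hypothetical app that would fail both criteria:
# debuggable is explicitly true, and allowBackup is absent (Android defaults it to true).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.trading">
    <application android:label="Trading" android:debuggable="true">
        <activity android:name=".MainActivity" />
    </application>
</manifest>
"""

# Constructed manifest with both flags set the way a hardened release build should have them.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.trading">
    <application android:label="Trading"
        android:debuggable="false"
        android:allowBackup="false">
        <activity android:name=".MainActivity" />
    </application>
</manifest>
"""


def _android_attr(elem, name, default):
    """Read a namespaced android:<name> attribute, returning default when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def check_manifest(xml_text):
    """Return the list of failing settings found in the manifest's <application> element.

    Possible entries: "debuggable" (android:debuggable="true") and
    "allowBackup" (android:allowBackup="true" or not set, since the platform
    default is true).
    """
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    findings = []
    # android:debuggable defaults to false when absent; only an explicit "true" is a finding.
    if _android_attr(app, "debuggable", "false").strip().lower() == "true":
        findings.append("debuggable")
    # android:allowBackup defaults to true when absent, so absence counts as a finding too.
    if _android_attr(app, "allowBackup", "true").strip().lower() == "true":
        findings.append("allowBackup")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print("%s manifest: %s" % (label, ", ".join(check_manifest(text)) or "no findings"))
```

The check deliberately treats a missing `android:allowBackup` as a failure, because the platform default is permissive; a scanner that only looks for an explicit `"true"` would miss the more common case where the developer never set the attribute at all.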
“Hong Kong people cannot live without using their mobile apps,” said Chow. “I sincerely hope the developers, after reading this report, will put priority on improving the security level of their apps.”
In addition to failing these criteria, most of the STMAs did not implement two-factor authentication (2FA), although some provide dual-password authentication. Chow said the lack of 2FA could expose the apps to vulnerabilities including malicious code injection, root detection and keystroke loggers.
Frankie Leung, president of the ISC2 Hong Kong Chapter, added that 2FA has been deployed in many banks and is well recognized in the finance sector, but many securities firm operators chose to ignore its significance. He noted cost as the major concern in making such an investment.
“Most STMA users demand speed, in order to place the right order at the right time, but lack awareness of security,” added John Chiu, honorary chairman of WTIA. “When consumers start demanding more secure STMAs, the securities firms are likely to invest in security.”
Raising alerts to developers, public and authorities
“These alarming results reveal a deep-rooted problem in the security of mobile apps which involve online payment, and signal the urgency of actions needed,” stated the report. “Owners of such apps are encouraged to adopt security control measures in their software development life cycle (SDLC).”
Aiming to help mobile developers create more secure STMAs, the Mobile Security Research Lab also issued a guideline providing best practices for mobile app development.
“Mobile apps have become so much a part of our daily life. We have taken them for granted and neglected the security risks that we are exposed to,” added Chiu. “This report reveals the potential risk, and is a very good checklist for both app developers and the consumers using the apps day by day.”
Although the score of each individual mobile application is not available in the report, Leung of ISC2, who is also an advisor to the study, said the scores are available to STMA owners upon request. To raise awareness among the regulatory bodies, he added that the report, together with the score for each mobile application, will be shared with local authorities such as the SFC and HKMA.
“We are also considering sharing the data with the Consumer Council,” he said.
Another major objective of this study is to train and nurture local cybersecurity talent. As the lead of the research, Chow said the Mobile Security Research Lab commissioned nine students from the Vocational Training Council's Institute of Vocational Education (IVE) Chai Wan.
“It demonstrates that seamless cooperation between the business sector and education sector creates a win-win situation, and further potential for cooperation of a similar sort,” stated the report.