Over 90% of mobile cryptocurrency apps may be ‘in trouble,’ researchers say

Hold on to your Bitcoins! With the rising popularity of electronic currency, security researchers are sounding the alarm over mobile apps designed to store, process and trade cryptocurrencies.

Roughly 90% of a pool of 2,000 cryptocurrency mobile apps in the Finance section of the Google Play app store pose security risks, experts warn.

Currently trading at more than $11,000 apiece, the controversial Bitcoin has spurred tremendous interest in cryptocurrency – a virtual form of currency based on cryptographic algorithms.

Dozens of cryptocurrencies are available (Ethereum, Monero, Zcash, etc.), each with its own market cap – totaling a whopping $328,331,711,597.

“Obviously, cybercriminals could not pass on such an outstanding opportunity and are aggressively targeting all possible stakeholders of the emerging digital currency market,” according to High-Tech Bridge researchers.

Statistically, a new cryptocurrency gets compromised every week, inflicting millions in losses on those who take the plunge and convert their real cash into digital money in hopes of a fast and hefty return on investment.

However, the problems are only just beginning for those who invest heavily in “altcoins” (‘altcoin’ refers to crypto-coins in general).

Researchers warn that weaknesses in mobile cryptocurrency applications may lead to a breach of the mobile device or its data, while a vulnerable API could allow attackers to steal user data from the app’s server side.

The researchers performed dynamic, static and interactive testing on 2,000+ Android apps designed for cryptocurrency management and trading.

The firm tested the binaries for weaknesses, potential risks to user privacy, and for any trace of OWASP Mobile Top 10 vulnerabilities. Their findings should strike fear into the hearts of all cryptocurrency miners and/or traders.

Among the first 30 applications with up to 100,000 installations: 93% contain at least three medium-risk vulnerabilities; 66% contain hardcoded sensitive data (passwords or API keys); and 80% send “potentially” sensitive data unencrypted over plain HTTP.

Among the first 30 applications with up to 500,000 downloads, additional findings include: 37% are vulnerable to man-in-the-middle (MITM) attacks, exposing all data to interception; 70% still use SSLv3/TLS 1.0 – obsolete cryptographic protocol versions with known weaknesses; and 14% have backends vulnerable to POODLE (a padding-oracle attack against SSL 3.0 that an attacker in a MITM position can use to decrypt traffic).

Virtually all of the applications tested had no protection whatsoever against reverse-engineering.

Researchers put the blame on the “agile” software development movement, where security often takes a back seat to speedy development.

So, if you manage or trade altcoins, think twice before entrusting your virtual net worth to an obscure Android app that promises to let you grow your crypto-fortune on the go.

This is a Security Bloggers Network syndicated blog post authored by Filip Truta. Read the original post at: HOTforSecurity