back to article Mobile stock trading apps riddled with security holes

Mobile stock trading apps are riddled with security bugs. Stock trading apps have millions of users worldwide and process billions of pounds in traded shares but the security of the apps compares poorly with comparable mobile banking applications, security firm IOActive warns. Alejandro Hernandez, senior security consultant …

  1. Pascal Monett Silver badge
    FAIL

    An interesting development

    Here we are at the apex of money and IT, and they still don't put in the money to ensure things are secure.

    I'm guessing it's because time is money, so it is better to risk being hacked rather than take longer to get an app that can get your entire portfolio hacked ? Um, somehow that doesn't sound so good at second reading.

    No, things will carry on until some golden boys get ruined because of poor security. That will be the call to 1) have a few class-action lawsuits (hey, the lawyers aren't going to miss a golden opportunity like that, now will they ?) and 2) have other golden boys invest serious money in doing it right.

    Because there's never enough money to do it right the first time, but always enough to do it over again.

    1. Christian Berger

      IT security is like partying...

      .... yes it may cost a bit of money, but lack of money typically isn't the problem!

      The problem here is that most mobile developers are people who are fairly new to programming. It's just a trendy way to start, just like web development used to be, or Windows GUI development with Delphi or VB in the 1990s.

      Therefore you mostly get unexperienced people working there. People who have "seen the world of IT" rarely mess with mobile app development.

      So what's left over are the people who have very little idea of what they are doing. Some of them will have an overinflated ego and charge lots of money, while most of them will work for standard wages.

      Just like partying, IT security is about people and their mindsets, not money. You can have a great party with virtually no money, and you can spend a lot of money on a dull party.

    2. John Smith 19 Gold badge
      Unhappy

      "better to risk being hacked rather than take longer to get an app that..entire portfolio hacked ?"

      That's like asking do you want a punch in the face or a knee to the groin, when you don't want either.

      But note, it's not their money that's in danger.

      It's yours.

      And your personal details.

      The app is merely a a tool for the trading company to get faster access to your money.

      IOW from their PoV security not that necessary, and knowing more about their customers (as cheaply as possible) is always nice (for them).

  2. MiguelC Silver badge

    Would be helpful

    to know which apps were tested on each platform and what failings do they individually have...

    1. David Kelly 2

      Re: Would be helpful

      Ditto. Which apps did (or didn’t) do what?

    2. FrogsAndChips

      Re: Would be helpful

      It's explained in the article:

      IOActive [...] is currently going through the disclosure process hence its decision not to release the names of the apps it tested.

      You can expect to see later the names of the apps whose editors fail to act on the findings.

    3. phuzz Silver badge

      Re: Would be helpful

      As FrogsandChips points out, the article answers your question, but if you're still curious, they say they tested the top 21 apps, which should be easy enough to figure out, and that one belonging to a company that was hacked a long time ago was secure.

      So provided you can work out which that one app is (out of twenty one candidates) you've got the only one that you should feel even vaguely safe using.

      There's even a screenshot of one of the crap ones.

  3. Claptrap314 Silver badge

    Of course, the other problem is that if you are talking to an IoT potential employer, and you bring up security concerns, they "decide to look for additional candidates". This is worse than the Corvair.

    1. Joe Werner Silver badge

      @claptrap

      ... but those decision makers (ha!) who don't want to get responsible developers, "die soll der Blitz beim Scheißen treffen". Ancient (well... could be ;) ) German curse.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022