Machine Identities Undervalued by Stock Trading Apps [Yet Again]

October 25, 2017 | Scott Carter

Time and again we see evidence that the importance of machine identities to security is severely under-acknowledged. A new investigation by IOActive reveals that most mobile apps for stock trading are not entirely secure and could allow an attacker to hijack the apps' communications. (More about that later.) But this oversight is not altogether surprising. With rigid SLAs and compressed timelines for continuous development, security is just not top of mind for developers.

Here’s the simple security step that most developers aren’t thinking about. Machines talk to other machines, whether they are servers, laptops, applications or mobile devices. Those communications must be secure. Authenticated encryption gives users the assurance that their machine is communicating with the machine it should be talking to and that those communications are protected from eavesdropping. Keys and certificates are the tools a machine uses to validate the machine identities on both sides of the communication.

Here’s where it gets nasty. If you allow your machine’s identity to become compromised, you run the risk of a stranger taking control of your machine, impersonating you and doing things you probably don’t want them to be doing. Much of the mobile app world (and others) just doesn’t seem to realize the impact of loosely controlled machine identities. That was certainly the case with the majority of stock trading apps investigated by IOActive.

IOActive researcher Alejandro Hernández looked at 21 leading stock trading apps and found that 68% of Android and iOS apps failed to validate SSL certificates. What does this mean and why is it serious? Naked Security breaks it down, “When you engage in a secure connection using HTTPS you’re given a public key by the system you’re connecting to and that key is signed by a digital certificate that identifies them. Anyone can create a certificate but unless the details in it have been vouched for by a CA (Certificate Authority) it’s deemed untrustworthy.” What’s the impact? “If apps don’t bother to check if a CA has vouched for a certificate then all bets are off. Any certificate could be presented, by anybody, without setting off any alarms.”

Granted, it is a bit surprising that certificate security could be so lax for apps that have so much potential financial impact. But it becomes downright alarming when you remember that this is not our first time down this road. The industry should have learned its lesson when banking apps faced similar problems with online banking security in 2013. At that time, IOActive found that 40% of iOS banking apps accepted TLS certificates without validating them. (Even two years later IOActive discovered that 12.5% of banking apps still did not validate certificates.)

If an app does not properly validate a certificate, it opens the door to security risks such as man-in-the-middle attacks and increases the likelihood of users connecting to phishing sites.
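The two validation failures the post describes (accepting a certificate no CA vouched for, and never checking that the certificate names the host) are both client configuration choices. The added example below is not IOActive's or Venafi's code; it uses only Python's standard library to show the weak configuration next to the corrected one, plus a small audit function a reviewer can run against any TLS client context to catch these mistakes before release.

```python
"""Audit a TLS client configuration for the certificate-validation mistakes
described above: skipping CA verification and skipping hostname checks.

Added example (not IOActive's or Venafi's code); standard library only.
"""
import ssl
from typing import List


def build_weak_context() -> ssl.SSLContext:
    """The anti-pattern: any certificate, presented by anybody, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # cert's name is never compared to the host
    ctx.verify_mode = ssl.CERT_NONE     # no CA has to vouch for the certificate
    return ctx


def build_hardened_context() -> ssl.SSLContext:
    """The corrected form: a trusted CA must sign the cert and it must match the host."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname, system CA roots
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return human-readable findings; an empty list means validation is intact."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid cert for another host is accepted")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no CA roots loaded: no authority can vouch for any certificate")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", build_weak_context()), ("hardened", build_hardened_context())):
        print(label, audit_context(ctx) or ["OK"])
```

The weak context is the shape a certificate-validation bypass usually takes in client code; the audit flags it because `verify_mode` and `check_hostname` are inspectable at runtime, so the same check can run in a CI test against the app's real HTTP client setup.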

It appears that we have hit snooze one too many times on the certificate security wake-up call. It’s past time we realized the importance of protecting machine identities, especially for apps that support the financial industry. One way to improve that awareness is to build certificate management into the development process. DevOps automation is one tactic that will help ensure that proper certificate security measures are not overlooked.

How secure are the apps that your enterprise relies on? Can you track and validate mobile certificates?

About the author

Scott Carter

Scott Carter writes for Venafi's blog and is an expert in machine identity protection.
