Cryptocurrency apps have severe security vulnerabilities, but do investors care?
A market cap of over $350 billion, daily volumes in excess of $10 billion, fast-rising prices, a growing number of investors and little to no regulation all combine to make the cryptocurrency space a prime target for hackers. What's more, security is not exactly a main priority for many investors and exchanges, as numerous thefts go to show.
Making things even more complicated is the fact that lots of cryptocurrency apps, which let investors and traders store coins, have dangerous vulnerabilities that hackers can exploit to steal users' funds.
This is based on a report from security firm High-Tech Bridge, which analyzed the top 30 crypto apps in the Finance section on Google Play. High-Tech Bridge looked at apps with up to 100,000 installs, between 100,000 and 500,000 installs, and over 500,000 installs, to cover some of the most popular titles available to Android users.
When it comes to crypto apps with over 500,000 installs, 77 percent have at least two high-risk vulnerabilities and 94 percent have at least three medium-risk ones. Nearly half (44 percent) have hardcoded passwords or API keys -- which, as any security-conscious person would tell you, is bad practice.
It does not get any better when we look at data encryption, as most of those apps send data unencrypted over HTTP. Half send data that is weakly encrypted. Even worse, 94 percent of those crypto apps rely on SSLv3 or TLS 1.0, both of which are deemed insecure by experts due to dangerous vulnerabilities in their design.
Also, no app that High-Tech Bridge analyzed has any sort of protection against reverse-engineering. The good news is that at least the data does not reach servers vulnerable to POODLE -- if that's any consolation.
Things are pretty similar (meaning, bad) for the other two categories. High-risk vulnerabilities are more likely to be found in apps with fewer than 500,000 installs, and the chance of MITM attacks is higher too.
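To make the cleartext-HTTP and SSLv3/TLS 1.0 findings above concrete, here is an added example (not code from the report or from any of the apps it analyzed) of how an Android app using the OkHttp library can be configured so that both weaknesses are rejected at the client. It assumes OkHttp 3.11 or later, where TlsVersion.TLS_1_3 is available.

```java
import java.io.IOException;
import java.util.Collections;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.TlsVersion;

/**
 * Hardened HTTP client for an Android wallet or exchange app.
 *
 * Two of the report's findings are addressed here:
 *  - data sent unencrypted over HTTP: the client is given no CLEARTEXT
 *    connection spec, so any http:// URL fails before a socket is opened;
 *  - reliance on SSLv3 / TLS 1.0: the only spec offered is TLS 1.2 or 1.3,
 *    so a server that negotiates anything older is refused.
 *
 * Hardcoded API keys (the report's third finding) are deliberately absent:
 * the key is passed in at runtime by the caller, e.g. from an account
 * login, never compiled into the APK where it can be recovered.
 */
public final class HardenedClient {

    /** TLS 1.2+ only; omitting ConnectionSpec.CLEARTEXT disables plain HTTP. */
    private static final ConnectionSpec TLS_1_2_PLUS =
            new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                    .tlsVersions(TlsVersion.TLS_1_2, TlsVersion.TLS_1_3)
                    .build();

    public static OkHttpClient build() {
        return new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(TLS_1_2_PLUS))
                .build();
    }

    /** Example call; apiKey is supplied at runtime, not hardcoded. */
    public static String fetchBalance(OkHttpClient client, String url, String apiKey)
            throws IOException {
        Request request = new Request.Builder()
                .url(url)                          // https:// required; http:// throws
                .header("Authorization", "Bearer " + apiKey)
                .build();
        try (Response response = client.newCall(request).execute()) {
            if (!response.isSuccessful()) {
                throw new IOException("HTTP " + response.code());
            }
            return response.body().string();
        }
    }
}
```

Pairing this with `android:usesCleartextTraffic="false"` in the app manifest makes the cleartext ban apply to every networking library in the process, not just OkHttp.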
"To minimize security vulnerabilities and weaknesses in mobile applications, developers should carefully plan and rigorously implement security and privacy from the early stages of development. Internal and external application security testing is also critically important and should be performed on a regular basis. Requirements of various regulations, such as GDPR, should also be assessed and duly implemented," says High-Tech Bridge CEO and founder Ilia Kolochenko.
But since investors do not seem highly concerned with security risks (volumes are growing and prices are rising at an incredible pace, even though hundreds of millions of dollars were only recently locked in a major Ethereum wallet, for instance), developers lack a major incentive to fix the problems.