Cryptocurrency apps with millions of downloads are exposing your data to hackers
Half of tested apps with more than 500,000 installations had weak encryption.
Some of the most popular cryptocurrency apps on Google Play, the official Android marketplace, have severe security issues that could leave digital money open to hackers, research suggests.
With the total number of cryptocurrency apps now available exceeding 2,000, cybersecurity firm High-Tech Bridge analysed some of the most popular in an attempt to find privacy risks.
Taking the first 30 applications in Google Play's Finance section with up to 100,000 installations, it found 90% contained at least two high-risk vulnerabilities.
In addition, 93% of the tested apps contained at least three medium-risk flaws, 87% were open to data interception – or Man in the Middle (MitM) attacks – while not a single one stopped reverse-engineering.
Of the first 30 applications with more than 500,000 installations, 94% contained at least three medium-risk issues, and 77% had at least two high-risk bugs.
Furthermore, the firm said half of the most popular software was sending potentially sensitive data with "weak or insufficient encryption" – which is used to protect user details.
It noted that 94% used outdated encryption standards that are known to be open to hackers.
"Unfortunately, I am not surprised with the outcomes of the research," commented Ilia Kolochenko, CEO and founder of High-Tech Bridge, in a statement.
"For many years, cybersecurity companies and independent experts were notifying mobile app developers about the risks of agile development that usually imply no framework to assure secure design, secure coding and hardening techniques or application security testing."
Cryptocurrency is frequently the target of hackers and cybercriminals, and the fresh analysis only bolsters the idea that key security issues – if left unattended – will help to enable future financial theft. Bitcoin on Tuesday (28 November) soared past $10,000 in value per coin.
According to Kolochenko, the findings were just the "tip of the iceberg".
He continued: "A mobile app usually contains far fewer exploitable vulnerabilities than its backend. Weakness in a mobile application may lead to breach of the mobile device or its data, while a vulnerable API on the backend may allow attackers to steal the integrity of users' data.
"To minimise vulnerabilities and weaknesses in mobile applications, developers should carefully plan and rigorously implement security and privacy from the early stages of development."
The firm's research did not reveal the names of the tested applications as some bugs may remain.