Many Popular Crypto-Related Mobile Apps Fail to Protect Users

July 06, 2022
By Special Guest
Brian C. Reed, Chief Mobility Officer, NowSecure

The popular cryptocurrency mobile app MetaMask recently had two major security vulnerabilities. In December 2021, a software flaw enabled cybercriminals to mint and redirect digital assets such as NFTs. Then in April 2022, an iCloud data backup function made users vulnerable to phishing attacks in which one collector lost $650,000. Indeed, software security issues in crypto mobile apps enabled criminals to steal $1.22 billion in cryptocurrency during the first three months of 2022.

A NowSecure April 2022 benchmark analysis of nearly 200 popular iOS and Android cryptocurrency wallet and exchange apps showed that nearly 65% failed to meet basic privacy and security standards. The analysis also found that more than one third of the sample group had high-risk security flaws. Some of the world’s most widely used mobile cryptocurrency apps put millions of users at risk because they expose sensitive data, use insecure cryptography or rely on insecure network connections.

Crypto App Usage Is Booming

Mobile cryptocurrency apps have surged in popularity in the last year. Coinbase now has over 73 million users, and RobinHood is rising in the app store ranks. Even CashApp, PayPal and Venmo have stepped into the crypto arena by allowing users to buy and store Bitcoin. This fast-moving, loosely regulated market, combined with rapid mobile adoption, has made cryptocurrency-related apps the fastest-growing subset of the finance category.

But as our NowSecure analysis found, many popular crypto apps have security vulnerabilities.

These issues reside within the code itself and stem from developers using malicious open-source code or mistakenly writing insecure code from the start. Additionally, outdated or infected software libraries, misconfigured network connections and improper file permissions within the software make it easier for attackers to collect user data, seize control of an app or hijack the device altogether.

Insufficient testing and poor governance allow these security and privacy bugs to escape into the wild. Alarmingly, many of the mobile apps NowSecure reviewed failed to meet even minimum industry standards for security and privacy established by the Open Web Application Security Project (OWASP) Mobile Project.

NowSecure Methodology

Our review covers mobile apps available on the Apple App Store and Google Play Store as of April 2022. Because developers release new code as frequently as daily or weekly, these results may change quickly. The review includes mobile digital wallet apps and cryptocurrency exchange apps.

We scored mobile apps on a scale of 0-100 and assigned a pass-or-fail letter grade: A (100-90), B (89-80), C (79-70), D (69-60) or F (59 or less). Mobile apps that scored an A or B are high-quality, low-risk apps considered the most secure; they have been verified in testing to protect credentials, encrypt data, transactions and PII, and properly use permissions.

The mobile apps that scored a C (79-70) carry medium risk and should be used with caution and monitored on a regular basis. Mobile apps in the C range may leak sensitive information or request excessive, unnecessary permissions, such as a budgeting app that gains access to the contact address book, GPS data or the camera.

Apps that scored a D or F (69 or less) are high risk and should not be used until developers fix the security bugs. Failing mobile apps have known software vulnerabilities that developers should address immediately, such as leaking an unencrypted user ID, password or account info over the network, or being open to man-in-the-middle attacks or data scraping.
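Two of the failure conditions above, excessive permissions and unencrypted network traffic, are visible in an Android app's manifest before any dynamic testing. The following checker is an added example written for this article, not NowSecure's tooling or scoring method; the manifests are constructed, and the list of "sensitive" permissions is an assumption chosen for a finance app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a wallet or exchange app rarely needs; flagged for review.
# This set is an assumption for the example, not NowSecure's criteria.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
}

# Constructed manifest showing the weak settings: an address-book
# permission, cleartext HTTP allowed, and app data eligible for backup.
WEAK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:usesCleartextTraffic="true"
        android:allowBackup="true"/>
</manifest>"""

# Constructed manifest with the corrected settings.
HARDENED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:usesCleartextTraffic="false"
        android:allowBackup="false"/>
</manifest>"""


def audit_manifest(manifest_xml: str) -> list[str]:
    """Return a list of findings for an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    findings = []
    # Excessive permissions, like the budgeting-app example in the article
    for perm in root.iter("uses-permission"):
        name = perm.get(f"{{{ANDROID_NS}}}name", "")
        if name in SENSITIVE_PERMISSIONS:
            findings.append(f"sensitive permission requested: {name}")
    app = root.find("application")
    if app is not None:
        # Cleartext HTTP lets credentials cross the network unencrypted
        # and leaves the app open to man-in-the-middle attacks
        if app.get(f"{{{ANDROID_NS}}}usesCleartextTraffic") == "true":
            findings.append("cleartext network traffic is enabled")
        # allowBackup includes app data in device backups; the iCloud
        # backup exposure described above is the iOS counterpart
        if app.get(f"{{{ANDROID_NS}}}allowBackup") == "true":
            findings.append("app data is eligible for backup (allowBackup=true)")
    return findings
```

Running audit_manifest over both manifests reports three findings for the weak one and none for the hardened one; in a real review the checker would be run against the manifest extracted from the APK under test.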

How Secure Are Your Digital Assets?

In March 2021, some users were duped out of coins by a fake mobile app disguised as a Trezor wallet companion. Unfortunately, the mobile app stores are not well equipped to stop every malicious or vulnerable application from appearing in their catalogs.

Criminal mobile app developers can submit apps to the app store, then transform them through updates into phishing apps. From there they can collect user data until the app store finds out, removes the apps and bans the developers. As crypto adoption increases, newcomers to crypto apps will become prime targets for cyberattacks.

Our review shows that most of the cryptocurrency-related mobile apps that holders and traders trust appear to have serious security and privacy flaws. These bugs allow hackers to change wallet addresses and/or collect personal information, eroding the trust cryptocurrencies aim to achieve. Several high-risk apps are susceptible to man-in-the-middle attacks that give threat actors an easy way to steal data.

“The largest problem I see is one of contracted developers providing products to teams that don't understand mobile security best practices or mobile security and privacy standards,” says Russel Waters, Senior DevOps Engineer for NowSecure. “Blockchain developers aren’t necessarily mobile developers or security professionals. Thus they are unaware, unable or unwilling to audit or fix issues. Many crypto projects use mobile apps as a gimmick to further marketing and adoption without regard for the end user’s security and privacy.”

Meeting the Challenge

Developers building crypto apps should ensure they are secure by upskilling on secure coding practices and continuously testing the apps throughout the software development lifecycle with an automated mobile application security testing tool. If your employees or corporate finance team use crypto apps, continuously monitor them for security, privacy and compliance risks to determine whether they are safe to use.

About the author

As NowSecure Chief Mobility Officer, Brian Reed brings decades of experience in mobile, apps, security, development and operations management at NowSecure, Good Technology, BlackBerry, ZeroFOX, BoxTone, MicroFocus and INTERSOLV, working with Fortune 2000 global customers, mobile trailblazers and government agencies. At NowSecure, Brian drives the overall go-to-market strategy, solutions portfolio, marketing programs and industry ecosystem. With more than 25 years building innovative products and transforming businesses, Brian has a proven track record in early and mid-stage companies across multiple technology markets and regions. A noted thought leader, Brian is a dynamic speaker and compelling storyteller who brings unique insights and global experience. Brian is a graduate of Duke University.

Edited by Erik Linask
