TD Ameritrade Android App Vulnerability

Update 6-13-15

In their 5-21-15 update, TD Ameritrade made this problem MUCH WORSE. Details at the bottom of this page.


TD Ameritrade's servers don't check the integrity of their Android app when it connects to their servers. It is therefore easy to modify the app, adding trojan code that does malicious things. An attacker who can trick people into using the trojaned app can exploit them.

This vulnerability does not affect people who are using the genuine app from the Google Play Store. It would only harm people who are tricked into installing a modified app from a Web site, email, etc.

The Proof of Concept code below merely logs the username and password, where other apps on the phone can see it, but there's nothing preventing a better programmer from sending that data, and all the other data the app has, out over the Net.

TD Ameritrade should add integrity-checking to their server-side code. Obfuscating their smali code with a real obfuscator that works, like DashO, and not just the useless Proguard, would also be an improvement.

Proof of Concept: Step by Step

Using the GenyMotion Android emulator, install the genuine App from the Google Play Store.

Pull the APK file from the device with adb, as shown below.

Decode the APK file with apktool, as shown below.

Modify the ConsumerApi.smali.smali file to steal the user ID and password, as shown below.

Build the APK and sign it, as shown below.

Drag the APK file from the dist/ directory and drop it on the emulator to install it.

Launch the app.

Click on "Log In"

Enter a user ID and password. Click "Log In".

The User ID and password are in the logs, as shown below.


I notified TD Ameritrade on Feb. 21, 2015, as shown below.

Update 5-22-15

There's a new version:

But the same Trojan still works:

Update 6-13-15

I took another look at that new version, and noticed that they made the problem MUCH WORSE. They still lack binary protections, so the app can be modified, but there's no need to modify it--the app now logs the password itself.

Here's the app I tested:

I log in with test credentials:

TD Ameritrade logs my credentials:

I went back to test the earlier version of the app, and it did not have this problem. TD Ameritrade is moving backwards.