White hat hackers at the Norweigan security firm Promon say a common weakness in some mobile phone company's operating systems can be abused to access the two candidates' apps.
It came just days after Mr Trump, 74, falsely told a campaign rally in Tuscon, Arizona that "nobody gets hacked". In 2016, three Dutch hackers claimed to have breached the president's Twitter account.
"The president’s statement sadly reflects a widely believed sentiment that secure passwords will protect you from hackers and that hacking, in general, doesn’t affect the average citizen," said Promon chief technology officer Tom Lysemose Hansen.
"Sadly, this isn’t the case. Absolutely nothing is 'unhackable' and even the most secure, high profile accounts are vulnerable should the user fall victim to a phishing attack which seeks usernames and passwords."
"The claim that 'nobody gets hacked' is simply untrue and — given the influence of the president — can have dangerous impacts on the behaviour of hundreds of thousands of people," he added.
On Monday, the president told thousands of supporters at a Make American Great Again rally that it was extremely difficult for people to get hacked.
"To get hacked you need somebody with 197 IQ and he needs about 15 per cent of your password," he said.
He had been referring to the C-SPAN political editor Steve Scully, who was recently suspended after lying about his Twitter account getting hacked.
The technical skills required to breach the two campaign apps was minimal, according to Mr Hansen.
"Regardless of whether you are new to the world of hacking or are a world-leading security researcher, it is not difficult to hack these apps," he said.
"Due to this critical Android vulnerability being so well-known, hackers can easily hijack these apps and overlay fake screens".