App Makers May Be Exposing Your Sensitive Data to Hackers
By Megan Geuss
Some popular apps store sensitive data such as user names and passwords and credit card information in plain text on your phone’s memory, making the data an easy target for hackers. A Chicago-based mobile forensics company called viaForensics recently found as much after completing an audit of dozens of the most popular apps on both iOS and Android platforms.
Some of the biggest-name apps–such as Android Mail for Exchange and Hotmail, Foursquare, and Groupon–stored the user’s passcode and portions of the information that the user accessed through the app, in clear text on the phone’s memory for versions of the apps released around the beginning of 2011.
If a criminal had physical access to your phone, it wouldn’t be very hard to find all that data and use it to commit identity theft; even remote access to your phone to harvest cached data is now becoming possible–the increase in mobile malware on Android phones and jailbroken iOS phones means that insecurities are more exploitable than ever.
You put a lot of information on your smartphone, mostly through apps that promise a standard of security and require a username and password to reach your personal data, at least on initial setup. But many of those apps keep that information on the phone when they don't have to, and when they do need to keep data on the device, they don't encrypt it.
Earlier this year, everyone was shocked that iPhones were storing their location data in an unencrypted file on the phone’s internal memory. But a history of location data seems like small fry compared with storing a password (considering that most people reuse their passwords for multiple accounts) or credit card numbers, or messages you’ve sent to your boss on the phone’s memory. Because phones are easily stolen, and Android phones especially have seen an increase in malicious apps (currently 2.5 times more common than they were six months ago, according to Lookout Mobile Security), storage of your private details shouldn’t be taken lightly.
ViaForensics has published the list of apps it tested, along with a summary of how much information each app revealed. ViaForensics contacted all of the app builders before publishing the results, so many of the apps tested are earlier versions that have since had the security holes fixed. But these are just a sampling of the hundreds of thousands of apps out there that keep more information stored on the phone than is absolutely necessary.
What Kinds of Apps Are Insecure?
According to viaForensics’s tests, all kinds of apps can have major security holes when storing app data and login information–apps ranging from financial planning to productivity to social networking. But it’s important to note that the apps themselves are not malicious (although apps built for the sole purpose of stealing people’s information exist, especially on the Android platform); nevertheless, these insecure apps might open you up to malicious attacks.
“Someone with moderate technical skill could download the Android SDK [software development kit], and if they got the phone they could read that data. [They’re] not doing anything that requires money,” says Ted Eull, vice president of technology services at viaForensics. And these holes are purely the result of hasty app building, Eull says. Storing passwords or app data in the clear on the device isn’t at all necessary for an app to work correctly. “Why store the sensitive data in the clear in the first place? If the data’s not there for harvesting, attackers won’t go after it,” Eull says.
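The kind of check Eull describes, as an added example that is not viaForensics’s tooling or any app’s code: once an app’s data directory has been pulled off a handset (on Android, for instance, `adb pull /data/data/<package>` from a rooted device, or an unpacked `adb backup`), a short script can walk the SharedPreferences XML files and SQLite databases and flag values that look like credentials or payment card numbers. Everything scanned here is constructed sample data written to a temporary directory; the package name, file names and the well-known Luhn-valid test number 4111111111111111 are illustrative only.

```python
"""Scan a pulled mobile app data directory for secrets stored in the clear.

Added example, not viaForensics' tooling. Sample files are constructed below.
"""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Key/column names that commonly hold secrets; a name hit is reported even if
# the value looks harmless, so the reviewer can confirm it by hand.
SECRET_KEY_RE = re.compile(
    r"(pass(word|code|wd)?|pwd|secret|token|cvv|cvn|session|auth)", re.I)
# Candidate payment card number: 13-19 digits, optionally space/dash separated.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters random digit runs out of PAN candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return Luhn-valid card-number candidates found in a string."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def check_value(source: str, key: str, value: str, findings: list):
    """Record a finding if the key name or the value looks sensitive."""
    if SECRET_KEY_RE.search(key):
        findings.append((source, key, "secret-named key stored in clear", value))
    for pan in find_pans(value):
        findings.append((source, key, "Luhn-valid card number", pan))


def scan_shared_prefs(path: str, findings: list):
    """Android SharedPreferences: <string name="k">v</string>, <boolean name="k" value="v"/>."""
    for el in ET.parse(path).getroot():
        value = el.text if el.text is not None else el.get("value", "")
        check_value(path, el.get("name", ""), value or "", findings)


def scan_sqlite(path: str, findings: list):
    """Test every text cell of every table in a SQLite database."""
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for t in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]
            for row in con.execute(f'SELECT * FROM "{t}"'):
                for col, cell in zip(cols, row):
                    if isinstance(cell, bytes):
                        cell = cell.decode("utf-8", "replace")
                    if isinstance(cell, str):
                        check_value(f"{path}:{t}", col, cell, findings)
    finally:
        con.close()


def scan_app_dir(app_dir: str):
    """Walk a pulled app data directory; returns (source, key, reason, value) tuples."""
    findings = []
    for dirpath, _, files in os.walk(app_dir):
        for fn in files:
            p = os.path.join(dirpath, fn)
            with open(p, "rb") as fh:
                header = fh.read(16)
            if header.startswith(b"SQLite format 3\x00"):
                scan_sqlite(p, findings)
            elif fn.endswith(".xml"):
                try:
                    scan_shared_prefs(p, findings)
                except ET.ParseError:
                    pass  # not a prefs file; skip
    return findings


def build_sample_app_dir():
    """Constructed sample data mimicking an insecure app's storage (not real data)."""
    app_dir = tempfile.mkdtemp(prefix="com.example.insecure-")  # hypothetical package
    os.makedirs(os.path.join(app_dir, "shared_prefs"))
    with open(os.path.join(app_dir, "shared_prefs", "login.xml"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                 '  <string name="username">alice@example.com</string>\n'
                 '  <string name="password">hunter2</string>\n'
                 '  <boolean name="remember_me" value="true" />\n</map>\n')
    os.makedirs(os.path.join(app_dir, "databases"))
    con = sqlite3.connect(os.path.join(app_dir, "databases", "wallet.db"))
    con.execute("CREATE TABLE cards (label TEXT, number TEXT, note TEXT)")
    # First row is the standard Luhn-valid test PAN; second row fails Luhn.
    con.execute("INSERT INTO cards VALUES ('main', '4111 1111 1111 1111', 'exp 12/27')")
    con.execute("INSERT INTO cards VALUES ('bogus', '1234567890123456', 'not a card')")
    con.commit()
    con.close()
    return app_dir


if __name__ == "__main__":
    for src, key, why, val in scan_app_dir(build_sample_app_dir()):
        print(f"{why}: {key}={val!r} in {src}")
```

Run against the constructed directory it reports two findings: the `password` preference stored in clear text and the Luhn-valid card number in `wallet.db`; the `1234567890123456` row is correctly ignored because it fails the Luhn check. The same two scanners (prefs XML and SQLite) cover most of what an Android app writes under its private data directory; on iOS the equivalents would be plist files and the same SQLite format.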
For some, having this information accessible is harmless–someone knowing your Foursquare username and password can’t do much with that name and password unless they happen to be the same as the username and password for your bank account or work email.
But certain apps, like a third-party download called “Starbucks Cards Manager” created by independent developer “evthedev” (who was not available for comment), stored the user’s entire Starbucks credit card number, expiration date, and CVN (card verification number), in readable memory on the phone.
Even more-popular finance apps like Square, the mobile credit-card reading app, kept some transaction information cached on the iPhone (the Android version securely stored most information accessed through Square, and passed with a warning). Although both versions of the app hid the user’s password properly, on iOS the merchant’s phone retained the last four digits of the buyer’s credit card number, and, as Eull puts it, “the ultimate fail was when you sign on the pad, the last signature [made in the app] was available on the memory of the phone.”
Luckily, those are exceptions, not the rule. Most finance apps (like Bank of America or PayPal) scored well on security, and the apps that scored really poorly tended to be social networking apps, like LinkedIn or AIM, where most users share less crucial information and are starting to expect a certain level of openness.
Malware Can Exploit Security Holes
Although the threat is still largely theoretical, malware might be the next big affront to your privacy on mobile devices. Eull noted that because user app data and login information are often stored in your phone’s readable memory, it’s possible for a hacker to create a piece of malware that extracts all the information you thought was secret while you’re using your phone.
Android users have faced a marked increase in instances of malware on their phones, usually acquired by downloading apps containing malicious code, and there’s no reason that this kind of malicious code couldn’t search for the unencrypted user names, passwords, and other app data that more popular apps are storing. (On an unrooted Android phone the per-app sandbox keeps one app’s private files out of another app’s reach, so such harvesting is easiest where the device is rooted or the data has been written to shared storage that any app can read.)
Alicia diVittorio, Communications Director at Lookout Mobile Security, warns against downloading questionable apps that could put the information on your other “safe” apps in jeopardy. “People are downloading these apps that could give access to information on phones,” diVittorio said, “and when you’re using unencrypted Wi-Fi, anyone who’s also on that Wi-Fi could see the data transferred. Data from the app should be encrypted, and the Wi-Fi should be encrypted,” to really stop any predatory activity on your mobile device. Using 3G exclusively will eat up your data usage, but if you can’t find trustworthy Wi-Fi in your location, it might be a good idea to turn your phone’s Wi-Fi connection off. Also, downloading a security app like Lookout that can scan for malware on your phone can help you protect your phone from infiltration.
While a lot of this might be worst-case-scenario speculation, it also opens up a serious discussion that needs to take place in the tech world about who is ultimately responsible for your privacy and security. Should Apple or Google police how information is stored on their operating systems? Should app developers adhere to a unified standard of security more rigorous than they do currently? Or is it up to the consumer to look out for his or her own safety, even if the vast majority of smartphone users won’t ever take the time to learn about how their device works or how to protect themselves from a security breach? Lookout’s diVittorio echoes the thrust of viaForensics’s study, commenting that “App developers need to realize that private information requires caution, and if you’re an app developer, a lot of the burden is on you to create an app that’s safe.”
Although clearly not every app developer is tuned in to the mandate to protect users’ security, Andrew Hoog, the CIO of viaForensics, is hopeful: “In November of last year apps were storing banking information insecurely,” he says, and now, “we’re seeing a positive trend” in the way developers build their apps to guard against breaches. But app developers need to get better at building in security a lot faster than their malware-developing counterparts, or face an ugly wake-up call of user dissatisfaction.