App Makers May Be Exposing Your Sensitive Data to Hackers

  1. #1 DownForce

    App Makers May Be Exposing Your Sensitive Data to Hackers

    Researchers have found that certain apps are storing sensitive data--like passwords, email, and credit card numbers--in plain text on your phone's memory, easily within the reach of hackers.

    Some popular apps store sensitive data such as user names and passwords and credit card information in plain text on your phone's memory, making the data an easy target for hackers. A Chicago-based mobile forensics company called viaForensics recently found as much after completing an audit of dozens of the most popular apps on both iOS and Android platforms. Some of the biggest-name apps--such as Android Mail for Exchange and Hotmail, Foursquare, and Groupon--stored the user's passcode and portions of the information that the user accessed through the app, in clear text on the phone's memory for versions of the apps released around the beginning of 2011.

    If a criminal had physical access to your phone, it wouldn't be very hard to find all that data and use it to commit identity theft; even remote access to your phone to harvest cached data is now becoming possible--the increase in mobile malware on Android phones and jailbroken iOS phones means that insecurities are more exploitable than ever.

    You put a lot of information on your smartphone, mostly through apps that promise a standard of security and require usernames and passwords to access your personal data, at least on the initial setup of the application. But many of those apps unnecessarily store that information on the phone when they don't have to, and they don't encrypt all of their information when they do have to store the information offline.

    Earlier this year, everyone was shocked that iPhones were storing their location data in an unencrypted file on the phone's internal memory. But a history of location data seems like small fry compared with storing a password (considering that most people reuse their passwords for multiple accounts) or credit card numbers, or messages you've sent to your boss on the phone's memory. Because phones are easily stolen, and Android phones especially have seen an increase in malicious apps (currently 2.5 times more common than they were six months ago, according to Lookout Mobile Security), storage of your private details shouldn't be taken lightly.

    You can check out the list of apps that viaForensics tested here: http://viaforensics.com/appwatchdog/ along with a summary of how much information each app revealed. ViaForensics contacted all of the app builders before publishing the results, so many of the apps tested are earlier versions that have since had the security holes fixed. But these are just a sampling of the hundreds of thousands of apps out there that keep more information stored on the phone than is absolutely necessary.

    What Kinds of Apps are Insecure?

    According to viaForensics's tests, all kinds of apps can have major security holes when storing app data and login information--apps ranging from financial planning to productivity to social networking. But it's important to note that the apps themselves are not malicious (although apps built for the sole purpose of stealing people's information exist, especially on the Android platform); nevertheless, these insecure apps might open you up to malicious attacks.

    "Someone with moderate technical skill could download the Android SDK [software development kit], and if they got the phone they could read that data. [They're] not doing anything that requires money," says Ted Eull, vice president of technology services at viaForensics. And these holes are purely the result of hasty app building, Eull says. Exposing passwords or app data in the SDK isn't at all necessary for an app to work correctly. "Why store the sensitive data in the clear in the first place? If the data's not there for harvesting, attackers won't go after it," Eull says.

    For some, having this information accessible is harmless--someone knowing your Foursquare username and password can't do much with that name and password unless they happen to be the same as the username and password for your bank account or work email.

    But certain apps, like a third-party download called "Starbucks Cards Manager" created by independent developer "evthedev" (who was not available for comment), stored the user's entire Starbucks credit card number, expiration date, and CVN (card verification number) in readable memory on the phone.

    Even more-popular finance apps like Square, the mobile credit-card reading app, kept some transaction information cached on the iPhone (the Android-based version securely stored most information accessed on Square, and passed with a warning). Although both versions of the app hid the user's password properly, on iOS the merchant's phone contained the last four digits of the buyer's credit card number, but "the ultimate fail was when you sign on the pad, the last signature [made in the app] was available on the memory of the phone," Eull says.

    Luckily, those are exceptions, not the rule. Most finance apps (like Bank of America or PayPal) scored well on security, and those apps that scored really poorly were social networking apps, like LinkedIn or AIM, where most users share less crucial information and are starting to expect a certain level of openness.

    Malware Can Exploit Security Holes

    Although the threat is still largely theoretical, malware might be the next big affront to your privacy on mobile devices. Eull noted that because user app data and login information is often stored on your phone's readable memory, it's possible for a hacker to create a piece of malware that extracts all the information you thought was secret while you're using your phone.

    Android users have faced a marked increase in instances of malware on their phones, usually acquired by downloading apps containing malicious code, and there's no reason that this kind of malicious code couldn't search for the unencrypted user names, passwords, and other app data that more popular apps are storing.

    Alicia diVittorio, Communications Director at Lookout Mobile Security, warns against downloading questionable apps that could put the information on your other "safe" apps in jeopardy. "People are downloading these apps that could give access to information on phones," diVittorio said, "and when you're using unencrypted Wi-Fi, anyone who's also on that Wi-Fi could see the data transferred. Data from the app should be encrypted, and the Wi-Fi should be encrypted," to really stop any predatory activity on your mobile device. Using 3G exclusively will eat up your data usage, but if you can't find trustworthy Wi-Fi in your location, it might be a good idea to turn your phone's Wi-Fi connection off. Also, downloading a security app like Lookout that can scan for malware on your phone can help you protect your phone from infiltration.

    While a lot of this might be worst-case-scenario speculation, it also opens up a serious discussion that needs to take place in the tech world about who is ultimately responsible for your privacy and security. Should Apple or Google police how information is stored on their operating systems? Should app developers adhere to a unified standard of security more rigorous than they do currently? Or is it up to the consumer to look out for his or her own safety, even if the vast majority of smartphone users won't ever take the time to learn about how their device works or how to protect themselves from a security breach? Lookout's diVittorio echoes the thrust of viaForensics's study, commenting that "App developers need to realize that private information requires caution, and if you're an app developer, a lot of the burden is on you to create an app that's safe."

    Although clearly not every app developer is tuned in to the mandate to protect users' security, Andrew Hoog, the CIO of viaForensics is hopeful: "In November of last year apps were storing banking information insecurely," he says, and now, "we're seeing a positive trend" in the way developers build their apps to guard against breaches. But app developers need to become better at building security a lot faster than their malware-developing counterparts, or face an ugly wake-up call of user dissatisfaction.

    Original Article: http://www.pcworld.com/article/237553/app_makers_may_be_exposing_your_sensitive_data_to_hackers.html#tk.rss_news
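The audit viaForensics describes above boils down to a simple developer self-check: type known credentials into your own app, pull a copy of its data directory from a test device, and see whether those values, or anything shaped like a card number, are sitting on disk in the clear. The following is an added example written for this thread, not code from the article, from PCWorld, or from viaForensics' appwatchdog. It assumes the tester already knows the secrets they entered (passed in as `known_secrets`) and points the audit at a local copy of the app's storage; the sample directory, file names and values are constructed for the demonstration, and card-number candidates are confirmed with the standard Luhn check.

```python
"""Audit a copy of an app's on-device storage for plaintext secrets.

Added example for this thread (not viaForensics' tooling). Assumes the
tester knows the credentials they typed into the app under test and has
copied its data directory to a local path.
"""
import re
import tempfile
from pathlib import Path

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(number: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Digit runs that look like card numbers and pass the Luhn check."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_ok(m.group(0))]


def audit_app_storage(root, known_secrets: dict) -> list[tuple[str, str]]:
    """Walk an app data directory and report every file holding a secret in the clear.

    known_secrets maps a label (e.g. "password") to the exact value the tester
    entered. Returns (file name, finding) pairs. Short secrets such as a 3-digit
    CVN will match by coincidence in some files, so review those hits by hand.
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        # errors="replace" lets the scan cover binary caches and databases too.
        text = path.read_text(encoding="utf-8", errors="replace")
        for label, secret in known_secrets.items():
            if secret and secret in text:
                findings.append((path.name, f"plaintext {label}"))
        for pan in find_pans(text):
            findings.append((path.name, f"card number ending {pan[-4:]}"))
    return findings


def build_sample_storage() -> Path:
    """Constructed app data directory: two leaky files and one that stores only a session token."""
    root = Path(tempfile.mkdtemp(prefix="appaudit_"))
    # Insecure: login password kept in a preferences file.
    (root / "prefs.xml").write_text(
        '<map><string name="user">alice</string>'
        '<string name="pass">hunter2-example</string></map>'
    )
    # Insecure: full card number plus CVN cached after a purchase.
    (root / "card_cache.json").write_text(
        '{"pan": "4111 1111 1111 1111", "exp": "12/27", "cvn": "123"}'
    )
    # Acceptable: an opaque, revocable session token instead of the password.
    (root / "session.json").write_text('{"token": "opaque-session-token-not-a-password"}')
    return root


if __name__ == "__main__":
    sample = build_sample_storage()
    for name, finding in audit_app_storage(sample, {"password": "hunter2-example", "cvn": "123"}):
        print(f"{name}: {finding}")
```

The point of the third sample file is the fix the article's sources argue for: an app that keeps only a short-lived session token has nothing worth harvesting from its storage, and the audit reports nothing for it.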

  2. #2 ice2921
    The more apps you have, the more issues you have. I remember when this first started, everyone was downloading every app they could, blindly. Companies noticed this, and began to take advantage of all of these people's information, and they still do. They use it to target people for ads, and store information about people. In the long run it comes down to what a company will do for money. Apple is notorious for this kind of behavior.
