Mobile Apps Fail to Secure User Names, Passwords, User Data: Survey
Many mobile applications are storing sensitive user account information unencrypted on the mobile device, according to a recent survey of popular smartphone apps.
The survey included 100 apps spanning multiple categories, including financial management, social networking, productivity and retail, ViaForensics said Aug. 9. The digital security firm tested apps for both Android and iOS devices over an eight-month period with the ViaForensics appWatchdog audit tool.
The data stored and transmitted can include security credentials, personal financial information, private communications and sensitive company data, researchers wrote. The appWatchdog tool examines what kind of data is being stored on the device. The company has tested other apps before, notably finding flaws in the PayPal app last fall.
"Smartphone apps handle usernames, passwords and private app data, all of which should be stored securely or not at all. In the event of a lost device or malware infection, data stored insecurely can be compromised," ViaForensics wrote in the report.
User names were the most common piece of data that weren't being protected on the device, according to the survey. About 76 percent of the apps tested stored user names in cleartext on the devices, and 10 percent were doing the same with passwords, ViaForensics found, calling the situation "alarming."
"Many systems require only user name and password, so having the username means that 50 percent of the puzzle is solved," researchers wrote.
Apps from LinkedIn and Netflix were amongst the ones that did not secure user names. Netflix told ViaForensics in June it will update the app, but the version has yet to be released. In contrast, LinkedIn told Wired.com it was following Android's standard programming practices and was satisfied with the app's security.
App data, or information specifically collected by the application, was second most exposed. Researchers were able to recover app data from 69 percent of the tested apps. Mint.com's iPhone and Android apps that maintain financial account information stored user transaction history and balance information directly on the phone, and could be recovered easily. The Android version even stored the user's PIN unencrypted, ViaForensics found.
ViaForensics found that Apple's iOS-based apps scored consistently better than the Android counterparts, mirroring the recent analysis from Symantec that iOS has better encryption handling than Android.
The breakdown by app category type revealed that financial apps were "leading the way" in terms of using encryption and other security measures. In contrast, social networking apps, some of the most popular apps, were also the "least secure" group tested.
Of the 32 financial apps tested, eight, or 25 percent of the apps failed the tests run by the appWatchdog tool. ViaForensics was able to recover payment history, partial credit card numbers, security PIN, login credentials and other transaction-related data. An additional 10, or 31 percent, of the apps had some user data on the device, but it did not pose a significant risk.
None of the 19 social network apps passed the username test as they all stored the login names in plaintext. None of them passed the app data test, either, as some data, such as instant messaging logs, direct messages and passwords, was stored without any encryption on the device.
ViaForensics tested productivity apps and found them lacking in security as well. Of the 35 apps, only three passed all the tests. Even more worrying, researchers were able to recover the security question and answer required to access delivered emails from an app that was described as a "secure email service," researchers wrote.
None of the retail apps passed the tests, researchers found to their surprise. "Consumers certainly expect that retailers providing mobile apps handle such data [such as credit card information] with the highest security," researchers wrote.
Most apps were insecurely storing search history and customer information such as name and address on the device. The Groupon app for Android failed because researchers were able to recover the password.
If a lost smartphone fell into the wrong hands, "there is a serious potential threat for identity or financial theft," ViaForensics researchers concluded. A cyber-criminal who recovered all the usernames and found one password would be a "serious threat for someone who uses the same password on many accounts."