Mobile Apps Fail to Encrypt Passwords

Mobile apps have become a big part of everyday life. We use them to check the weather, chat with friends, order pizza, listen to music, seek medical advice, and more. You get the point. We’ve all become reliant on mobile apps to help us get things done. We even use them to relax and unwind at the end of a busy day. Whether you use an app to meditate or like playing Clash of Clans, the options are growing by the day. Unfortunately, so are the risks, as developers don’t always follow best practices when implementing security in their applications. This leaves users’ login credentials, including passwords, vulnerable to attackers.

As you’ll see in a moment, the research team at AppBugs has found popular Android apps with major vulnerabilities that can leave your personal information, including passwords, at risk.

App Bugs

Incorrect HTTPS integration can expose sensitive information, including usernames and passwords, to man-in-the-middle (MITM) attacks. Here are a few of the Android apps AppBugs found with security issues, along with the dates on which they shared the vulnerability report with the app developers:

  • Safeway – February 27, 2015
  • Pizza Hut – February 27, 2015
  • Match.com – February 12, 2015
  • Last.fm – February 12, 2015
  • Michelin Navigation – February 12, 2015

There are other apps listed on the AppBugs site.  They include some that have since been updated to address security issues.  The apps that are no longer listed as vulnerable include WebMD, Equalizer, and PicsArt.  It does not appear the developers of the apps listed above have contacted AppBugs to have them retest to confirm the bug is fixed.  For that reason we assume each is still vulnerable.  AppBugs recommends that you stop using login and signup in the app until the problems are resolved.
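The kind of mistake that typically sits behind "incorrect HTTPS integration" in an Android app can be searched for in source code. The scanner below is an added example, not code from AppBugs or from this post; the post does not say which flaw each listed app had, so the four patterns and both Java samples are assumptions constructed for illustration.

```python
import re

# Well-known Android/Java patterns that switch off TLS certificate or hostname
# checks. Assumption: the post does not say which mistake each listed app made.
RULES = [
    ("empty-trust-manager",  # accepts any certificate chain
     re.compile(r"void\s+checkServerTrusted\s*\([^)]*\)\s*"
                r"(?:throws\s+[\w.,\s]+?)?\{\s*\}")),
    ("hostname-verifier-returns-true",  # accepts a certificate for any host
     re.compile(r"boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+"
                r"\s*\)\s*\{\s*return\s+true\s*;\s*\}")),
    ("allow-all-hostname-verifier",  # Apache HttpClient equivalent of the above
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|AllowAllHostnameVerifier")),
    ("webview-ignores-ssl-error",  # WebView keeps loading after a TLS error
     re.compile(r"onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\.proceed\s*\(\s*\)")),
]

def strip_comments(src):
    """Blank out Java comments, keeping newlines so line numbers stay correct."""
    blank = lambda m: re.sub(r"[^\n]", " ", m.group(0))
    # (?<!:) leaves the "//" of "https://" in string literals alone (heuristic).
    return re.sub(r"/\*.*?\*/|(?<!:)//[^\n]*", blank, src, flags=re.S)

def scan(src):
    """Return sorted (line, rule_id) pairs for every insecure pattern found."""
    clean = strip_comments(src)
    return sorted((clean.count("\n", 0, m.start()) + 1, rule_id)
                  for rule_id, pattern in RULES
                  for m in pattern.finditer(clean))

# Constructed sample: a login client that trusts every certificate and host.
VULNERABLE = """\
TrustManager[] tm = { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] c, String a) { }
    public void checkServerTrusted(X509Certificate[] c, String a) { /* trust all */ }
} };
conn.setHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String host, SSLSession s) { return true; }
});
"""

# Constructed sample: platform defaults left in place, so validation still runs.
HARDENED = """\
URL url = new URL("https://api.example.test/login");
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
// No custom TrustManager or HostnameVerifier is installed.
conn.setRequestMethod("POST");
"""
print(scan(VULNERABLE), scan(HARDENED))
```

A match is a lead for code review, not proof: a regex cannot tell whether the flagged class is actually wired into the login request.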

Apps that gather user information are nothing new, but poor implementation of HTTPS leaves us all vulnerable. Users will assume their information is being encrypted when in reality they are open to MITM attacks. As always, we recommend using a VPN whenever you are on an unsecured network. The lines get blurred when you think your information is being secured but the app isn’t properly protecting your data. I suggest using AppBugs to see which of your apps may be putting you at risk. You can follow us @VPNFan for the latest privacy news and VPN reviews.