Thursday, June 9, 2011

Some Top Android Apps Put Data at Risk w/ Insecure Password Storage

via WSJ.com (Digits Blog) -

You’d think the spate of Internet security breaches this spring would have companies on their toes. But when it comes to wireless apps, some are still making rookie mistakes. Computer security firm viaForensics has found the applications for top Internet companies LinkedIn Corp., Netflix, Inc., Foursquare and Square, Inc. stored various forms of users’ personal data in plain text on a mobile device, putting sensitive information at risk to computer criminals.

The Android applications of LinkedIn, Netflix and Foursquare stored user names and passwords in unencrypted form on their Google-powered devices. Storing that data in plain text violates a commonly accepted best practice in computer security. Since many people tend to use the same usernames and passwords across any number of sites, the failing could help hackers penetrate other accounts.

ViaForensics also found the iPhone version of Square’s mobile payments app exposed a user’s transaction amount history and the most recent digital signature of a person who signed an electronic receipt on the app. A hacker would need skill and luck to exploit the vulnerabilities — either via physical access to a person’s phone or through malicious software that is installed on the device — scenarios that could open bigger security risks than those created by the password problem alone.

Still, the opening is a concern. “Data should not be stored on a phone,” said Andrew Hoog, chief investigative officer of viaForensics, which is based in Chicago. If data is stored on a phone, he said, it should be encrypted.


----------------------------------------------------------------------

Earlier this year, OWASP announced a new "Mobile Security Project" with a new Mobile Top 10 Risks list (currently in draft). This “Top 10” initiative is intended to help organizations determine how best to apply development and security resources to protect their mobile applications and data. Insecure storage of client-side data, the problem described above, is the first risk on that list.
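As an added example (not from the WSJ article, viaForensics or OWASP), here is a small Python audit a developer can run over a shared_prefs XML file copied from their own app's sandbox to flag credentials written in plaintext, the exact failing described above; the key-name patterns and the sample preferences file are constructed assumptions.

```python
"""Audit an Android shared_prefs XML file for credentials kept in plaintext.

Added example for this post, not viaForensics' or any vendor's tooling.
Assumes the file was copied from the sandbox of an app you own or are
authorised to assess, e.g. during a pre-release security review.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Key names that commonly hold secrets (heuristic list; an assumption).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|pwd|secret|token|credential", re.I)

# Constructed sample in the format SharedPreferences writes to disk.
_OPAQUE = base64.b64encode(bytes(range(0x80, 0x95))).decode()
SAMPLE_PREFS = f"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice@example.com</string>
    <string name="password">hunter2</string>
    <string name="session_token">{_OPAQUE}</string>
    <boolean name="remember_me" value="true" />
</map>
"""


def is_opaque_blob(value: str) -> bool:
    """True if value base64-decodes to bytes that are not printable text."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False  # not base64 at all, so it is readable as written
    try:
        return not raw.decode("utf-8").isprintable()
    except UnicodeDecodeError:
        return True  # binary payload: possibly ciphertext, needs review


def audit_prefs(xml_text: str) -> list:
    """Return one finding per preference whose name suggests a credential."""
    findings = []
    for elem in ET.fromstring(xml_text):
        name = elem.get("name", "")
        if not SENSITIVE_KEY.search(name):
            continue
        # <string> keeps its value as element text; other types use value="".
        value = (elem.text if elem.tag == "string" else elem.get("value")) or ""
        if is_opaque_blob(value):
            severity = "review"
            note = "opaque blob: confirm it is ciphertext and the key is not stored beside it"
        else:
            severity = "high"
            note = "plaintext: do not persist this, or encrypt it with a key kept outside the sandbox"
        findings.append({"key": name, "type": elem.tag, "severity": severity, "note": note})
    return findings
```

Running `audit_prefs(SAMPLE_PREFS)` flags `password` as a high finding and `session_token` for review, while `username` and `remember_me` are skipped.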

Mobile Code Security: Guide to Improving the Security of Your Mobile Application
http://www.veracode.com/security/mobile-code-security
