
LinkedIn, Foursquare and Netflix on Android Store Your Passwords in Unencrypted Text Files

Title says it all, folks. viaForensics, a software security firm, has found a complete lack of password encryption in three popular Android (and iOS) applications: Foursquare, LinkedIn and Netflix. They also found a vulnerability in Square that exposes the history of a user’s accepted transactions and the receipts they’ve issued. These applications store files holding this sensitive data on your phone, with nothing resembling a halfway-decent layer of protection around them.

I can confirm that at least Foursquare used to store your login information in an unencrypted, easy to access plain text file, so I don’t imagine things are much different for LinkedIn and Netflix. (Note: Foursquare has since updated their Android application to resolve this.)

On the surface, freely available login information for some of these services doesn’t seem harmful, but a vast majority of users are susceptible to information theft on more serious accounts if their data here is compromised. For instance, one might use the same user name and password for Netflix as for their email account. While I hate to assume that more than 50% of Netflix users do this, it’s probably true. The same definitely goes for LinkedIn.

LinkedIn and Square are obviously different as far as sensitive information within the service itself goes. The former is a sensitive communication tool between colleagues and a “job search” tool; as for the latter, well, I’m sure you know the severity of an insecure system for processing credit card transactions.

Fortunately, these companies are already aware of the vulnerabilities and are working to fix them. As I mentioned above, Foursquare issued an update two days ago to address the matter, but I was able to see the vulnerability because I had yet to update the application. After updating, there were no signs of my password available. Be sure to update your app as soon as possible.

Application security is important, developers. Especially if you enjoy a large pool of users who give you sensitive data in order to use your goods. I’d expect a lot more from these particular software vendors, but we’re just glad to see that they’re not twiddling their thumbs while all of this information is just freely floating about. [Wall Street Journal]

  • tjpeco

    Thankfully I don’t use any of these apps!  All the more reason for me to NOT download them by scanning the QR code.

    • http://twitter.com/Aleis Jayrock

      word! i was thinking…why put the codes there.
      they don't deserve codes until they fix this $h!t!

  • http://twitter.com/Drweird13 Brian McCann

    Those companies must have assigned their i*hone devs to design the Android apps…

  • http://twitter.com/#!/dboftlp dboftlp

    Just posted a link to this article and a blurb about app security to the LinkedIn for Android Group on LinkedIn.  Let’s see if it gets posted…

    • http://twitter.com/ikai Ikai Lan

      This doesn’t make any sense. The LinkedIn mobile server is an OAuth provider. Any chance the “stored passwords” are just stored OAuth access tokens? Those are safe to store in plaintext since they can easily be revoked or expired.

      Example endpoint:

      http://m.linkedin.com/oauth/request_token

  • droid.

    According to the WSJ
    “A hacker would need skill and luck to exploit the vulnerabilities – either via physical access to a person’s phone or through malicious software that is installed on the device – scenarios that could open bigger security risks than those created by the password problem alone”.  Still a risk though and it is against the current best practices.

    • http://twitter.com/ikai Ikai Lan

      Yes, but having direct access to a password is deadly. Many people use the same passwords for everything.

  • coggy9

    …wonder why they hired Sony to do security….

  • http://twitter.com/cnraghu Raghavendra Nagaraja

    I searched the app directories for LinkedIn. I don’t see a password file at all. 

    False report. Please do some research and provide valid proof for such claims. 

    Don’t just help in broadcasting wrong information.

    • csaunders

      Check your applications shared preferences xml file.

      • http://twitter.com/cnraghu Raghavendra Nagaraja

        Already did… it only has member ID and an encrypted authentication string.
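The check csaunders suggests above (look at the app's shared_prefs XML), written out as an added Python audit script that is not part of the article or of any of the apps named: it parses a copy of a shared_prefs file and reports entries whose key names look like a stored password versus a revocable token. The sample XML is constructed, and the key-name patterns are a heuristic of mine, not anything these apps actually use.

```python
import glob
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample of an Android shared_prefs XML file (not from any real app).
# The "password" entry is the weak pattern the article describes; "member_id"
# and the token entry are what a sensibly written app would store instead.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice@example.com</string>
    <string name="password">hunter2</string>
    <string name="member_id">12345678</string>
    <string name="oauth_token">CONSTRUCTED-TOKEN-VALUE</string>
</map>
"""

# Heuristic key names: a reusable secret (finding) versus a revocable token (acceptable).
PASSWORD_KEY = re.compile(r"pass(word|wd)?|pwd|secret", re.IGNORECASE)
TOKEN_KEY = re.compile(r"token|session|auth", re.IGNORECASE)


def scan_prefs(xml_text):
    """Return (key, kind) for every non-empty entry whose key looks credential-like.
    kind is 'password' or 'token'; only the former is a real finding, because a
    token can be revoked server-side while a password cannot."""
    findings = []
    for elem in ET.fromstring(xml_text.encode("utf-8")):
        key, value = elem.get("name", ""), (elem.text or "")
        if not value:
            continue
        if PASSWORD_KEY.search(key):
            findings.append((key, "password"))
        elif TOKEN_KEY.search(key):
            findings.append((key, "token"))
    return findings


def plaintext_password_keys(xml_text):
    """Just the keys that hold what looks like a reusable password."""
    return [k for k, kind in scan_prefs(xml_text) if kind == "password"]


def scan_prefs_dir(directory):
    """Scan every XML file in a copied shared_prefs directory; returns {file: keys}."""
    report = {}
    for path in glob.glob(os.path.join(directory, "*.xml")):
        with open(path, encoding="utf-8") as fh:
            keys = plaintext_password_keys(fh.read())
        if keys:
            report[os.path.basename(path)] = keys
    return report
```

Run `scan_prefs_dir` over a shared_prefs directory copied from a test build of your own app; an empty report means no password-style key holds a value, which is the state Raghavendra describes for LinkedIn above.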

  • PHX_AZ

    Netflix, really?  I thought they were all concerned about tight security and that is why it has taken so long to release app to all devices, no?

  • csaunders

    This isn’t surprising, though unless the android security model gets compromised (i.e. running a rooted device) there probably isn’t a huge chance of the information being leaked.

    Though, I can see why these developers haven’t implemented some form of crypto on the username:password.  Using a static key would be pointless because an attacker could easily extract it from the strings.xml or by decompiling the apk and getting it from there.

    Secondly, implementing any form of crypto is unnecessarily complicated in Java. Someone needs to build a PIN library that can easily plug into an application to give developers an easy way to protect sensitive information.

    • http://twitter.com/ikai Ikai Lan

      But that’s why you don’t *store* a password on a local device. You store a token (like an OAuth access token, hint hint) or some session identifier that can be remotely killed and is not worth much if compromised.

    • xmichaelx

      “unless the android security model gets compromised (i.e running a rooted device) there probably isn’t a huge chance of the information being leaked.”

      Or unless your phone is lost or stolen. This isn’t a problem because of hacking; it’s a problem because not everyone is in control of their phone at all times.
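The design Ikai Lan argues for above (keep a revocable token on the device, never the password), written out as an added Python sketch that is not code from the article, from LinkedIn or from any of the apps named. AuthServer, PhoneApp and their in-memory dicts are my own stand-ins for the real service and for the app's SharedPreferences; the point it shows is that a copied prefs file becomes worthless once the service revokes the token, which is exactly what cannot be done for a stored password.

```python
import hashlib
import hmac
import secrets


class AuthServer:
    """Toy server: checks the password once, issues opaque tokens, revokes them."""
    def __init__(self):
        self._users = {}   # username -> (salt, PBKDF2 hash); no plaintext kept here either
        self._tokens = {}  # live token -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def login(self, user, password):
        # Exchange the password for a random token; None if it does not verify.
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(rec[1], self._hash(password, rec[0])):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user
        return token

    def authorize(self, token):
        return self._tokens.get(token)  # None once the token has been revoked

    def revoke_all(self, user):
        # What the service does when the user reports a lost or stolen phone.
        for tok in [t for t, u in self._tokens.items() if u == user]:
            del self._tokens[tok]


class PhoneApp:
    """Toy client: only the token ever reaches local storage."""
    def __init__(self, server):
        self.server = server
        self.prefs = {}  # stand-in for the app's shared_prefs file

    def sign_in(self, user, password):
        token = self.server.login(user, password)
        if token is None:
            return False
        self.prefs["oauth_token"] = token  # the password itself is never written
        return True

    def whoami(self):
        return self.server.authorize(self.prefs.get("oauth_token"))
```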