Jun, 09 2011

Title says it all, folks. viaForensics, a software security firm, has found that three popular Android (and iOS) applications store the user's password with no encryption at all: Foursquare, LinkedIn and Netflix. They also found a flaw in Square that exposes the history of a user's accepted transactions and the receipts they've issued. These applications write files containing this sensitive data to the phone's storage in plain text, so anyone who can read the device's file system (a forensic image, a backup, a rooted phone) gets at the credentials without going through any authentication at all.

I can confirm that at least Foursquare used to store your login information in an unencrypted, easy-to-access plain-text file, so I don't imagine things are much different for LinkedIn and Netflix. (Note: Foursquare has since updated their Android application to resolve this.)
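Checking for this yourself is straightforward once you can read the app's private data. The following is an added example (not code from the original post, from viaForensics or from any of the vendors named) of the kind of audit that turns up the finding described above. It assumes you have already pulled an app's private data directory (/data/data/<package>/ on Android, which needs root, an adb backup or a forensic image) to a local folder; the sample directory tree, the hypothetical package name com.example.app and the password hunter2 are constructed inline so the script runs offline. It goes slightly beyond the post by also flagging base64-encoded copies of the password, since base64 is an encoding, not encryption, and is a common way "obfuscated" credentials end up on disk.

```python
"""Audit a pulled Android app data directory for plaintext copies of a known
credential. Added example; not the post's, viaForensics' or any vendor's code.
Assumes the app's /data/data/<package>/ tree is already available locally."""
import base64
import os
import sqlite3
import tempfile
import xml.etree.ElementTree as ET


def encoded_forms(secret):
    """Forms a credential typically appears in on disk. base64 is an encoding,
    not encryption, so a base64 copy still counts as plaintext."""
    return {"plain": secret,
            "base64": base64.b64encode(secret.encode()).decode()}


def scan_shared_prefs(path, secrets):
    """SharedPreferences XML: <map><string name="key">value</string>...</map>."""
    hits = []
    for el in ET.parse(path).getroot():
        value = el.text or ""
        for secret in secrets:
            for form, needle in encoded_forms(secret).items():
                if needle in value:
                    hits.append((os.path.basename(path), el.get("name"), form))
    return hits


def scan_sqlite(path, secrets):
    """Walk every table and text column of a SQLite database."""
    hits = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for row in con.execute(f'SELECT * FROM "{table}"'):
                for col, value in zip(cols, row):
                    if not isinstance(value, str):
                        continue
                    for secret in secrets:
                        for form, needle in encoded_forms(secret).items():
                            if needle in value:
                                hits.append((os.path.basename(path),
                                             f"{table}.{col}", form))
    finally:
        con.close()
    return hits


def scan_raw(path, secrets):
    """Fallback byte search for anything else (caches, logs, serialized objects)."""
    hits = []
    with open(path, "rb") as f:
        data = f.read()
    for secret in secrets:
        for form, needle in encoded_forms(secret).items():
            if needle.encode() in data:
                hits.append((os.path.basename(path), "<raw>", form))
    return hits


def scan_app_data(root, secrets):
    """Return sorted (file, location, form) triples for every plaintext copy."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if dirpath.endswith("shared_prefs") and name.endswith(".xml"):
                hits += scan_shared_prefs(path, secrets)
            elif name.endswith((".db", ".sqlite")):
                hits += scan_sqlite(path, secrets)
            else:
                hits += scan_raw(path, secrets)
    return sorted(set(hits))


def build_sample_app_data(root):
    """Constructed sample tree for a hypothetical app, modelled on the failure
    the post describes: the password written straight to disk."""
    prefs, dbs, cache = (os.path.join(root, d) for d in ("shared_prefs", "databases", "cache"))
    for d in (prefs, dbs, cache):
        os.makedirs(d, exist_ok=True)
    with open(os.path.join(prefs, "com.example.app_preferences.xml"), "w") as f:
        f.write("<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n"
                '  <string name="username">alice@example.com</string>\n'
                '  <string name="password">hunter2</string>\n'
                '  <string name="auth_blob">aHVudGVyMg==</string>\n'  # base64("hunter2")
                "</map>\n")
    con = sqlite3.connect(os.path.join(dbs, "accounts.db"))
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT, pw TEXT)")
    con.execute("INSERT INTO accounts VALUES (1, 'alice@example.com', 'hunter2')")
    con.commit()
    con.close()
    with open(os.path.join(cache, "session.bin"), "wb") as f:
        f.write(b"\x00\x01opaque-session-cache\x02")  # no credential here


def demo():
    """Build the sample tree and audit it for the constructed password."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_app_data(root)
        return scan_app_data(root, ["hunter2"])


if __name__ == "__main__":
    for file, where, form in demo():
        print(f"{file}: {where} ({form})")
```

Run against a real pull, replace the sample tree with the pulled directory and pass your own password. A clean result is not proof of safety (the app may use an encoding the script doesn't try), but any hit is a confirmed plaintext credential on disk, which is exactly what was reported here.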

At first glance, freely available login information for some of these services doesn't seem harmful, but the vast majority of users are exposed to theft of more serious accounts if this data is compromised, because passwords get reused. For instance, one might use the same user name and password for Netflix as for their email account. While I hate to assume that more than 50% of Netflix users do this, it's probably true. The same definitely goes for LinkedIn.

LinkedIn and Square are obviously a different matter as far as the sensitivity of the information inside the service itself goes: the former is a communication tool between colleagues and a "job search" tool, while the latter, well, I'm sure you know the severity of an insecure system for processing credit card transactions.

Fortunately, these companies are already aware of the vulnerabilities and are working to fix them. As I mentioned above, Foursquare issued an update two days ago to address the matter, but I was able to see the vulnerability because I had yet to update the application. After updating, there were no signs of my password available. Be sure to update your app as soon as possible.

Application security is important, developers. Especially if you enjoy a large pool of users who give you sensitive data in order to use your goods. I’d expect a lot more from these particular software vendors, but we’re just glad to see that they’re not twiddling their thumbs while all of this information is just freely floating about. [Wall Street Journal]
