Whether it's Android or iPhone, mobile app security holes exist. (Photo Credit: CC BY/Miki Yoshihito/Flickr)

Countless consumers today rely upon the convenience and entertainment of mobile apps. There has been an unspoken assurance that personal data is safe, but as Chicago-based computer security firm viaForensics suggests, maybe we should have received that promise in writing. According to a new study by the company, top app makers such as LinkedIn, Netflix, Foursquare and Square store sensitive user data unencrypted in plain text files on mobile devices. Such files can easily be accessed by unscrupulous hackers, conceivably facilitating identity theft.

LinkedIn, Netflix, Foursquare and Square security holes detected

On Android-powered devices, LinkedIn, Netflix and Foursquare store usernames and passwords in unencrypted format, reports the Wall Street Journal. Emails sent by the apps in question are also visible, including those relating to the user’s Netflix movie queue. The iPhone version of Square’s mobile payments app was also found to expose transaction amount history and the most recent digital signature of a person who signed a receipt in-app.

This violates the commonly accepted best practices of the computer security industry. As many people use the same username and password across a wide range of sites – from banking and social networking to shopping and more – the danger malicious hackers and identity thieves could pose is obvious. A thief with physical access to a user’s phone or malicious software installed on the device could exploit the security hole.

“Data should not be stored on a phone,” said Andrew Hoog, chief investigative officer of viaForensics. At the very least, Hoog believes sensitive data should be encrypted.

Security not top priority

App makers are looking to get their products ready and out the door so they can derive profit from the highly competitive mobile app market as soon as possible. Hoog suggests that data security, while considered, is not priority one.

Many app makers consider the storage of some sensitive data to be necessary. According to Square, username and the last four digits of a customer’s credit card number must be stored locally on the phone so that businesses can track transactions. The digital display is specifically allowed by the PCI Security Standards Council, a group that sets technical standards for data security where large-scale payment providers like credit card companies are involved. When the WSJ questioned Square regarding the necessity of storing digital signatures, the app maker would not comment.

Foursquare, Netflix and LinkedIn all admit to being aware of the security issue. As of June 7, Foursquare pushed an app update to Android users. Netflix hasn’t specified a date, but told the WSJ that updating the app is a priority. LinkedIn is currently working with Google’s Android team to determine the best course of action, according to company spokeswoman Julie Inouye.




Wall Street Journal:

Post By bryanh (1,420 Posts)

