Countless consumers today rely upon the convenience and entertainment of mobile apps. There has been an unspoken assurance that personal data is safe, but as Chicago-based computer security firm viaForensics suggests, maybe we should have received that promise in writing. According to a new study by the company, top app makers such as LinkedIn, Netflix, Foursquare and Square store sensitive user data unencrypted in plain text files on mobile devices. Such files can easily be accessed by unscrupulous hackers, conceivably facilitating identity theft.
LinkedIn, Netflix, Foursquare and Square security holes detected
On Android-powered devices, LinkedIn, Netflix and Foursquare store usernames and passwords in unencrypted format, reports the Wall Street Journal. Emails sent by the apps in question are also visible, including those relating to the user’s Netflix movie queue. The iPhone version of Square’s mobile payments app was also found to expose transaction amount history and the most recent digital signature of a person who signed a receipt in-app.
This violates the commonly accepted best practices of the computer security industry. As many people use the same username and password across a wide range of sites – from banking and social networking to shopping and more – the danger malicious hackers and identity thieves could pose is obvious. A thief with physical access to a user’s phone or malicious software installed on the device could exploit the security hole.
“Data should not be stored on a phone,” said Andrew Hoog, chief investigative officer of viaForensics. At the very least, Hoog believes sensitive data should be encrypted.
Security not top priority
App makers are looking to get their products ready and out the door so they can derive profit from the highly competitive mobile app market as soon as possible. Hoog suggests that data security, while considered, is not priority one.
Many app makers consider the storage of some sensitive data to be necessary. According to Square, username and the last four digits of a customer’s credit card number must be stored locally on the phone so that businesses can track transactions. The digital display is specifically allowed by the PCI Security Standards Council, a group that sets technical standards for data security where large-scale payment providers like credit card companies are involved. When the WSJ questioned Square regarding the necessity of storing digital signatures, the app maker would not comment.
Foursquare, Netflix and LinkedIn all admit to being aware of the security issue. As of June 7, Foursquare pushed an app update to Android users. Netflix hasn’t specified a date, but told the WSJ that updating the app is a priority. LinkedIn is currently working with Google’s Android team to determine the best course of action, according to company spokeswoman Julie Inouye.
Wall Street Journal: http://blogs.wsj.com/digits/2011/06/08/some-top-apps-put-data-at-risk/