Top Android Apps Put Data At Risk

According to a recent report in the Wall Street Journal, the computer security firm viaForensics has found that mobile apps from several top Internet companies are not keeping user data safe: the Android apps from LinkedIn, Netflix, and Foursquare stored usernames and passwords on the device as unencrypted plain text.


Computer security firm viaForensics has found that the applications of top Internet companies LinkedIn Corp., Netflix Inc., Foursquare and Square Inc. stored various forms of users’ personal data in plain text on the mobile device, putting sensitive information at risk from computer criminals. The Android applications of LinkedIn, Netflix and Foursquare stored usernames and passwords in unencrypted form on users’ Google-powered devices. Storing that data in plain text violates a commonly accepted best practice in computer security, and since many people reuse the same username and password across any number of sites, the failing could help hackers break into other accounts as well.

ViaForensics also found that the iPhone version of Square’s mobile payments app exposed a user’s history of transaction amounts and the most recent digital signature of a person who had signed an electronic receipt in the app.

A hacker would need skill and luck to exploit the vulnerabilities, either via physical access to a person’s phone or through malicious software installed on the device; both scenarios open bigger security risks than the password problem alone. Android keeps each app’s private files readable only by that app’s own user ID, so reading another app’s stored credentials normally requires a rooted device, a forensic image of the phone’s storage, or a flaw in the app itself. The point of the finding is that once an attacker has that level of access, a plain-text credential costs nothing further to recover.


“Data should not be stored on a phone,” said Andrew Hoog, chief investigative officer of viaForensics, which is based in Chicago. If data is stored on a phone, he said, it should be encrypted. Although companies are becoming more aware of security risks on mobile devices, Mr. Hoog said the continuing vulnerabilities suggest security is still getting short shrift as developers race to push out apps in a fiercely competitive market. “Security is not a priority of app developers,” Mr. Hoog said.

The apps exposed other types of personal data in plain text on the phone as well: emails sent from the app by a LinkedIn member, the movie queue of a Netflix user, and the search history under Foursquare’s Places tab. Square spokeswoman Katie Baynes said that the company does store some identifying information on the phone, including the user’s name and the last four digits of a customer’s credit card number, because businesses need them to track transactions. Square added that displaying these digits is explicitly allowed by the standards of the PCI Security Standards Council, a forum that sets technical requirements for payment data security and was founded by large payment providers such as American Express and Visa Inc. Square declined to comment on the digital signature.


Foursquare said it is aware of the vulnerability and was pushing an update to all Android users on Tuesday, June 7, to secure usernames and passwords. It also said that the search query history is deleted when the user uninstalls the application or clears its data from the application settings page in the phone’s settings. A Netflix spokesman said the company was aware of the vulnerability and is making a change to the app that will also secure usernames and passwords. Netflix wouldn’t specify a date for the change but said it is a priority. LinkedIn spokeswoman Julie Inouye said that the company is aware of the issue and is looking into it with Google’s Android team. “We’re using the standard Android programming practices for storing and managing data,” Ms. Inouye said.

A Google spokesman said the company encourages developers to follow a number of security guidelines when developing Android apps. A company blog post says that developers are ultimately responsible for how they handle users’ information and recommends that they not log user-specific information. The spokesman also said Google encourages developers to follow current best practice in the security field, which is not to store passwords in plain text on a device.
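The kind of check viaForensics’ finding implies, as an added example (this is not code from the article, from viaForensics, or from any of the apps named): a small POSIX shell script that scans SharedPreferences XML files for password-like keys stored in the clear. It assumes the files from /data/data/<package>/shared_prefs/ have already been pulled off the device into a local directory, which on a stock phone needs root or a debuggable app, and it works on three constructed sample files for hypothetical com.example.* packages rather than on any real app’s data.

```shell
#!/bin/sh
# Added example (not from the article, viaForensics or any of the apps named):
# scan SharedPreferences XML files pulled from an Android device for
# credential-looking keys whose values sit in the file in the clear.
# Assumes the files under /data/data/<package>/shared_prefs/ have already been
# copied into a local directory (root or a debuggable app is needed for that).

# scan_prefs DIR
# For every <string name="KEY">VALUE</string> in DIR/*.xml whose key looks like
# a password (pass, pwd, passwd, secret, credential) and whose value is
# non-empty, print "file:key (N chars)". The value itself is deliberately not
# printed, so the report can be shared without re-exposing the secret.
scan_prefs() {
    dir=$1
    tab=$(printf '\t')
    for f in "$dir"/*.xml; do
        [ -f "$f" ] || continue
        # grep -o isolates each <string> element; sed turns it into "key<TAB>value".
        grep -o '<string name="[^"]*">[^<]*</string>' "$f" \
        | sed "s|<string name=\"\([^\"]*\)\">\([^<]*\)</string>|\1${tab}\2|" \
        | while IFS="$tab" read -r key value; do
            lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
            case "$lkey" in
                *pass*|*pwd*|*secret*|*credential*)
                    if [ -n "$value" ]; then
                        printf '%s:%s (%d chars)\n' "$(basename "$f")" "$key" "${#value}"
                    fi
                    ;;
            esac
        done
    done
}

# make_sample_prefs
# Creates a temporary directory holding three constructed SharedPreferences
# files (hypothetical com.example.* packages, not real apps) and prints its path.
make_sample_prefs() {
    d=$(mktemp -d)
    # A login screen that saved exactly what the user typed: the pattern the
    # article describes.
    cat > "$d/com.example.social_preferences.xml" <<'EOF'
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice@example.com</string>
    <string name="password">hunter2</string>
    <boolean name="remember_me" value="true" />
</map>
EOF
    # Same flaw under a less obvious key name, next to harmless app state.
    cat > "$d/com.example.video_preferences.xml" <<'EOF'
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="account_pwd">s3cret</string>
    <string name="movie_queue">1042,77,913</string>
</map>
EOF
    # After the fix: the password is never written to disk; the app keeps only a
    # server-issued session token that can be revoked if the device is lost.
    cat > "$d/com.example.hardened_preferences.xml" <<'EOF'
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice@example.com</string>
    <string name="session_token">c2Vzc2lvbi1pZC0xMjM0NQ==</string>
</map>
EOF
    printf '%s\n' "$d"
}

# Demonstration: build the samples, scan them, clean up.
sample_dir=$(make_sample_prefs)
scan_prefs "$sample_dir"
rm -rf "$sample_dir"
```

The key-name match is only a heuristic: it is meant to surface the obvious cases quickly, and an analyst should still read the remaining keys (session tokens, cookies, OAuth secrets) by hand, since the hardened sample above is better than a stored password but its token is still readable by anyone with the same access. Encoded values also show up as plain text to this scanner, which is the right behaviour: base64 is not encryption. The sample hardened file shows the fix the article’s sources describe, never persisting the password at all; where something must persist, it belongs in encrypted storage keyed from the Android Keystore rather than in a readable XML file.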


