August 10, 2011
Mobile Apps Lack Adequate Password Security
A new report by digital forensics and security firm viaForensics finds that 76% of popular consumer applications running on Google Android and Apple iOS devices store usernames as plaintext, while 10% store passwords as plaintext.
The viaForensics researchers tested 100 popular consumer applications using these operating systems, including apps running on iPhone, iPad, and iPod Touch devices.
"Many systems require only username and password, so having the username means that 50% of the puzzle is solved," wrote the authors of the report.
"In addition, people often reuse their usernames so it will generally work on many online services."
Perhaps worse, some applications failed to encrypt even more sensitive information, including passwords.
"Sensitive data stored on mobile devices poses a risk to consumers, because devices are frequently lost or transferred, and because malware could potentially grab the data," the report reads.
"Some risks--such as stored passwords or credit card numbers--are clearly greater than others."
Among the applications tested, social networking apps fared the worst, with 74% rating a "fail", indicating that sensitive information, such as passwords or account numbers, was recovered.
"The recovery of the sensitive data places the user at a significant increased risk for identity or financial theft," the report read.
Other apps performed better, such as productivity apps (43% failed), mobile financial apps (25% failed), and retail apps (14% failed).
However, no retail applications actually passed the test, with most receiving a "warn" rating, indicating that the application's data was present, but not encrypted.
On both operating systems, Hushmail, LinkedIn, Skype, and WordPress were among the individual applications rated the lowest in terms of storing sensitive data securely.
On Android alone, applications that store sensitive data insecurely include Android Mail (for Exchange and Hotmail), Gmail, Netflix, and Yahoo Mail.
For devices running iOS, applications that store sensitive data insecurely include Chase (for banking) and iPhone Mail (Exchange and Gmail), according to the evaluation.
The report also found that many other applications store non-sensitive data in unencrypted format, such as mobile software from Amazon.com, Facebook, and Twitter. However, all of these applications depend at least in part on the underlying operating system to remain adequately secure.
ViaForensics said that, generally speaking, users of iOS devices appear to have better out-of-the-box protection, regardless of how application developers handle data.
"It would be a fair generalization to say that so far, Apple has made more efforts toward data protection in their iOS platform, compared to Android. However, users do still face risks due to malware that can compromise the device, or data recovery from lost/stolen devices," the firm said.
Google released its Android version 3.0, or Honeycomb, earlier this year, which will encrypt the user partition on Android devices. However, it is currently available only for tablet computing devices, not smartphones.
As a result, "if the person who acquires a lost/stolen phone, or a malware program, can gain root access on an Android device, they then have full access to the user partition and its data," viaForensics said in its report.
The firm said the security of an iOS device is, to some degree, a function of its owner.
"If the phone user does not activate data protection by setting a passcode, the files are not fully protected," the firm said.
"Furthermore, various tools exist to uncover the user's passcode with varying degrees of success depending on the strength of passcode used."