Researchers find data leaks in Instagram, Grindr, OoVoo and more

By sniffing out the details of network communications, University of New Haven researchers have uncovered a host of data-leakage problems in Instagram, Vine, Nimbuzz, OoVoo, Voxer and several other Android apps.

The problems include storing images and videos in unencrypted form on Web sites, storing chat logs in plaintext on the device, sending passwords in plaintext, and in the case of TextPlus, storing screenshots of app usage that the user didn't take. Researchers are detailing the findings over five days in videos posted on the university's Cyber Forensics Research and Education Group's YouTube channel, starting Monday.

"Security is an afterthought," said Ibrahim Baggili, director of the university's Cyber Forensics Research and Education Group and editor in chief of the Journal of Digital Forensics, Security, and Law. People may assume that sending messages, pictures and location maps to friends using the same app is private, but it's not, he said.

Some of the problems are similar to privacy problems in the Viber text-messaging app that the group detailed earlier this year. There, the service stored image files unencrypted on a publicly available Web server. That's exactly what's happening now with Facebook's Instagram, OoVoo, Grindr, HeyWire and TextPlus, the researchers found. Here are the other problems identified:

• Tango and MessageMe left videos on a server, also unencrypted. TextMe and Nimbuzz stored passwords in plaintext on the device.
• Apps that sent text, images, location maps, music and video unencrypted over the network were Instagram, OKCupid, OoVoo, Tango, Kik, Nimbuzz, MeetMe, MessageMe, TextMe, Grindr, HeyWire, Hike and TextPlus. (Not all of them sent all forms unencrypted.)
• Several apps also stored chat logs unencrypted on the device. That includes Twitter's Vine, TextPlus, Nimbuzz, TextMe, MeetMe, SayHi, Kik, OoVoo, HeyWire, Hike, MyChat, WeChat, GroupMe, Whisper, Line, Voxer and Zynga's Words with Friends.

All in all, the researchers estimate 968 million people total use the apps.

With private messaging features, naturally, "your expectation for privacy is heightened. You're not tweeting it to everyone around you," he said, but the data often isn't actually protected. In the current climate of government snooping and identity theft, that could be a problem financially or personally.

The researchers found the unencrypted data by monitoring the devices' network traffic, seeing words they'd type into the apps appear in plaintext over the network, and by examining files captured with in device backup software. The organization hasn't analyzed apps running on iOS, Apple's mobile operating system.

CNET contacted the companies for comment and will update this story with their responses.

Instagram said it's moving to encrypted communications for its images by moving to HTTPS, the secure version of the standard used to transfer Web data over the Internet.

"We're doing the technical work that's necessary to add HTTPS protection across the remaining parts of the Instagram app, while still ensuring stability and performance," the company said in a statement. "We'll keep the Instagram community updated on our progress."

Kik said it has moved to encrypted transfer for sketches, but that encryption of chat logs isn't necessary. "Message data is stored in an unencrypted format because the operating systems (both iOS and Android) provide data isolation that prevents apps from having their storage read by other apps. This is considered standard in the industry, and is completely safe," the company said.

Grindr said only, "We monitor and review all reports of security issues regularly. As such, we continue to evaluate and make ongoing changes as necessary to protect our users."

Updated at 5:53 a.m. PT September 10 with Instagram and Kik comments.