Study: iPhone, Android apps store sensitive user info
A range of mobile apps examined by security firm ViaForensics found a significant number storing user names unencrypted and a smaller number storing passwords the same way.
Mobile apps are still not secure when it comes to storing certain personal information, according to a new study from security firm ViaForensics.
Dissecting a variety of apps for Apple's iOS and Google's Android, ViaForensics found that 76 percent of them store user names in cleartext without encryption, while 10 percent store passwords in the same way, making such data more vulnerable. Running a series of tests from November 2010 through June 2011, the security firm checked out apps from several categories, including financial, social networking, productivity, and retail.
Each individual app received a pass, fail, or warn based on its security, or lack thereof. A pass meant the app securely stores user names, passwords, and application data; a fail meant that passwords and other personal data were not secured, and a warn indicated that certain data wasn't secure but that such data didn't put the user at significant risk.
Overall, 39 of the apps received a failing grade, only 17 got a pass, and 44 escaped with a warning.
Financial apps did fairly well, with 14 out of 32 getting a pass and another 10 receiving a warning. ViaForensics found that more developers have been adding encryption to such apps. Despite concerns that encryption can hamper performance, all of the secured financial apps that were tested ran smoothly.
The few financial apps that failed the test included Mint for both the iPhone and Android, Square for the iPhone, and Wikinvest for the iPhone.
Social network apps didn't fare quite so well, with none of them getting a passing mark and 14 out of 19 failing. None of the apps encrypt user names, and many also neglect to secure passwords and application data. Among them, LinkedIn for Android, Foursquare for Android, and Kik for both the iPhone and Android failed ViaForensics' password test, indicating that user passwords were stored in cleartext.
Productivity apps also scored low, with only 3 out of 35 apps getting a pass. According to the study, many of the failing apps, including Gmail, iPhone mail, WordPress, and Yahoo Mail, stored e-mail content in cleartext.
Retail apps were a mixed bag. None of them passed the test, but only 2 out of 14 failed, with the rest receiving just a warning. The study highlighted Groupon for Android, which failed because its password could be recovered from the device, and an unofficial Starbucks app that stored the user's full credit card number.
Among operating systems, Apple scored a bit better in security than did Android, but iOS users still have cause for concern.
"It would be a fair generalization to say that so far, Apple has made more efforts toward data protection in their iOS platform, compared to Android," the report noted. "However, users do still face risks due to malware that can compromise the device, or data recovery from lost/stolen devices."
What are the actual risks to users as a result of these "insecure" apps?
ViaForensics sees the potential for identity theft or financial loss if a mobile device ends up in the wrong hands. As one example, if a cybercriminal can find even one password together with a host of user names, any user who reused that password across multiple apps could be in trouble. As such, the study points out the importance of keeping both user names and passwords secure. A recent study also showed that sometimes passwords aren't enough to fully secure personal data.
A study in June also found security issues with some of the same apps highlighted in the new study.
We've reached out to both Apple and Google to see if they have any responses to this latest study and will add their comments if they offer any.