Popular Android Apps Fail Basic Security Tests, Putting Privacy at Risk
IDG News Service (09/08/14) Jeremy Kirk
Many Android applications fail to take basic precautions to protect user data, putting the privacy of upwards of 1 billion people at risk, according to the University of New Haven's Cyber Forensics Research and Education Group (UNHcFREG). The researchers used traffic analysis tools to examine what data was exchanged when certain actions were performed, which revealed how and where apps were storing and transmitting data. Their study found that Facebook's Instagram application leaves images sitting on its server, unencrypted and accessible without authentication, as did OoVoo, MessageMe, Tango, Grindr, HeyWire, and TextPlus when photos were sent from one user to another. The services store content with plain "http" links, which were then forwarded to recipients, but there is no authentication to keep someone else from accessing this link. The researchers say the apps should either ensure images are quickly deleted from their servers or restrict access to authenticated users. The researchers also found that many apps do not encrypt chat logs on the device, which poses a risk if someone loses their device, and many either do not use SSL/TLS or use it insecurely. "What we really find is that app developers are pretty sloppy," says UNHcFREG director Ibrahim Baggili.
Many Android applications fail to take basic precautions to protect user data, putting the privacy of upwards of 1 billion people at risk, according to the University of New Haven's Cyber Forensics Research and Education Group (UNHcFREG). The researchers used traffic analysis tools to examine what data was exchanged when certain actions were performed, which revealed how and where apps were storing and transmitting data. Their study found that Facebook's Instagram application leaves images sitting on its server, unencrypted and accessible without authentication, as did OoVoo, MessageMe, Tango, Grindr, HeyWire, and TextPlus when photos were sent from one user to another. The services store content with plain "http" links, which were then forwarded to recipients, but there is no authentication to keep someone else from accessing this link. The researchers say the apps should either ensure images are quickly deleted from their servers or restrict access to authenticated users. The researchers also found that many apps do not encrypt chat logs on the device, which poses a risk if someone loses their device, and many either do not use SSL/TLS or use it insecurely. "What we really find is that app developers are pretty sloppy," says UNHcFREG director Ibrahim Baggili.
No comments:
Post a Comment