You, like many Internet users, probably use your Facebook, Google, Twitter, or Microsoft account to log in to a wide variety of apps and websites using what’s called a social login. Social logins enable you to use your existing login information from a social network or service to gain access to a third-party app instead of creating (and having to keep track of) a new account specifically for the new app or website. Social logins offer the benefit of speed and convenience. But if the services where you use them don’t protect your login information, they can make your information easy for hackers to steal.
AppBugs, the firm behind technology that scans Android apps for security vulnerabilities, recently posted on its blog that there are mobile apps that combine to account for more than 80 million downloads that don’t properly handle users’ information, and therefore expose users’ accounts and data. If you use your credentials for Facebook, Google, Twitter, Microsoft, or a number of other services to log in to any of the following apps, your information is being exposed:
- Astro File Manager with Cloud
- Windows Live Hotmail Push Mail
- Brother iPrint & Scan
- Software Data Cable
- FriendCaster Chat
- PrintHand Mobile Print
- Phone for Google Voice & GTalk
- FoxIt MobilePDF
- WonderShare PowerCam
- ES File Explorer File Manager
As noted on a separate AppBugs page on social plugin vulnerabilities, when apps fail to correctly verify the SSL certificates sent by web servers, “a man-in-the-middle attacker is able to use a fraudulent certificate to decrypt the traffic to obtain sensitive data such as username and password without being detected.”
The vulnerable apps that AppBugs lists all support social logins with accounts from Facebook, Google, and others, which means that your credentials for those major services can be compromised. User accounts affected by social logins in one or more of the vulnerable apps include: Baidu, Box, Douban, Dropbox, Evernote, Facebook, Google, Instagram, Microsoft, Renren, Sina, SugarSync, Tencent, and Twitter.
To avoid the vulnerability, AppBugs recommends that users create accounts directly with the mobile apps, and choose a unique username and password for each of these services. The firm also warns that there are likely other mobile apps that can leak your Facebook, Google, Twitter, or Microsoft account credentials. So it recommends downloading the AppBugs app, which detects the apps on your device that can be easily hacked.
As Dylan Tweney at VentureBeat notes, because the apps’ security problems stem from the way they handle SSL certificates, the flaws make it possible for an attacker to use a forged SSL certificate and have the hacker’s own server receive the user’s login credentials. Rui Wang of AppBugs told Tweney that there is no single cause of the vulnerabilities in the apps.
“The vulnerable apps may be using a social library which is vulnerable, or they may put some vulnerable code by themselves due to whatever reason,” Wang told VentureBeat. “Sometimes it could be that the developers changed the library by themselves and introduced the bug.” AppBugs says that it contacted the developers behind each of the insecure apps between one and four months ago, but so far has received almost no responses.
In addition to failing to respond to AppBugs, most developers have also failed to remedy the vulnerability. “Until now, only 1 developer (Foxit MobilePDF) fixed the issue,” Wang said. “So it is really concerning that those developers do not act to protect the important user accounts.” Security experts say that it’s not uncommon for apps to transmit usernames and passwords in plain text. Additionally, many app developers aren’t sophisticated about security techniques and, unfortunately, often introduce vulnerabilities into their own code by accident.
Jack Urban, a senior security researcher at Lookout, told VentureBeat that one problem stems from the way that pre-Honeycomb versions of Android implemented a component called WebView, which loads web pages within an app. “Prior to Android API 11 (Honeycomb),” Urban explained, “WebViews do not have a way to validate the authenticity of the secure connection using SSL client certificates, making a man in the middle attack possible without the user or the app knowing it.”
In later versions of Android, “developers can work around this issue by implementing their own client certificate validation techniques when using WebViews,” Urban said. But as Tweney notes, that requires developers to understand how client certificate validation works — a complex topic that not all developers with apps in the Play Store are able to sufficiently address.
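To make the certificate-handling flaw concrete, here is an added example (hypothetical Android code written for this article, not code from AppBugs or from any of the apps listed above) showing the two patterns that typically produce it, each beside its safe form: a WebViewClient that swallows SSL errors, and an all-trusting TrustManager.

```java
// Added, hypothetical example: the broken certificate-validation patterns the
// article describes next to their fixes. Not code from any app named above.
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class SocialLoginTls {

    // BROKEN: swallowing every SSL error lets a forged certificate through, so the
    // social login page (and the credentials typed into it) can be intercepted.
    static final class InsecureClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed();   // accepts any certificate: the bug AppBugs describes
        }
    }

    // FIXED: refuse to render the page when the certificate chain does not validate.
    // Not overriding onReceivedSslError at all gives the same safe default.
    static final class SecureClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.cancel();    // abort the load; never show a login form over a bad channel
        }
    }

    // BROKEN: a TrustManager that trusts everything, often pasted in to silence
    // certificate errors during development and then shipped by mistake.
    static TrustManager[] trustEverything() {
        return new TrustManager[] { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }};
    }

    // FIXED: delete the custom TrustManager. If an SSLContext is still needed,
    // initialising it with null TrustManagers keeps the platform's CA validation.
    static void installDefaultTrust() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);   // null => system trust store, proper chain checks
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

A code review that greps for `handler.proceed()` inside `onReceivedSslError` and for empty `checkServerTrusted` bodies catches most instances of this class of bug before release.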