How Your Apps May Be Exposing Your Private Data
Are the mobile apps that we use to send photos and text messages to our friends as safe as we’d all like to think they are? The latest — but, when you think about it, pretty unsurprising — answer? Probably not. According to research published by the University of New Haven Cyber Forensics Research & Education Group (cFREG), popular Android and iOS apps used by 968 million smartphone users are susceptible to a wide variety of serious security issues, privacy breaches, and other vulnerabilities, many caused by a lack of basic encryption and authentication to protect information when it’s transmitted or stored.
The cFREG says that it will disclose the security issues it found in more than a dozen apps in a series of videos over a period of five days, beginning with one posted on Sunday. (The rest will be available on the group’s blog and YouTube channel.) Throughout the week, the group will reveal security problems and identify the apps that they affect. The security issues “include passwords available in plain text and private information stored on company servers.” Ibrahim “Abe” Baggili, assistant professor of computer science and head of the cFREG, notes:
“Anyone who has used or continues to use the tested applications is at risk of confidential breaches involving a variety of data, including their passwords in some instances. Although all of the data transmitted through these apps is supposed to go securely from just one person to another, we have found that private communications can be viewed by others because the data is not being encrypted and the original user has no clue.”
User locations, passwords, chat logs, images, videos, audio, and sketches can all potentially be viewed by someone exploiting the vulnerabilities found in more than a dozen apps, including social media, chatting, and dating apps. The cFREG team has tried to notify the companies behind each of the apps, but many only provide a web contact form for support without a direct way to reach the developers or the security team.
Baggili explains that, “We had no choice but to use the support contact forms available on their websites, and most companies did not even respond. This exacerbates the problem — and it shows that mobile developers are still not taking security seriously.” The first video says that the vulnerabilities are being shared publicly to inform both the user and the developer of the security issues. Last spring, the cFREG publicized vulnerabilities in WhatsApp and Viber, drawing attention worldwide, and both companies fixed their apps’ security issues.
For the test, researchers at the University of New Haven created a test network using Windows 7's Virtual Miniport Adapter and connected an HTC One (M8) Android phone to it. The test also used an iPad 2, connected outside of the network, to exchange data with the phone, and tools including Wireshark, NetworkMiner, and NetWitness Investigator to monitor all traffic sent and received by the Android phone.
The tests described in the first video found vulnerabilities in Instagram, OkCupid, and ooVoo. Instagram, for example, stores the photos uploaded by its user base of more than 200 million unencrypted on its servers, without authentication. It also transmits images without encryption. The video notes that developers need to deal with both data security and data privacy — meaning the secure transmission of data and the secure storage of data, respectively. The current versions of many apps make it easy for strangers to tap into the photos and messages that users share via their mobile apps, and that information can be accessed without the user even knowing that his or her privacy has been breached.
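The kind of check the researchers ran on the monitored phone's traffic can be reproduced in a few lines. The following is an added example, not code from the cFREG team or from any of the apps named: it takes the first client-to-server bytes of each captured TCP flow (as a tool like Wireshark would show them), tells TLS apart from cleartext HTTP, and reports which cleartext requests carry credential fields or media files. Field values are never reported, only the field names; the sample flows are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Form field names that usually carry credentials; only the name is reported, never the value.
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "pass", "token", "session"}
MEDIA_EXT = re.compile(r"\.(jpe?g|png|gif|mp4|m4a|amr|wav)(\?|$)", re.IGNORECASE)


def classify_flow(flow):
    """Classify one captured flow: {'dst_port': int, 'payload': bytes}.

    'payload' is the first client->server data of the connection."""
    port, payload = flow["dst_port"], flow["payload"]
    # A TLS record starts with content type 0x16 (Handshake) and major version 0x03.
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return {"port": port, "kind": "encrypted", "detail": "TLS handshake"}
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return {"port": port, "kind": "unknown-binary", "detail": ""}
    head, _, body = text.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return {"port": port, "kind": "unknown-text", "detail": parts[0][:40]}
    method, path, _ = parts
    # Cleartext HTTP: look for credential fields in a form-encoded body.
    leaked = sorted(f for f in parse_qs(body) if f.lower() in SENSITIVE_FIELDS)
    if leaked:
        return {"port": port, "kind": "cleartext-credential", "detail": ",".join(leaked)}
    if MEDIA_EXT.search(path):
        return {"port": port, "kind": "cleartext-media", "detail": f"{method} {path}"}
    return {"port": port, "kind": "cleartext-http", "detail": f"{method} {path}"}


def audit(flows):
    """Return one finding per captured flow, in capture order."""
    return [classify_flow(f) for f in flows]


# Constructed sample flows (hypothetical hosts; not captured from any real app).
SAMPLE_FLOWS = [
    {"dst_port": 80, "payload": b"POST /login HTTP/1.1\r\nHost: chat.example\r\n"
                                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                                b"user=alice&password=hunter2"},
    {"dst_port": 80, "payload": b"GET /uploads/IMG_0042.jpg HTTP/1.1\r\nHost: cdn.example\r\n\r\n"},
    {"dst_port": 443, "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"},
    {"dst_port": 80, "payload": b"GET /api/v1/status HTTP/1.1\r\nHost: chat.example\r\n\r\n"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

A "cleartext-credential" or "cleartext-media" finding for your own device's traffic is exactly the condition the video describes: the app is sending passwords or images that anyone on the path can read.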
VentureBeat learned that cFREG found vulnerabilities in nearly two dozen apps, including Instagram, OkCupid, Words with Friends, Vine, and Line, plus others like ooVoo, Tango, Kik, Nimbuzz, MeetMe, MessageMe, TextMe, Grindr, HeyWire, Hike, textPlus, MyChat, WeChat, GroupMe, Whisper, and Voxer. Baggili told VentureBeat that many apps fail to encrypt data like photos, text messages, and audio. Even passwords are often stored as plain text, messages are transmitted without encryption, and files are stored without protection on company servers.
Baggili said that the developers behind many of these apps “don’t take security seriously.” He also noted that while there is no evidence that any of the vulnerabilities were deliberate, that also can’t be ruled out. The report shifts the focus of conversations on mobile security from the cloud — where it’s been aimed since the ill-timed iCloud hack — to the design of individual apps, and the attention that developers devote to building methods to securely store and transmit information and implementing even the most basic of security measures to ensure that users’ private data stays private. The series of videos released by the cFREG this week is expected to illustrate that the problem of mobile app security is much bigger than most people would like to think.
With nearly a billion users among them, the affected apps could expose millions of users’ information. Hopefully, identifying the unsecured apps and making research on the vulnerabilities public will jump-start the process of developers making their apps more secure, and make consumers more aware of the risks of sharing their personal information via apps that don’t seem obviously unsafe. If developers truly aren’t taking the security and privacy of users’ data seriously, it will be in their best interest to fix the flawed designs of their apps before the vulnerabilities are exploited.
On the University of New Haven’s website, Baggili advocates that consumers who use apps with security issues check for updates daily, and also learn to run security tests on their own. “There really is no way of knowing what these applications are doing unless you test it yourself,” he says.