Computer security firm viaForensics recently found that top apps for Android and iPhone devices may leave customer data exposed to hackers.
A probe into the security of certain popular apps, such as Foursquare, Netflix, and LinkedIn, revealed that the software often stores sensitive user data in unencrypted, readable files on mobile devices.
"The Android applications of LinkedIn, Netflix and Foursquare stored user names and passwords in unencrypted form on their Google-powered devices," noted the Wall Street Journal. "Storing that data in plain text violates a commonly accepted best practice in computer security."
On June 6, viaForensics issued less-than-thrilling security grades for the Netflix app for Android, which flat-out failed to store users' passwords securely. The app also received middling marks for protecting usernames. On the other hand, the iPhone version of this app passed both the username and password storage tests, though it received a "warning" for its storage of additional app data, which may include the user's e-mail, phone number or address.
"Because people often reuse their usernames or passwords across different accounts, an attacker can potentially access many of your sensitive online accounts simply by obtaining access to only one of them," viaForensics cautions on its appWatchdog FAQ page.
More troubling was the report for the mobile payment app Square, which processes a transaction after the user has swiped his credit card through a dongle that attaches to his phone. According to tests run by viaForensics, the iPhone version of this app safely stores passwords but fails to securely store app data. Disturbingly, the app received "warning" marks for its storage of credit card numbers and user names.
Square's Android app is apparently more secure, according to viaForensics, receiving passing marks for credit card and password storage. However, the app still received warnings for its username and app data storage.
ViaForensics Chief Investigating Officer Andrew Hoog told the Wall Street Journal that "data should not be stored on a phone," especially when that data is unencrypted.
In February, viaForensics tested top banking apps for security weaknesses and discovered that Bank of America, J.P. Morgan Chase and other banking apps were storing unencrypted customer data like usernames, passwords, and transaction data on users' handsets. What's more, Hoog told American Banker, the tests performed were only "about 10 percent of what we would do in a full-blown security audit." A full-scale test may have revealed a plethora of troubling security holes, said Hoog.
Though viaForensics helped the banks improve their apps' security, Hoog claims that app developers still don't emphasize security like they should.
"Security is not a priority of app developers," Hoog said, noting that speed seemed to take precedence over security precautions.