Jun 09 AT 9:29 AM Anthony Domanico 17 Comments

Popular Android apps put your personal data at risk

The Wall Street Journal is reporting that some of the most widely used Android applications are putting users’ personal data at risk, based on research conducted by computer security firm viaForensics.

According to the viaForensics report, Foursquare, Netflix, LinkedIn and Square all store various forms of personal information in plain text on the mobile device, leaving that data exposed should an attacker gain access to the device’s storage.

LinkedIn, Netflix and Foursquare share the same fatal flaw: these applications store both your username and your password unencrypted on your Android device. WSJ points out that, since many individuals reuse the same logins across a multitude of web services, criminals who obtain this information could do damage well beyond these three services. Imagine if your Foursquare login or password is the same as the one for your online banking.
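The finding behind this story is that credentials sat readable in the app’s own data files. The script below is an added illustration, not part of the WSJ report, the viaForensics research or any of the apps named above: it parses a constructed shared_prefs-style XML file (the format Android uses for per-app preferences under the app’s private data directory, which the app’s own UID, a backup, or root can read) and flags keys that hold credential-like values in the clear. The key-name patterns and severities are assumptions chosen for the example; a real audit would tune them to the app under review.

```python
import re
import xml.etree.ElementTree as ET  # assumption: stdlib parser; use defusedxml for files you do not control

# Constructed sample shaped like an Android shared_prefs XML file (not from any real app)
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice@example.com</string>
    <string name="password">hunter2</string>
    <string name="auth_token">abc123</string>
    <string name="password_hash">5f4dcc3b5aa765d61d8327deb882cf99</string>
    <boolean name="remember_me" value="true" />
</map>
"""

# Key-name patterns ordered from worst to least bad. A reusable password is the
# high-severity case the article is about; a server-issued token is revocable,
# so it rates lower; an account name alone only identifies the user.
CREDENTIAL_PATTERNS = [
    ("high", re.compile(r"pass(word|wd|phrase)?|pwd|secret|pin\b", re.I)),
    ("medium", re.compile(r"token|session|cookie|api.?key", re.I)),
    ("low", re.compile(r"user(name)?|email|login", re.I)),
]
HEX_DIGEST = re.compile(r"^[0-9a-f]{32,}$", re.I)  # MD5/SHA-style hex, 32+ chars


def classify_key(name):
    """Return the severity for a preference key name, or None if it is not credential-like."""
    for severity, pattern in CREDENTIAL_PATTERNS:
        if pattern.search(name):
            return severity
    return None


def scan_shared_prefs(xml_text):
    """Parse one shared_prefs document and list credential-like entries stored in the clear.

    Each finding is a dict with the key, element type, severity and a short note.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError("not a SharedPreferences document (root element is not <map>)")
    findings = []
    for element in root:
        name = element.get("name", "")
        # <string> keeps its value as text; the primitive types keep it in a value attribute
        value = element.text if element.tag == "string" else element.get("value")
        severity = classify_key(name)
        if severity is None or not value:
            continue
        note = "stored in plain text"
        if severity == "high" and HEX_DIGEST.match(value):
            # A digest is not the password itself; still worth a human look.
            severity = "info"
            note = "looks like a hex digest; confirm it is a one-way hash, not an encoding"
        findings.append({"key": name, "type": element.tag, "severity": severity, "note": note})
    return findings


if __name__ == "__main__":
    for finding in scan_shared_prefs(SAMPLE_PREFS):
        print(f"[{finding['severity']:6}] {finding['key']}: {finding['note']}")
```

Run against a file pulled from a device you own and the same rule applies: any key the scanner rates high is a value the app should never have persisted, whatever file permissions the sandbox gives it.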

The good news is that all three companies are aware of the issue and are currently hard at work on locking down your valuable personal information. Foursquare pushed out an update yesterday, while Netflix and LinkedIn should have an update shortly.

Though the affected companies are working on a fix, the fact that these security omissions are happening on the larger, corporate-developed applications has me more than a bit worried. If this could happen to these applications, what’s to stop it from affecting the smaller applications where developers don’t necessarily have the know-how to plug these security holes–or money to hire somebody to plug them?

As always, we want to know what you guys think about this. Sound off in the comments below.

Source: The Wall Street Journal

Anthony loves all things technology, from hardware to apps and games. You can connect with him via Google+ or Twitter by clicking one of the fancy doo-dads above.


  • http://clarklab.net Clark Wimberly

    I first noticed something was afoot when I tried watching an episode of The Office and was immediately checked in to Dunder Mifflin and sent an alert from Toby asking for a recommendation

    • http://www.anthonydomanico.com Anthony Domanico

      Nice try, Clark. You know you did all those things.

  • http://emuneee.com Evan

    This is disappointing. It’s just lazy developers. I had an app for Windows Mobile that stored Google account information on the phone and I encrypted every bit of it. Why can’t these large companies take care of their customers’ data?

    • http://Website snowbdr89

      I agree. All of these Android junk developers should be fired or killed. They are responsible for Android’s downfall and I hate them. Nuff said. Now moving to my well hung boys at the ymca to meet some real lovely men….I’m off.

  • http://LAME Mark

    Geez.. it would take any competent developer a few hours of work to do some sort of simple encryption of credentials.

  • http://www.mobile-arena.com mobile phone blog

    Sooner or later… ope uncle will fix this problem

  • http://Website Mustin

    Can you elaborate on Square? I don’t use the other 3 but I use Square.

    • http://www.anthonydomanico.com Anthony Domanico

      The Square issue was more iOS related. No idea whether it affects the Android app or not.

      From WSJ: “ViaForensics also found the iPhone version of Square’s mobile payments app exposed a user’s transaction amount history and the most recent digital signature of a person who signed an electronic receipt on the app.”

  • http://blog.converter42.com David Wollmann

    This is what you get when management are a bunch of penny-pinching Peter Principle douche bags. These people will call you into a meeting to defend an hour spent installing and coding for a proper authentication library, and greet you first thing in the morning with news like “Oh, by the way, our DBAs are under a lot of pressure right now, they won’t be able to make those changes to the password database you asked for. Resubmit your request next month.” They’d rather save a few bucks by outsourcing to some shop on the other side of the planet and pretend everything’s working than face reality: software that doesn’t suck is expensive.

  • http://Website crnkoj

    Not only those apps; MotoBlur as a whole stores its password unencrypted on the phone as well. It’s a security nightmare…. after all the locked bootloaders and stuff, they have such a security hole gaping to be exploited…

  • http://kenkinder.com/ Ken

    If you’re reusing your Foursquare login for personal banking, you’re already asking for trouble. Remember the Gawker Media break-in a while ago?

    • http://www.anthonydomanico.com Anthony Domanico

      I was referring more to passwords. Many people use 1 or 2 passwords for everything, unfortunately.

  • http://Website Spartacus

    I’m not sure this is as big an issue as WSJ is making it out to be. Unless your phone is rooted, the only way to access those files is from the app. The sandbox security of Android sets up a different Linux user for each app, which prevents them from accessing other apps’ data (unless it is specifically shared via the Content Provider mechanism). Only the root user can read all files. So if your phone isn’t rooted (and mine is, of course), Linux and Android prevent the files from being accessed by third parties.

  • http://Website Daniel

    The sad thing is that this isn’t a new problem, it’s been (or rather, should have been) a concern since notebooks were created. Devs should know by now.

    Encryption isn’t generally a solution, since storing the encrypted data and the encryption key in the same physical medium is the same thing as doing nothing. The correct thing to do is to have the server hand an authentication key that the app can use for future requests in place of the password. Even if others read your phone’s data, this key can be individually revoked (blocking that single app install rather than the whole account), and it’s useless for any other purpose (while passwords are very useful to attack other services).

    An example of an app/service that does this right is Dropbox. It’s actually forbidden by their API terms to store the user’s password, even.
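Daniel’s design, as an added example that is not part of the original post or of any of the services mentioned: the server checks the password once, issues a random opaque token bound to that install, and from then on the app persists only the token. The server keeps a hash of each token rather than the token itself, so a leaked server table does not yield usable tokens, and one install can be revoked without touching the account or its other installs. The class names, the device identifiers and the PBKDF2 cost factor are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 200_000  # assumption: illustrative cost factor for the password hash


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    # device_id -> sha256(token); the raw token exists only on the device
    device_tokens: dict = field(default_factory=dict)


class AuthServer:
    """Hypothetical service side: passwords are verified once, tokens do the rest."""

    def __init__(self):
        self._users = {}
        # sha256(token) -> (username, device_id), for a constant-time-safe exact lookup
        self._token_index = {}

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    @staticmethod
    def _token_key(token):
        return hashlib.sha256(token.encode()).digest()

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = UserRecord(salt, self._hash_password(password, salt))

    def login(self, username, password, device_id):
        """Verify the password and return a fresh per-install token, or None on failure."""
        user = self._users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(self._hash_password(password, user.salt), user.password_hash):
            return None
        # A second login from the same install replaces its earlier token.
        old_key = user.device_tokens.pop(device_id, None)
        if old_key is not None:
            self._token_index.pop(old_key, None)
        token = secrets.token_urlsafe(32)
        key = self._token_key(token)
        user.device_tokens[device_id] = key
        self._token_index[key] = (username, device_id)
        return token

    def authenticate(self, token):
        """Map a presented token to a username, or None if unknown or revoked."""
        entry = self._token_index.get(self._token_key(token))
        return entry[0] if entry else None

    def revoke_device(self, username, device_id):
        """Invalidate one install's token; other installs and the password are untouched."""
        user = self._users.get(username)
        if user is None:
            return False
        key = user.device_tokens.pop(device_id, None)
        if key is None:
            return False
        del self._token_index[key]
        return True


class PhoneApp:
    """Hypothetical client: the password is used once and dropped; only the token is stored."""

    def __init__(self, server, device_id):
        self._server = server
        self.device_id = device_id
        self.stored_token = None  # the only credential the app ever persists

    def sign_in(self, username, password):
        self.stored_token = self._server.login(username, password, self.device_id)
        return self.stored_token is not None

    def fetch_profile(self):
        return self._server.authenticate(self.stored_token) if self.stored_token else None


def demo():
    """Walk through sign-in on two installs, revoke one, and report what still works."""
    server = AuthServer()
    server.register("alice", "correct horse battery staple")
    phone = PhoneApp(server, "phone-1")
    tablet = PhoneApp(server, "tablet-1")
    phone.sign_in("alice", "correct horse battery staple")
    tablet.sign_in("alice", "correct horse battery staple")
    server.revoke_device("alice", "phone-1")  # e.g. the phone was lost
    return {
        "phone_after_revoke": phone.fetch_profile(),      # None: that install is cut off
        "tablet_after_revoke": tablet.fetch_profile(),    # "alice": other install unaffected
        # the stolen token is not a password, so it cannot be replayed elsewhere
        "token_as_password": server.login("alice", tablet.stored_token, "laptop-1"),
    }


if __name__ == "__main__":
    print(demo())
```

The point Daniel makes about encrypting on the device still holds here: the token should be kept as securely as the platform allows, but even if it leaks, the blast radius is one install of one app rather than every account that shares the password.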

  • http://Website Lulu

    Even though I don’t use any of the apps mentioned in the article, I’m still very disappointed by these companies and their level of responsibility toward their customers.

  • http://punmobile.net punzz

    I am using Foursquare and my pass is the same as my email’s. thx for the info, change nooow
