October 23, 2014

Popular Android Apps Pose Security Risks for Users

As the Android platform continues to grow explosively, worries about security in the ecosystem continue to grow as well. Today there is a new security concern with three of the top apps on Android devices: LinkedIn, Foursquare and Netflix. Read on to find out how you might be exposed.

The Wall Street Journal is reporting this morning that the aforementioned applications store user name and password information unencrypted on the user's device. A quote from the article goes into more detail:

The Android applications of LinkedIn, Netflix and Foursquare stored user names and passwords in unencrypted form on their Google-powered devices.

Storing that data in plain text violates a commonly accepted best practice in computer security. Since many people tend to use the same usernames and passwords across any number of sites, the failing could help hackers penetrate other accounts.

The article goes on to say:

A hacker would need skill and luck to exploit the vulnerabilities — either via physical access to a person’s phone or through malicious software that is installed on the device — scenarios that could open bigger security risks than those created by the password problem alone.

What is interesting is that all three of these companies have the capability to store passwords and user info on their own secure servers, using a query to authenticate a person trying to log in. That these apps store the info on the device, especially without some sort of encryption, is simply a case of poor practice. Granted, a hacker would need to have physical access to your device, or install some sort of kit to have access to your device remotely, but the fact that the possibility exists is troubling.

Netflix and Foursquare both stated in the WSJ article that they are pushing updates to correct the issue. LinkedIn has said that it is in line with standards and is “looking into it with the Android team”. Until the issue is corrected, you may not want to use the same password for these apps that you use for, say, your internet banking. More info as it comes in.