Wired - An uncomfortably large percentage of mobile applications are storing sensitive user account information unencrypted on owners’ smartphones, according to a new survey of 100 consumer smartphone apps.
Some 76 percent of the apps tested stored cleartext usernames on the devices, and 10 percent of the tested applications, including popular apps LinkedIn and Netflix, were found storing passwords on the phone in cleartext.
Conducted by digital security firm ViaForensics, the testing occurred over a period of over eight months and spanned multiple categories, ranging from social networking applications to mobile banking software. The firm tested apps only for iOS and Android, the market’s leading mobile platforms.
“If I get my hands on someone’s lost phone, it could take me ten minutes to find an account username and password,” said Ted Eull, techology services vice president at ViaForensics, in an interview.
ViaForensics sells mobile security tools and services to corporations, attorneys and government agencies.
User names ranked highest on the list of discoverable data. App data — the term ViaForensics uses for private information exchanged using the applications — came in second place, with such data recovered from 69 percent of tested apps.
Mint.com’s iPhone and Android apps — which are used for maintaining financial account information — were found to store user transaction history and balance information on the phone. The Android version of the Mint app stores the user’s PIN on the phone unencrypted, ViaForensics found.
“We’re already working on ways to make this experience better,” said Jason Yiin, lead mobile engineer at Mint.com, in an interview. “At the moment, if users are highly concerned, they can log in and out of the application each time they access it on their phones.” Yiin also points out that if an intruder accesses your PIN, they won’t be able to manipulate any account information or move assets between accounts. The intruder will, however, be able to see account balance and transaction history information.
In June, based on ViaForensics’ early findings, Netflix promised a security update at a yet to be specified date. But LinkedIn says it is satisfied with the security of its app. “We’re using the standard Android programming practices for storing and managing data,” LinkedIn spokeswoman Krista Canfield told Wired.com. More
