Sign In

Communications of the ACM

ACM TechNews

Popular Android Apps Fail Basic Security Tests, Putting Privacy at Risk


View as: Print Mobile App Share: Send by email Share on reddit Share on StumbleUpon Share on Hacker News Share on Tweeter Share on Facebook
Artist's representation of online security.

"What we really find is that app developers are pretty sloppy," says the director of the University of New Haven's Cyber Forensics Research and Education Group.

Credit: News Delights

Many Android applications fail to take basic precautions to protect user data, putting the privacy of upwards of 1 billion people at risk, according to the University of New Haven's Cyber Forensics Research and Education Group (UNHcFREG).

The researchers used traffic analysis tools to examine what data was exchanged when certain actions were performed, which revealed how and where apps were storing and transmitting data. Their study found that Facebook's Instagram application leaves images sitting on its server, unencrypted and accessible without authentication, as did OoVoo, MessageMe, Tango, Grindr, HeyWire, and TextPlus when photos were sent from one user to another.

The services store content with plain "http" links, which were then forwarded to recipients, but there is no authentication to keep someone else from accessing this link. The researchers say the apps should either ensure images are quickly deleted from their servers or restrict access to authenticated users.

The researchers also found that many apps do not encrypt chat logs on the device, which poses a risk if someone loses their device, and many either do not use SSL/TLS or use it insecurely. "What we really find is that app developers are pretty sloppy," says UNHcFREG director Ibrahim Baggili.

From IDG News Service
View Full Article

 

Abstracts Copyright © 2014 Information Inc., Bethesda, Maryland, USA


 

No entries found