Privacy vulnerabilities in dozens of Android applications – Kaspersky Lab official blog


Dozens of Popular Android Apps Leak Sensitive User Data

A group of researchers from the University of New Haven's Cyber Forensics Research and Education Group (cFREG) has uncovered vulnerabilities in several popular Android apps, including Instagram, Vine, OKCupid and more. The bugs could expose the sensitive information of some 968 million users who have installed the affected applications on their Android mobile devices.

My colleague Chris Brook from Threatpost reported that most of the bugs, which the researchers disclosed in a series of YouTube videos, result from unencrypted content being stored on the servers behind the vulnerable applications.

"Anyone who has used or continues to use the tested applications is at risk of confidential breaches involving a multitude of data, including their passwords in some instances," says Abe Baggili, assistant professor of computer science at UNH's Tagliatela College of Engineering and head of the cFREG.

Per Threatpost, Instagram Direct's messaging functionality was leaking photos shared between users, as well as past photos that were stored in plain text on Instagram's servers. The researchers were also able to sniff out certain keywords over HTTP, allowing them to view certain information shared between users of the popular online dating service OKCupid. A video chat application called ooVoo contained essentially the same vulnerabilities as the Instagram Direct app. Instagram's lack of full encryption is an issue we've covered here at Kaspersky Daily in the past.

Three other free calling and messaging apps, Tango, Nimbuzz and Kik, had bugs that let the researchers steal photos, location data and videos. Nimbuzz was also caught storing user passwords in plain text.

MeetMe, MessageMe and TextMe all send information as plain, unencrypted text, which could give an attacker on the same local network the ability to monitor the communications of users running those applications. Sent and received pictures and shared locations can also be monitored in plain text on those apps. The researchers were also able to view a TextMe database file that stored their login credentials in plain text.

Grindr, HeyWire, Hike and TextPlus suffered from essentially the same bugs. Attackers using readily available tools, like Wireshark, could easily capture messages, photos and shared locations. In addition, pictures sent via Grindr, HeyWire and TextPlus remained on the services' servers in plain text and available with authentication for weeks.
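The network-side problem described above is that sensitive fields travel over plain HTTP, where anyone on the same network segment can read them. The following script is an added example, not code from the article or from the cFREG researchers: it scans a constructed log of requests (the format, one `METHOD URL [BODY]` per line, is an assumption standing in for whatever a tester's own capture tool produces) and reports which cleartext requests carry credential or location parameters. HTTPS requests are skipped, since a passive observer sees only metadata for those.

```python
"""Flag credential and location fields sent over cleartext HTTP.

Added example for auditing traffic from a test device you control;
the capture format and parameter-name lists are assumptions.
"""
from urllib.parse import parse_qs, urlsplit

# Parameter names that should never travel unencrypted (constructed list;
# extend it for the apps under test).
CREDENTIAL_KEYS = {"password", "passwd", "pass", "pwd", "token", "session", "auth"}
LOCATION_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}

# Constructed sample capture: one request per line as "METHOD URL [BODY]".
SAMPLE_CAPTURE = """\
POST http://chat.example.test/login username=alice&password=hunter2
GET http://chat.example.test/nearby?lat=41.29&lon=-72.96&user=alice
GET https://api.example.test/v1/messages?session=abc123
POST http://chat.example.test/send to=bob&text=hello
"""


def parse_capture(text):
    """Yield (method, url, scheme, params) per request line.

    params merges URL query parameters and form-encoded body fields,
    with keys lower-cased so matching is case-insensitive.
    """
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=2)
        method, url = parts[0], parts[1]
        body = parts[2] if len(parts) == 3 else ""
        parsed = urlsplit(url)
        params = parse_qs(parsed.query)
        params.update(parse_qs(body))
        yield method, url, parsed.scheme.lower(), {k.lower(): v for k, v in params.items()}


def find_cleartext_leaks(text):
    """Return [(method, url_without_query, [leaked_keys]), ...] for HTTP requests."""
    findings = []
    for method, url, scheme, params in parse_capture(text):
        if scheme != "http":
            continue  # TLS-protected: the field names and values are not visible on the wire
        leaked = sorted(k for k in params if k in CREDENTIAL_KEYS or k in LOCATION_KEYS)
        if leaked:
            findings.append((method, url.split("?", 1)[0], leaked))
    return findings


if __name__ == "__main__":
    for method, url, keys in find_cleartext_leaks(SAMPLE_CAPTURE):
        print(f"{method} {url}: cleartext {', '.join(keys)}")
```

Run against the sample, the login request is flagged for `password` and the nearby-users request for `lat` and `lon`; the HTTPS request carrying a session token is not reported. The same scan over a real capture from your own device tells you, per endpoint, which fields an app exposes to a local eavesdropper, which is exactly the class of finding the researchers made with Wireshark.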

"Using HeliumBackup, an Android backup extractor, we were able to gain access to the Android backup file for TextPlus," one researcher said. "When we opened it up, we noticed that there were screenshots of user activities that we did not take. We do not know the purpose of these screenshots or why they are being stored on the device."

In their final video, the researchers looked into which apps stored sensitive data in their app storage. Problematically, TextPlus, Nimbuzz and TextMe all stored login credentials in plain text. In addition, those three apps, along with MeetMe, SayHi, ooVoo, Kik, Hike, MyChat, WeChat, HeyWire, GroupMe, LINE, Whisper, Vine, Voxer and Words With Friends, all stored chat logs in plain text.
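The storage findings above come from opening an app's own files, as extracted from a backup, and reading them. The script below is an added example (not the researchers' tool or any app's code) of the same check done for your own apps: it takes a set of files as `path -> bytes`, parses Android `shared_prefs` XML for keys that look like credentials, and treats any other low-entropy file that decodes as a list of messages as a readable chat log. The sample files, the key-name list and the 7.5-bit entropy threshold are constructed assumptions; encrypted data scores close to 8 bits per byte, while XML, JSON or SQLite text sits well below that.

```python
"""Audit extracted app-storage files for plaintext credentials and chat logs.

Added example; file contents, key names and the entropy threshold are assumptions.
"""
import json
import math
import random
import xml.etree.ElementTree as ET
from collections import Counter

# Preference keys whose values should not be stored as plain text (constructed list).
SENSITIVE_PREF_KEYS = {"password", "passwd", "pin", "token", "auth_token", "session"}
# Shannon entropy (bits/byte) above which a file is treated as encrypted or compressed.
ENCRYPTED_ENTROPY = 7.5


def _constructed_ciphertext(n=4096):
    """Deterministic pseudo-random bytes standing in for properly encrypted data."""
    rng = random.Random(1234)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed stand-ins for files pulled from an app's private data directory.
SAMPLE_FILES = {
    "shared_prefs/account.xml": (
        b'<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n'
        b"<map>\n"
        b'    <string name="username">alice</string>\n'
        b'    <string name="password">hunter2</string>\n'
        b"</map>\n"
    ),
    "files/chat_history.json": json.dumps(
        [
            {"from": "alice", "to": "bob", "text": "see you at 8"},
            {"from": "bob", "to": "alice", "text": "ok, bring the keys"},
        ]
    ).encode(),
    "files/chat_history.enc": _constructed_ciphertext(),
}


def shannon_entropy(data):
    """Bits of entropy per byte; 0.0 for empty or single-valued input, 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sensitive_prefs(xml_bytes):
    """Names of non-empty SharedPreferences entries whose key looks like a credential."""
    root = ET.fromstring(xml_bytes)
    return sorted(
        el.get("name")
        for el in root
        if el.get("name", "").lower() in SENSITIVE_PREF_KEYS and (el.text or "").strip()
    )


def looks_like_chat_log(data):
    """True if the bytes decode to a non-empty JSON list of message objects with a 'text' field."""
    try:
        msgs = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    return bool(msgs) and isinstance(msgs, list) and all(
        isinstance(m, dict) and "text" in m for m in msgs
    )


def audit_storage(files):
    """Return [(path, finding), ...] sorted by path."""
    findings = []
    for path, data in sorted(files.items()):
        if path.startswith("shared_prefs/") and path.endswith(".xml"):
            keys = sensitive_prefs(data)
            if keys:
                findings.append((path, "plaintext credential keys: " + ", ".join(keys)))
            continue
        if shannon_entropy(data) >= ENCRYPTED_ENTROPY:
            continue  # high entropy: consistent with ciphertext, nothing readable to report
        if looks_like_chat_log(data):
            findings.append((path, "readable chat log"))
    return findings


if __name__ == "__main__":
    for path, finding in audit_storage(SAMPLE_FILES):
        print(f"{path}: {finding}")
```

On the sample set, the preferences file is reported for its `password` entry and the JSON history as a readable chat log, while the high-entropy `.enc` file passes. The entropy check is a heuristic, not proof of encryption: a compressed but unencrypted log also scores high, so a file that passes here still deserves a look at how the app actually protects it.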

"Although all of the data transmitted through these apps is supposed to go securely from just one person to another, we have found that private communications can be viewed by others because the data is not being encrypted and the original user has no clue," Baggili said.

The researchers attempted to notify the developers behind the apps in question but were initially met with formulaic support contact forms and were given no direct way to reach the developers. In an email interview, Abe Baggili said he was unaware whether the vendors had fixed any of the bugs that he and his team discovered.

Glaring #privacy holes caused by lack of #crypto in dozens of popular #Android apps

We reached out to Instagram for confirmation, but the company has not yet responded to our request for comment.

It is not clear whether the developers of these applications plan to fix the bugs described here.

That said, CNET reached out to Instagram, Kik and Grindr. Instagram says it is in the process of moving to full encryption in its Android app, which would resolve the problems. Kik said it is working to encrypt images shared between users but that it will not encrypt chat logs, because those logs are isolated and not accessible between apps on a given phone; it claims that this sort of data storage is the industry standard. Grindr merely said it monitors security reports like these and makes changes as it sees fit.
