Government Technology

iTunes App Store, Android Market a ‘Gold Mine’ of Personal Info

August 10, 2011

If you’re in love with a favorite mobile application, a recent study may cause you to think twice about how intimate that relationship is.

A survey of 100 apps found that many store a high percentage of personal data unencrypted, making mobile devices a more attractive target for identity thieves and hackers. Across all the apps tested, 76 percent of account user names could be recovered, along with 31 percent of application data, such as location check-ins, and 10 percent of passwords.

Overall, 39 percent of the apps were given a fail rating by the survey, called “appWatchdog” and conducted over an eight-month period by viaForensics, a digital forensics and security firm. The rating indicates that a variety of sensitive information, including passwords and personal identification numbers (PINs) used through apps, is regularly stored on smartphones and recoverable from them.

Andrew Hoog, co-founder and chief investigative officer of viaForensics, said that while he understands that getting access to a user name is only going to get hackers part of the way in their efforts, a lot of websites are only protected by a username and password, so getting one-half of that information is a big first step not to be taken lightly.

“We recognize it is not the most significant piece of information, but a user name is an [identifier] you need to access your account,” Hoog maintained, saying that app developers could easily create an app that doesn’t store unencrypted personal data.

“We think the developers should take that precaution, because it’s one less thing they [malicious hackers] know about you,” he added.

Study Methodology

The study looked at apps for use on Android and iPhone devices in four categories: financial, productivity, social networking and retail.

viaForensics would install an app from the iTunes App Store or Android Market, populate it by using it with data they would later search for (user names, passwords and other app data), and then analyze the device, searching the entire file system to see whether that information could be found.

A rating system of pass/warn/fail was used to judge each app. If an app passed, the personal data was either not present on the device or encrypted. A warn rating means personal data was discovered but didn’t put the owner at risk, while a fail means sensitive data such as account numbers and passwords was recovered from the smartphone.
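The methodology above (seed an app with known values, pull the device’s files, search them, grade pass/warn/fail) is essentially a plaintext-storage check. The following is an added example of that check written for this page, not viaForensics’ appWatchdog code. The seed values, the severity mapping (passwords and account numbers are fail-grade, a user name or check-in alone is warn-grade), the package names and file paths, and the four “device pulls” are all constructed for illustration. The check also treats base64 and UTF-16LE copies of a seed as recoverable, since neither is encryption.

```python
"""Plaintext-storage check modelled on the pass/warn/fail procedure above.

Added example, not viaForensics' appWatchdog code. It assumes the tester has
already seeded the app with known values and pulled the app's files off the
device; here those files are constructed inline as byte strings.
"""
import base64
from typing import Dict, List

# Constructed seed values and how recovering each one is graded. The
# severity mapping is an assumption: passwords and account numbers are
# "fail"-grade, a user name or check-in alone is "warn"-grade.
SEEDS = {
    "username": ("appwatchdog.tester@example.com", "warn"),
    "password": ("S3cret-P4ss!", "fail"),
    "account_number": ("4111000011110000", "fail"),
    "checkin": ("Main Street Cafe", "warn"),
}


def recoverable_forms(value: str) -> List[bytes]:
    """Byte patterns that count as 'recoverable': UTF-8, UTF-16LE (seen in
    binary plists and some databases) and base64, which is an encoding, not
    encryption, so a base64'd password is still a plaintext password."""
    raw = value.encode("utf-8")
    return [raw, value.encode("utf-16-le"), base64.b64encode(raw)]


def find_seeds(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan every pulled file for every seed; return {seed: [paths found]}."""
    hits: Dict[str, List[str]] = {name: [] for name in SEEDS}
    for path, blob in files.items():
        for name, (value, _severity) in SEEDS.items():
            if any(form in blob for form in recoverable_forms(value)):
                hits[name].append(path)
    return hits


def grade(hits: Dict[str, List[str]]) -> str:
    """pass: nothing recovered (absent or encrypted); warn: only warn-grade
    items recovered; fail: any fail-grade item recovered."""
    result = "pass"
    for name, paths in hits.items():
        if not paths:
            continue
        if SEEDS[name][1] == "fail":
            return "fail"
        result = "warn"
    return result


# --- constructed device pulls (hypothetical package name and paths) --------
PREFS = "/data/data/com.example.social/shared_prefs/login.xml"
DB = "/data/data/com.example.social/databases/app.db"

# Credentials written straight into a preferences file.
INSECURE_APP = {
    PREFS: b'<map><string name="user">appwatchdog.tester@example.com</string>'
           b'<string name="pw">S3cret-P4ss!</string></map>',
    DB: b"SQLite format 3\x00" + b"\x00" * 8 + b"checkin|Main Street Cafe|",
}

# Password "hidden" with base64, check-in stored as UTF-16LE: both recoverable.
OBFUSCATED_APP = {
    PREFS: b'<map><string name="pw">' + base64.b64encode(b"S3cret-P4ss!") + b"</string></map>",
    DB: b"<string>" + "Main Street Cafe".encode("utf-16-le") + b"</string>",
}

# Only the user name is kept on the device: recoverable, but warn-grade.
USERNAME_ONLY_APP = {
    PREFS: b'<map><string name="user">appwatchdog.tester@example.com</string></map>',
}

# Nothing sensitive at rest: an opaque session token plus a ciphertext blob
# (constructed random-looking bytes standing in for properly encrypted data).
HARDENED_APP = {
    PREFS: b'<map><string name="session">tok_3f9c1e7b</string></map>',
    DB: bytes.fromhex("9a3c7e01f45b2d88c0e6a17d3b5f9e24"),
}


def rate_all() -> Dict[str, str]:
    """Grade each constructed pull; used by the demo below."""
    return {
        "insecure": grade(find_seeds(INSECURE_APP)),
        "obfuscated": grade(find_seeds(OBFUSCATED_APP)),
        "username_only": grade(find_seeds(USERNAME_ONLY_APP)),
        "hardened": grade(find_seeds(HARDENED_APP)),
    }


if __name__ == "__main__":
    for app, verdict in rate_all().items():
        print(f"{app:14s} {verdict}")
```

The hardened case is the one Hoog argues for later in the article: the device holds only an opaque session token (and anything else only as ciphertext), so the scan finds nothing and the app passes, while the base64 variant still fails because the seeded password is recovered byte-for-byte once decoded.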

Some of the public’s most heavily downloaded and used apps fall into the social networking category. Of the 19 apps in the four categories tested by viaForensics, none passed the company’s user name test. All 19 apps stored a user’s login name in plain text on the device.

In addition, none of the 19 apps passed the “app data” test, with 14 apps receiving a fail grade, indicating that items such as instant message logs and passwords were stored in plain text.

Android apps for LinkedIn and Foursquare and Kik for iPhone and Android all stored a user’s password in plain text. Skype received a fail rating for both Android and iPhone, while Facebook earned a warn grade after testing.

Hoog said that the social networking category was an interesting one, because by default, most people intend to share information with certain people. But he believed users are getting wiser and have discovered that it probably isn’t a good idea to let everything about them be easily accessible, especially if you work for a governmental entity.

“There are a lot of successful attacks against our government agencies and one of the primary ways is getting people to click on malicious links,” Hoog explained. “So once [a cyber-criminal] knows you’re on Facebook, or sees you use Yelp, or you ‘check-in’ at a restaurant, they can use that information for a targeted attack. The success of those attacks is incredibly high.”

In the productivity category of the study, e-mail apps such as Yahoo Mail, K-9 Mail and blogging app WordPress all received failing marks. Fifteen total apps in this category received failing marks (11 of them focused on e-mail), with content being stored on the user’s smartphone.

Hoog said that if someone grabbed a government worker’s smartphone that used various e-mail clients, they could potentially recover that e-mail, find out who the worker is working with and what they are working on, and gain access to sensitive information.

“It is really inexcusable if you ask me, to store somebody’s user name and password in plain text. We see quite a few of these apps that do that on the productivity side,” Hoog said. “They also store e-mail attachments and the [e-mail message] bodies. I think that is a big concern in the government space.”

Steps to Take

Although it may not be the most reasonable precaution, Hoog said the simplest way to make sure sensitive data on your mobile device isn’t recoverable is to simply not store it there. He said that while he’s not suggesting developers have to do that, the realities of how someone uses a personal device should dictate what measures are taken.

“Do I need to see every e-mail that has ever been on my phone, or do I want to see new things as they come in?” Hoog asked rhetorically. “I don’t really need them to be stored on the phone; what I really need is access.”

Hoog mentioned that laptop computers allow more sophisticated security implementations and may be a more viable solution in certain cases. He also added that various mobile software solutions are emerging to add additional security, but he wasn’t fully confident in their effectiveness.

“When we’re asked directly by a government agency whether they can deploy a mobile device in a secure fashion, I think at this point, we’d say that is very, very difficult,” Hoog said.

Google At Odds With Study

Google wasn’t shy in defending itself against viaForensics’ study. A Google spokesman told Wired.com that the company disputes the claim that data is “insecurely stored on Android devices” and that “the data is not accessible by default unless the phone has been rooted to gain full privileges,” which Google claims Android “actively protects against.”

Hoog disagreed.

“The reality of it is that I can get into the device, there are remote exploits that give root privileges on both iOS and Android,” Hoog said. “One of the more recent batches of Android malware actually gets root on the device. It’s done over the network, I don’t need physical access. What happens is, you install this app, it basically installs another payload, gets root access on the device, and now I can suck the information out and send it over the Internet.

“The other one, if you look at the iOS platform — if you want to jailbreak your iPhone 4, you go to Jailbreakme.com, a remote exploit of an iOS device that escalates root privileges,” Hoog added. “Both of these platforms are susceptible to remote privileges being escalated without physical access to the device. So it actually is a problem.”


You may use or reference this story with attribution and a link to
http://www.govtech.com/security/iTunes-App-Store-Android-Market-a-Gold-Mine-of-Personal-Info.html



Comments

Koh    |    Commented August 10, 2011

Kcb_telecommunication@hotmail.com

Bob Patterson    |    Commented August 10, 2011

I think it’s a little lame to release a security test that tests apps from November 2010. I would rather know how secure they are now. For example they test Kik 1.2 when it is on version 5.2 now.

Read    |    Commented August 11, 2011

To be fair the 100 app tests ran from Nov. 2010 to June 2011. There are thousands of apps, to test them all would take a long time.

valascia    |    Commented August 11, 2011

I question the veracity of a study done by a firm that sells security software and services.

Rahul    |    Commented August 11, 2011

Which platform is more secure for developers to develop their app?

Timur    |    Commented September 2, 2011

I dont nou may iTunes

