Beware of iOS Apps that Send Plaintext Passwords
Passwords are the last, and sometimes only, line of defense against online criminals. The average computer user knows not to leave critical passwords lying around for all to see.
Some iOS app developers, however, are apparently less careful when handling users’ vital information. Bitdefender Labs analyzed some highly-rated free iOS apps starting from the premise that they should handle credentials wisely, only to find out that some of them don’t.
With 65,427 customer ratings averaging three and a half stars at the time of writing, Wi-Fi Finder by JiWire Inc. was found to transmit passwords in plaintext. The app, which enables users to find free or paid Wi-Fi networks, does not appear to encrypt the passwords it sends, making it easy for anyone with minimal network-monitoring knowledge to read them.
An iOS app that offers “to keep track of your expenses and personal finances on the go” also sends plaintext passwords. Texthog has more than 1,526 customer ratings, suggesting that it is quite popular. Auto-syncing with your texthog.com account could be risky if you do it over a Wi-Fi network while somebody is monitoring your traffic.
An iOS app that’s “recommended by the New York Times, Consumer Reports, Road & Track, Edmunds, CNet and more” is an auto accident assistant that helps users compile a neatly organized PDF file with accident images that can be sent straight to the insurance company. iWrecked by Vurgood Applications was analyzed by Bitdefender Labs – it, too, broadcasts passwords in plaintext.
Passwords are not the only data at risk from poor protection: contact names and phone numbers are also transmitted either in clear text or as MD5 hashes. Hashing with MD5, although better than clear text, still raises concerns, as quite a few online MD5 lookup services can resolve an unsalted hash back to the original value and reveal the encoded password.
Glitter Draw Free by Indigo Penguin Limited is yet another example of how UDIDs get collected without users’ knowledge. The developer has 77 apps in Apple’s App Store, some of which also collect the user's unique device identifier. Tic Tac Glow, Squeak My Voice, Free Sound Effects, Walkie Talkie Standard and others covertly collect your UDID and upload it to a remote server.
With over 9,994 customer ratings, Melodis Voice Dialer by SoundHound is one of the apps that handles contact names with poor protection. Aloha: Hang with friends! by VodkaCran, Inc. is also a highly appreciated app, enabling users to receive notifications whenever a friend is nearby. Phone numbers and contact names are handled insecurely by both apps, which makes them hard to trust with that data.
A news-reading app that exhibits the same behavior as those previously mentioned comes highly appreciated by French users. OLJ by L’Orient-Le Jour faces the same security issues when handling phone numbers and contact names. Some of the app’s features include enabling users to stay updated with the latest news while offering full offline availability once everything has been stored locally.
Encrypting passwords, contact names and phone numbers in transit is only one of the steps iOS app developers need to take when handling such sensitive user data. The risks of having such data compromised cannot be disregarded; iOS privacy should not be taken lightly. Awareness of what apps access and transmit should be at its highest, considering that smartphones are used in both our professional and personal lives. As usual, there’s an app for that, powered by Bitdefender: check out the Clueful iOS Security app, available for free, and learn more about how apps treat your privacy.
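The following is an added example, not code from the article or from any of the apps it names: a small Python audit helper that classifies captured login or sync requests the way the article describes (cleartext transport, plaintext fields, unsalted MD5 that an online lookup table resolves) and, alongside it, the server-side storage form a developer should use instead (password sent only over TLS, stored as a salted, iterated PBKDF2 hash). The request captures, the field names and the five-entry "lookup table" are constructed sample data; the URLs use the reserved `example.invalid` domain.

```python
import hashlib
import hmac
import os
import re
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the online MD5 lookup services the article mentions:
# a handful of common values and their unsalted MD5 digests.
COMMON_VALUES = ["123456", "password", "sunshine", "letmein", "qwerty"]
MD5_LOOKUP = {hashlib.md5(v.encode()).hexdigest(): v for v in COMMON_VALUES}

# Field names an auditor treats as sensitive (assumed names; the article
# does not give the apps' actual parameter names).
SENSITIVE_FIELDS = ("password", "passwd", "phone", "contact")

_MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
PBKDF2_PREFIX = "pbkdf2_sha256$"


def classify_field(value):
    """Say how a captured field value protects its content."""
    if value.startswith(PBKDF2_PREFIX):
        return "salted-pbkdf2"
    if _MD5_HEX.match(value):
        # Same input always gives the same digest, so a table lookup suffices.
        return "unsalted-md5-known" if value.lower() in MD5_LOOKUP else "unsalted-md5"
    return "plaintext"


def audit_request(url, body):
    """Return findings for one captured request (URL plus URL-encoded form body)."""
    findings = []
    cleartext = urlparse(url).scheme != "https"
    if cleartext:
        findings.append("cleartext transport: whole request readable on the network")
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name.lower() not in SENSITIVE_FIELDS:
            continue
        for value in values:
            kind = classify_field(value)
            if kind == "plaintext" and cleartext:
                findings.append(f"{name}: sent in plaintext over cleartext transport")
            elif kind == "unsalted-md5-known":
                findings.append(f"{name}: unsalted MD5, resolves by lookup to '{MD5_LOOKUP[value.lower()]}'")
            elif kind == "unsalted-md5":
                findings.append(f"{name}: unsalted MD5, reversible with a larger lookup table")
    # A plaintext field over TLS is not flagged: that is the correct design when
    # the server stores only a salted hash (see store_password below).
    return findings


def store_password(password, salt=None, iterations=200_000):
    """Server-side storage form: salted, iterated PBKDF2-HMAC-SHA256.
    The random per-user salt means no precomputed table applies, and the
    iteration count makes guessing slow. Contact names and phone numbers are
    not secrets to verify, so for them the fix is TLS in transit, not hashing."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PBKDF2_PREFIX}{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the PBKDF2 digest from the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed captures illustrating the behaviours the article describes
# (sample data only; not traffic from any of the apps named).
SAMPLE_CAPTURES = [
    ("http://example.invalid/login", "user=alice&password=sunshine"),
    ("http://example.invalid/sync", "user=bob&password=" + hashlib.md5(b"letmein").hexdigest()),
    ("http://example.invalid/contacts", "contact=Alice%20Smith&phone=5551234"),
    ("https://example.invalid/login", "user=carol&password=sunshine"),
]

if __name__ == "__main__":
    for url, body in SAMPLE_CAPTURES:
        print(url, audit_request(url, body) or ["no findings"])
    record = store_password("sunshine")
    print(classify_field(record), verify_password("sunshine", record), verify_password("sunshin", record))
```

Running the block prints one findings list per constructed capture: the first three requests are flagged (cleartext transport plus a plaintext or lookup-resolvable field), while the HTTPS login with a plaintext password yields no finding, because with TLS in transit and a salted hash at rest there is nothing for an eavesdropper or a lookup table to work with.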
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.
This article is based on the technical information provided courtesy of Bitdefender Labs.