The eight Android and iOS apps fail to adequately protect user data, which transmits sensitive information, such as device details, geolocation, and credentials, over the HTTP protocol instead of HTTPS.
It exposes the data to potential attacks like data theft, eavesdropping, and man-in-the-middle attacks.
Encryption is a fundamental security measure for protecting user data, but many app developers seem to be implementing it incorrectly.
Klara Weather and Military Dating apps pose significant security risks due to their unencrypted data transmission, where Klara Weather leaks user geolocation data over HTTP, exposing sensitive privacy information.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN -14-day free trial
Meanwhile, the Military Dating app sends unencrypted usernames and passwords, making them vulnerable to interception and compromise. This could potentially lead to unauthorized access to personal data, identity theft, or other malicious activities.
The Android apps Sina Finance and CP Plus Intelli Serve pose significant security risks by leaking sensitive device information, including device ID, SDK version, and IMEI, over unencrypted HTTP connections. This exposes users to potential tracking and profiling.
CP Plus Intelli Serve transmits usernames and passwords in plain text, making them vulnerable to interception and theft.
Both apps fail to implement basic security measures, such as HTTPS encryption, to protect user data, exposing users to privacy and security breaches.
Latvijas Pasts and HaloVPN, popular mobile apps with over 100,000 and 13,300 downloads, pose significant security risks due to their unencrypted transmission of sensitive user data.
Network traffic analysis and code inspection revealed that Latvijas Pasts leaks user geolocation over HTTP. At the same time, HaloVPN exposes device information, including device ID, language, model, name, time zone, and SIM details.
The mobile applications i-Boating: Marine Charts & GPS and Texas Storm Chasers are found to be transmitting sensitive user data over unencrypted HTTP connections.
Specifically, i-Boating sends device information like type and OS version. At the same time, Texas Storm Chasers transmits user geolocation, which exposes users to potential security risks, such as eavesdropping and data interception, as malicious actors can easily access their personal information.
The ongoing issue of unencrypted data transmission in mobile apps poses significant security risks to users.
Developers are urged to prioritize app security by using HTTPS for all network traffic, encrypting sensitive data, conducting regular security audits, and being vigilant about user data protection.
Symantec advises users to safeguard their mobile devices against threats by installing a reputable security app, avoiding app downloads from untrusted sources, maintaining up-to-date software, carefully reviewing app permissions, and regularly backing up crucial data.
Protect Your Business with Cynet Managed All-in-One Cybersecurity Platform – Try Free Trial