Research Unveils Eight Android & iOS that leaks User’s Sensitive Data


The eight Android and iOS apps fail to adequately protect user data, which transmits sensitive information, such as device details, geolocation, and credentials, over the HTTP protocol instead of HTTPS. 

It leaves the data exposed to potential attacks like data theft, eavesdropping, and man-in-the-middle attacks. Encryption is a fundamental security measure for protecting user data, but it seems that many app developers are implementing it incorrectly.

EHA

Eight Android & iOS Apps

  1. Klara Weather (Android)
  2. Military Dating App – MD Date (iOS)
  3. Sina Finance (Android)
  4. CP Plus Intelli Serve (Android)
  5. Latvijas Pasts (Android)
  6. HaloVPN: Fast Secure VPN Proxy (iOS)
  7. i-Boating: Marine Charts & GPS (iOS)
  8. Texas Storm Chasers (iOS)

Klara Weather and Military Dating apps pose significant security risks due to their unencrypted data transmission, where Klara Weather leaks user geolocation data over HTTP, exposing sensitive privacy information. 

Meanwhile, the Military Dating app sends usernames and passwords unencrypted, making them vulnerable to interception and compromise, which could potentially lead to unauthorized access to personal data, identity theft, or other malicious activities.

Military dating network traffic
Military dating network traffic

The Android apps Sina Finance and CP Plus Intelli Serve pose significant security risks by leaking sensitive device information, including device ID, SDK version, and IMEI, over unencrypted HTTP connections, which exposes users to potential tracking and profiling. 

CP Plus Intelli Serve transmits usernames and passwords in plain text, making them vulnerable to interception and theft. Both apps fail to implement basic security measures, such as HTTPS encryption, to protect user data, leaving users exposed to privacy and security breaches.

CP Plus Intelli Serve code evidence of HTTP URL usage
CP Plus Intelli Serve code evidence of HTTP URL usage

Latvijas Pasts and HaloVPN, popular mobile apps with over 100,000 and 13,300 downloads, respectively, pose significant security risks due to their unencrypted transmission of sensitive user data.

Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot

Network traffic analysis and code inspection revealed that Latvijas Pasts leaks user geolocation over HTTP, while HaloVPN exposes device information, including device ID, language, model, name, time zone, and SIM details. 

HaloVPN network traffic
HaloVPN network traffic

The mobile applications i-Boating: Marine Charts & GPS and Texas Storm Chasers are found to be transmitting sensitive user data over unencrypted HTTP connections. 

Specifically, i-Boating sends device information like type and OS version, while Texas Storm Chasers transmits user geolocation, which exposes users to potential security risks, such as eavesdropping and data interception, as malicious actors can easily access their personal information. 

Texas Storm Chasers network traffic
Texas Storm Chasers network traffic

The ongoing issue of unencrypted data transmission in mobile apps is posing significant security risks to users. Developers are urged to prioritize app security by using HTTPS for all network traffic, encrypting sensitive data, conducting regular security audits, and being vigilant about user data protection.

Symantec advises users to safeguard their mobile devices against threats by installing a reputable security app, avoiding app downloads from untrusted sources, maintaining up-to-date software, carefully reviewing app permissions, and regularly backing up crucial data, which can significantly reduce the risk of mobile device compromise.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial



Source link