Certain iOS apps send passwords in plaintext: Bitdefender

Vendor reveals security flaws in several popular apps on the Apple App Store

Your online passwords are your identity, but how would you feel knowing that they may be transmitted over the network in plaintext?

This may be happening to you, according to Bitdefender, and it can be traced back to some of the apps you may be using on your smartphone.

The security vendor recently analysed some of the top free apps available on the Apple App Store to see how they handle credentials, only to find out that some of them are not doing it wisely.

Bitdefender chief security researcher, Catalin Cosoi, refers to Wi-Fi Finder By JiWire Inc. as an example.

The app, which has more than 65,000 customer ratings averaging three-and-a-half stars, enables users to find free or paid Wi-Fi networks, but it also transmits passwords in plaintext.

“It does not seem to encrypt any broadcasted passwords, making it easy for someone with minimum spoofing knowledge to peek at them,” Cosoi said. Another is Texthog, an app that enables users to keep track of their expenses and personal finances on their iPhone.

“Auto syncing with your texthog.com account could be risky if you’re doing it over a Wi-Fi network while somebody is monitoring your traffic,” Cosoi said.
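What "somebody monitoring your traffic" actually gets is easy to show. The script below is an added example, not Bitdefender's tooling or any of the apps' code: it takes captured TCP payloads from a phone's Wi-Fi session and reports every HTTP request that carries a password or similar secret in the clear, whether in a form body, a JSON body, a query string or a Basic Authorization header. The captured flows, hostnames and the list of sensitive field names are constructed assumptions for the example; a real run would feed it payloads pulled from a pcap taken on the same network as the phone. The TLS flow in the sample shows the contrast: an observer sees a handshake record and nothing to read.

```python
"""Scan captured app traffic for credentials sent without TLS.

Added example (not Bitdefender's or any vendor's code). CAPTURED_FLOWS and
SENSITIVE_KEYS are constructed assumptions; in practice the payloads would
come from a packet capture on the Wi-Fi network the phone is using.
"""
import base64
import json
import re
from urllib.parse import parse_qs

# Field names that usually carry a secret. Assumed list; extend for the app under test.
SENSITIVE_KEYS = {"password", "passwd", "pass", "pwd", "pin", "token", "secret"}

# (destination port, raw TCP payload) pairs, constructed for this example.
CAPTURED_FLOWS = [
    (80, b"POST /api/login HTTP/1.1\r\nHost: sync.example.test\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 37\r\n\r\nusername=alice&password=hunter2&rem=1"),
    (80, b"GET /hotspots?lat=1&lon=2 HTTP/1.1\r\nHost: finder.example.test\r\n"
         b"Authorization: Basic " + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
    (80, b"POST /v1/sync HTTP/1.1\r\nHost: sync.example.test\r\n"
         b"Content-Type: application/json\r\n\r\n"
         b'{"user":"carol","pin":"1234","items":[]}'),
    # A TLS ClientHello record: the observer sees a handshake, not fields.
    (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32),
]


def parse_http_request(payload: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body); None if not HTTP."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    match = re.match(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$", lines[0])
    if not match:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return match.group(1).decode(), match.group(2).decode(), headers, body


def extract_credentials(method: str, path: str, headers: dict, body: bytes):
    """Return (where, field, value) triples for credential-like data in one request."""
    found = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:  # Basic auth is base64, not encryption: user:pass is recoverable as-is
            found.append(("Authorization header", "basic", base64.b64decode(auth[6:]).decode("latin-1")))
        except ValueError:
            pass
    if "?" in path:  # secrets in a query string also end up in proxy and server logs
        for key, values in parse_qs(path.split("?", 1)[1]).items():
            if key.lower() in SENSITIVE_KEYS:
                found.append(("query string", key, values[0]))
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    fields = {}
    if ctype == "application/x-www-form-urlencoded":
        fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    elif ctype == "application/json":
        try:
            obj = json.loads(body.decode("utf-8"))
            if isinstance(obj, dict):
                fields = {k: v for k, v in obj.items() if isinstance(v, (str, int))}
        except ValueError:
            pass
    for key, value in fields.items():
        if key.lower() in SENSITIVE_KEYS:
            found.append(("body", key, str(value)))
    return found


def scan_flows(flows):
    """Return one finding per credential observed in cleartext HTTP across all flows."""
    findings = []
    for port, payload in flows:
        if payload.startswith(b"\x16\x03"):  # TLS record layer: opaque to the observer
            continue
        req = parse_http_request(payload)
        if req is None:
            continue
        method, path, headers, body = req
        for where, field, value in extract_credentials(method, path, headers, body):
            findings.append({"host": headers.get("host", "?"), "port": port,
                             "path": path.split("?")[0], "where": where,
                             "field": field, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_flows(CAPTURED_FLOWS):
        print(f"{f['host']}:{f['port']} {f['path']} -> {f['field']} in {f['where']}: {f['value']}")
```

The same scan run against a capture of an app that uses TLS for its sync endpoint reports nothing, which is the check a developer should run before shipping: if any finding appears, the app is handing its users' credentials to whoever shares the hotspot with them.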

Developer dues

iWrecked by Vurgood Applications, which helps users put together a PDF file of auto accident images to be sent directly to their insurance company, was also found by Bitdefender to transmit passwords in plaintext.

“This is an iOS app that’s recommended by the New York Times, Consumer Reports, Road & Track, Edmunds, CNet and more,” Cosoi said.

With cases like these, Cosoi feels that there are a number of steps that iOS app developers should take when handling sensitive user data, such as passwords, contact names and phone numbers.

“The risks of having such data compromised cannot be disregarded, so iOS privacy should not be taken lightly,” he said.

Bitdefender also found that Melodis Voice Dialer by SoundHound handles contact names with weak encryption, and that Aloha: Hang with friends! by VodkaCran and OLJ by L'Orient-Le Jour handle phone numbers and contact names insecurely as well. Makers of those apps could not be immediately reached for comment.
