Talk of popular mobile apps on Android or iOS and Instagram, Facebook and OkCupid are among those topping the list. While these apps are used by billions of people worldwide, security research findings show that many well-known apps in the Android ecosystem follow poor basic security and privacy practices.
The University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG) has detected vulnerabilities in Instagram, Grindr and OkCupid, among others, based on assessments that sought to check whether the apps follow basic precautions for securing users’ sensitive information and keeping those users private online.
The same team had conducted security analyses of mobile apps in the past, but only for a limited number of apps. This time the group broadened the scope of its research and set about identifying flaws and weaknesses in many top-billed apps on Google’s operating system. The vulnerabilities unearthed by the team could affect more than one billion users, which corresponds to the number of Instagram users.
UNHcFREG’s Director Ibrahim Baggili described the way the apps are developed as “sloppy”, referring to how data are handled when the apps exchange data for certain functions. To establish this, the team analyzed the apps’ traffic with the Wireshark and NetworkMiner tools to see how data are transmitted. In the case of Instagram, photos uploaded by users were found to be stored on Instagram’s servers with no encryption in place, which means they can be accessed by third parties without even authenticating themselves.
Other apps found to suffer from the same security lapses include TextPlus, MessageMe, OoVoo, HeyWire, Tango and Grindr. Considering that these apps are among the favorites on Android, having topped their respective categories by number of downloads, the security implications could be far-reaching.
Recipients receive their content over plain HTTP, meaning the transfer is not secured. Should the URL fall into the hands of others, they can easily open the link and view the content, which could put users’ privacy in danger.
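As an added example (not the research group’s own tooling), a small audit over constructed capture records that flags the two lapses described above: content moved over plain HTTP, and user media served without any authentication. The record fields and the `.invalid` hostnames are assumptions standing in for what a Wireshark or NetworkMiner capture would show.

```python
"""Audit captured app traffic for cleartext transfers and unauthenticated media.

Added example; the Exchange fields and sample hosts are assumptions,
not output of any real capture tool.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Exchange:
    method: str
    url: str
    status: int
    has_auth: bool      # request carried a session cookie or token
    content_type: str   # response Content-Type


# Constructed sample, loosely modelled on the behaviour the article describes:
# an upload and a later fetch of the photo, both over plain HTTP, the fetch
# succeeding with no credentials; plus two exchanges that are fine.
SAMPLE = [
    Exchange("POST", "http://media.example-app.invalid/upload", 200, True, "image/jpeg"),
    Exchange("GET", "http://media.example-app.invalid/photos/123.jpg", 200, False, "image/jpeg"),
    Exchange("GET", "https://api.example-app.invalid/me", 200, True, "application/json"),
    Exchange("GET", "https://cdn.example-app.invalid/photos/456.jpg", 401, False, "text/plain"),
]

MEDIA_TYPES = ("image/", "video/")


def audit(exchanges):
    """Return (finding, url) pairs for each exchange that shows a lapse."""
    findings = []
    for ex in exchanges:
        # Lapse 1: anything over plain HTTP is readable on a shared network.
        if urlparse(ex.url).scheme == "http":
            findings.append(("cleartext", ex.url))
        # Lapse 2: user media returned successfully with no credentials at all.
        if (ex.method == "GET" and ex.status == 200 and not ex.has_auth
                and ex.content_type.startswith(MEDIA_TYPES)):
            findings.append(("unauthenticated-media", ex.url))
    return findings


if __name__ == "__main__":
    for kind, url in audit(SAMPLE):
        print(f"{kind}: {url}")
```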
The research team recommends that those apps remove the images from their servers or, at the very least, implement some form of validation for those who want to view the content. But that has never been the case.
Some messages were also found to be unencrypted, as in the case of OoVoo and MeetMe.
All these security vulnerabilities leave the data exposed to hackers on public wireless networks, in what is known today as a man-in-the-middle attack.