Smartphones store sensitive personal user information while offering minimal security features.
An uncomfortably large percentage of mobile applications are storing sensitive user account information unencrypted on owners’ smartphones, according to a new survey of 100 consumer smartphone apps.
Some 76 percent of the apps tested stored cleartext usernames on the devices, and 10 percent of the tested applications, including popular apps LinkedIn and Netflix, were found storing passwords on the phone in cleartext.
Conducted by digital security firm ViaForensics, the testing occurred over a period of over eight months and spanned multiple categories, ranging from social networking applications to mobile banking software. The firm tested apps only for iOS and Android, the market’s leading mobile platforms.
“If I get my hands on someone’s lost phone, it could take me ten minutes to find an account username and password,” said Ted Eull, technology services vice president at ViaForensics, in an interview.
ViaForensics sells mobile security tools and services to corporations, attorneys and government agencies.
User names ranked highest on the list of discoverable data. App data — the term ViaForensics uses for private information exchanged using the applications — came in second place, with such data recovered from 69 percent of tested apps.
Mint.com’s iPhone and Android apps — which are used for maintaining financial account information — were found to store user transaction history and balance information on the phone. The Android version of the Mint app stores the user’s PIN on the phone unencrypted, ViaForensics found.
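The kind of check ViaForensics ran, as an added example for a developer auditing their own app's sandbox before release (this is not the firm's tool nor code from the article): it walks an app data directory, parses Android-style SharedPreferences XML files and SQLite databases, and reports any credential-looking keys or columns that hold a non-empty value. The directory layout, the sample preferences file, the `accounts` table and every value in it are constructed here; the sensitive-key pattern is an assumed starting list, not an exhaustive one, and will also flag some benign names.

```python
"""Audit an app's local data directory for cleartext credentials.

Constructed example: builds a fake Android-style app data directory
(SharedPreferences XML + a SQLite database) and scans it the way a
developer would check their own app before release.  All names and
values below are made up.
"""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Key/column names that commonly hold credentials.  Assumption: a starting
# list for a self-audit, not a complete one; expect some false positives.
SENSITIVE_KEY_RE = re.compile(
    r"(pass(word|wd)?|pin|secret|token|login|username|user_?name)", re.I)


def scan_shared_prefs(path):
    """Return (file, key, value) for credential-looking keys in a prefs XML."""
    findings = []
    for el in ET.parse(path).getroot():
        name = el.get("name", "")
        # <string name="k">text</string> keeps its value as element text;
        # <boolean name="k" value="true"/> keeps it in the value attribute.
        value = el.get("value") if el.get("value") is not None else (el.text or "")
        if SENSITIVE_KEY_RE.search(name) and value.strip():
            findings.append((path, name, value))
    return findings


def scan_sqlite(path):
    """Return (file, table.column, value) for credential-looking columns."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            # PRAGMA table_info rows: (cid, name, type, notnull, dflt, pk)
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for col in (c for c in cols if SENSITIVE_KEY_RE.search(c)):
                for (val,) in con.execute(f'SELECT "{col}" FROM "{table}"'):
                    if val not in (None, ""):
                        findings.append((path, f"{table}.{col}", str(val)))
    finally:
        con.close()
    return findings


def scan_app_dir(root):
    """Walk an app data directory and collect findings from prefs and DBs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            if fn.endswith(".xml"):
                findings.extend(scan_shared_prefs(p))
            elif fn.endswith(".db"):
                findings.extend(scan_sqlite(p))
    return findings


def build_sample_app_dir():
    """Create a constructed app sandbox that stores a username, PIN and password in the clear."""
    root = tempfile.mkdtemp(prefix="appdata_")
    prefs, dbs = os.path.join(root, "shared_prefs"), os.path.join(root, "databases")
    os.makedirs(prefs)
    os.makedirs(dbs)
    with open(os.path.join(prefs, "settings.xml"), "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
                '  <string name="username">alice@example.com</string>\n'
                '  <string name="pin">1234</string>\n'
                '  <boolean name="notifications" value="true" />\n'
                '</map>\n')
    con = sqlite3.connect(os.path.join(dbs, "accounts.db"))
    con.execute("CREATE TABLE accounts "
                "(id INTEGER PRIMARY KEY, login TEXT, password TEXT, balance REAL)")
    con.execute("INSERT INTO accounts VALUES (1, 'alice', 'hunter2', 1500.25)")
    con.commit()
    con.close()
    return root


if __name__ == "__main__":
    for path, key, value in scan_app_dir(build_sample_app_dir()):
        print(f"{os.path.basename(path)}: {key} = {value!r}  <-- stored in cleartext")
```

Running it against the constructed sandbox reports the `username` and `pin` preferences and the `accounts.login` and `accounts.password` columns; the `notifications` flag and `balance` column are not flagged. On a real project the same walk would be pointed at the app's private data directory on a test device.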
With two lucrative emerging mobile platforms, early traction is crucial for app developers competing for space. Apple’s App Store menu is closing in on a half-million applications available for download; add the Android Market to that, and you’ve got another 250,000 titles. App developer teams aren’t always focused on security first, especially when some of them consist of a handful of engineers.
“The main thing lacking in mobile development is approaching the platform with the understanding that these are essentially small computers,” Eull said. “Computers that are easily lost, and can travel through countless hands afterwards.”
Though as Ivan Sze noted in an Android forum post, a lock screen PIN isn’t the end-all be-all for a dedicated data thief: “Lock screen password entries aren’t designed to be formidable security barriers — it’s just to make it inconvenient for regular people.”
“It is entirely possible to develop secure mobile apps,” said Andrew Hoog, chief investigative officer at ViaForensics. “But it takes the time, energy and resources to do it.”
http://www.wired.com/threatlevel/2011/08/smartphone-local-data-storage/