Cyberthieves Can Score a Data Touchdown with Unencrypted Apps

With the Super Bowl just behind us, the NFL has been getting its usual burst of publicity, but not all of it has been good. This time, it wasn’t the players who got into trouble – it was the NFL’s official app.

Ohad Bobrov is co-founder and CTO at Lacoon Mobile Security.

Until an urgent fix was made available just after the app’s release, NFL’s official app for iOS and Android placed users at risk by leaking their usernames, passwords, and e-mail addresses in plain text to anyone who may be monitoring the traffic.

The problem, sources say, was a lack of encryption in an API the app used to communicate with its servers. Many of the biggest mobile security problems in both enterprise and personal environments come down to one issue – encryption. Encryption, or rather the lack of it, is something that has to be addressed at much more than one level. App developers, operating systems and mobile devices all have to do their part to ensure user data isn’t being exposed. And because so many users reuse passwords and login details across services, a lack of app encryption means the spillover can be much more serious than the original leak.

Sadly, you don’t have to look back far to find examples of how each responsible party has failed users by allowing private and sensitive user data to be transferred over insecure connections. More often than not, apps allow user data to be used by and sent to third parties — most of which usually have nothing to do with the app itself, for example, advertising networks.

Let’s take a look at some examples that highlight exactly when and where users need to be most careful about how their data is being protected:

The Official NFL app

Researchers discovered that after users securely sign in to the app with their account, the app leaked their username and password in a secondary, insecure (unencrypted) API call. What’s more, the app also leaked the user’s username and e-mail address in an unencrypted cookie immediately following login and on subsequent calls by the app to domains.

The NFL has since fixed the issue, but for a period of time millions of users were put at risk. With so many users still unaware of the dangers of cybercrime, usernames and passwords are often used for multiple services. This means that a leak of data from the NFL app could give attackers access to email, bank accounts and more.
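A defender-side check for the two failure modes just described, credential fields sent in a non-TLS API call and identity fields carried in a cookie over plain HTTP. This is an added example, not code from the article or from Lacoon; it assumes captured app traffic has already been reduced to a list of URL, body and headers, and the requests below are constructed samples, not real NFL traffic.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample traffic from a hypothetical app: a proper HTTPS login,
# then a secondary plaintext analytics call that repeats the credentials,
# then a plaintext asset fetch whose cookie carries the user's e-mail.
SAMPLE_REQUESTS = [
    {"url": "https://api.example.test/login",
     "body": "username=alice&password=hunter2", "headers": {}},
    {"url": "http://stats.example.test/track?username=alice&password=hunter2",
     "body": "", "headers": {}},
    {"url": "http://cdn.example.test/logo.png", "body": "",
     "headers": {"Cookie": "session=abc123; email=alice%40example.test"}},
]

# Field names that should never travel without transport encryption.
SENSITIVE_FIELDS = {"username", "user", "password", "passwd", "email", "e-mail"}


def find_plaintext_leaks(requests):
    """Return (url, location, field) for each sensitive field sent without TLS.

    location is one of "query", "body" or "cookie". HTTPS requests are skipped:
    the check is for exposure on the wire, not for what the app sends at all.
    """
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        if parts.scheme.lower() == "https":
            continue  # encrypted transport; not observable by a network sniffer
        # Credentials in the query string (visible in logs and proxies too).
        for key in parse_qs(parts.query, keep_blank_values=True):
            if key.lower() in SENSITIVE_FIELDS:
                findings.append((req["url"], "query", key))
        # Credentials in a form-encoded body.
        for key in parse_qs(req.get("body", ""), keep_blank_values=True):
            if key.lower() in SENSITIVE_FIELDS:
                findings.append((req["url"], "body", key))
        # Identity data carried in cookies on a plaintext request.
        for item in req.get("headers", {}).get("Cookie", "").split(";"):
            name = item.strip().split("=", 1)[0].lower()
            if name in SENSITIVE_FIELDS:
                findings.append((req["url"], "cookie", name))
    return findings


if __name__ == "__main__":
    for url, where, field in find_plaintext_leaks(SAMPLE_REQUESTS):
        print(f"LEAK: {field!r} in {where} of {url}")
```

The HTTPS login is correctly ignored; only the secondary call and the cookie are reported, which is exactly the pattern the researchers found.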

Multiple dating apps are failing to protect user data

In 2014, an investigation of over a dozen dating apps for iOS and Android showed that 90 percent failed to implement proper encryption when transmitting sensitive information, including purchasing information. Another recurring issue with dating apps is their use of location data. Although this is undoubtedly an integral part of how they work, too many apps have enabled location data to be accessed and extracted which could place users in danger.

With the dating apps, three encryption issues should be noted:

  • Unencrypted user data could be stored on the device.
  • These apps may be transmitting unencrypted data over the internet.
  • The location data these apps collect may be far too accessible.

The Starbucks app for iOS – unprotected passwords saved on the device:

While this is a problem Starbucks has already fixed, it highlights an issue that still exists in many less popular apps. Before research was published, the Starbucks app, the most-used mobile-payment app in the U.S., had been storing usernames, email addresses and passwords in clear text.

This meant that anyone with access to the phone could read the passwords and usernames simply by connecting the phone to a PC. This was a great example of convenience trumping security, since Starbucks elected to save users the trouble of entering their passwords before each purchase by saving the passwords on the device.

Masque Attack

Much was discussed regarding how enterprise provisioning could be abused by malicious apps exploiting Masque Attack and WireLurker, but once a malicious app had actually made its way onto an iOS device, encryption was again part of the problem. Researchers discovered that some of the most popular iOS apps do not employ data encryption for their databases. Worryingly, many of these are messaging/communication apps, meaning that they store sensitive information like names and contact details as well as private conversations.

There are three main takeaways from these examples:

  1. Cybercriminals don’t always have to trick you into putting malware on your phone. Sometimes they can simply exploit vulnerabilities you put there yourself unintentionally. When we install apps from trusted sources, we believe they’re designed in a way that keeps our information safe. However, flaws exist in the code, or there may be gaps in security best practices that leave us exposed. In the case of the NFL app, a skilled hacker could have used this information to phish for high-value, sensitive information like financial records or even enterprise data.
  2. We often blindly trust the networks to which we connect our devices. For example, when at a coffee shop, how would most users tell the difference between “Starbucks Free WiFi” and “Free Starbucks WiFi” hotspots? Or at an airport, with so many public networks available, which one is official and which ones aren’t? Attaching your mobile devices to these networks could easily expose the data you’re sending and receiving to cybercriminals.
  3. The best defense against these issues is a good offense: reinforce established best practices. Only install apps from trusted sources, and be sure to update apps as soon as an update becomes available. These often include unseen fixes that make apps perform better and more safely. When connecting to a public network, take the time to find out which ones can be trusted by asking questions. Shopping centers, airports, and even coffee shops usually have personnel available who can help you find the right one.