Nearly a billion users of almost two dozen popular Android and iOS apps — including Instagram, OkCupid, Words with Friends, Vine, and Line — are jeopardizing their privacy, according to research findings announced today by the University of New Haven.
“A lot of these apps don’t encrypt the data, like pictures, text messages, or audio,” assistant professor of computer science Dr. Abe Baggili told VentureBeat. This means that passwords are sometimes left in plain text, transmissions are sent in the clear, and files are unprotected on company servers.
Other vulnerable apps cited by his Cyber Forensics Research and Education Group include ooVoo, Tango, Kik, Nimbuzz, MeetMe, MessageMe, TextMe, Grindr, HeyWire, Hike, textPlus, MyChat, WeChat, GroupMe, Whisper, and Voxer.
This is the same research group that publicized security issues about the popular WhatsApp and Viber apps in April. The publicity led to fixes in both.
“The take-home message,” Baggili said, “is these developers are sloppy and don’t take security seriously.” There’s no evidence that any of the vulnerabilities are deliberate, he said, but that can’t be ruled out.
The discovered issues, Baggili said, have been reported to the respective companies. But, he noted, “None of these [app] companies have a good way to communicate with them if you have [security] issues” to relay, beyond web forms for support – and few responded to his reports. He also urged Apple and Google “to put some stringent standards on these app developers” for their marketplaces.
Referencing the recent public release of private celebrity photos — possibly from cloud-based storage — he noted that tapping into that unprotected data could also yield a link leading to the storage of additional files.
“One app, TextPlus, takes screenshots and stores them on your phone,” Baggili noted, adding that it’s unclear why. “If someone gets access to your phone, they can see what messages were sent.”
Each of the tested apps has a different set of security issues. Instagram, for example, transmits images over the network unencrypted and stores them on a server that does not require authentication to retrieve them. Other vulnerabilities include unencrypted transmission of location, sketches, music and video; plain-text storage of a password on the device; unencrypted storage of the chat log (which virtually all the tested apps do); and screenshots of app usage being stored on the device.
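The on-device issues listed above (a password stored in plain text, a chat log kept as readable text, screenshots written to disk) are the kind of thing a forensic pull of an app's data directory exposes directly. The script below is an added example, written for this page and not code from the University of New Haven group or from any of the apps named; it builds a constructed sample sandbox whose layout (shared_prefs/*.xml, databases/*.db, files/screenshots/) is an assumption modelled on a typical Android app data directory, then audits it for those three issues using only the Python standard library.

```python
"""Audit a pulled app data directory for the on-device storage issues
named in the article: credential-like values stored in plaintext,
chat logs kept as readable text in a SQLite database, and screenshots
written to disk.

Added example (Python 3, standard library only). The sandbox layout and
every file written by build_sample_sandbox() are constructed sample data,
not taken from any real app.
"""
import os
import re
import sqlite3
import tempfile

# Heuristics: preference keys that usually hold secrets, Android-style
# shared_prefs entries, image files, and the SQLite file signature.
CRED_KEY_RE = re.compile(r'(password|passwd|pwd|secret|token)', re.I)
PREF_ENTRY_RE = re.compile(r'<string name="([^"]+)">([^<]*)</string>')
IMAGE_EXT = ('.png', '.jpg', '.jpeg')
SQLITE_MAGIC = b'SQLite format 3\x00'


def build_sample_sandbox(root):
    """Populate root with a constructed app sandbox (sample data only)."""
    prefs = os.path.join(root, 'shared_prefs')
    db_dir = os.path.join(root, 'databases')
    shots = os.path.join(root, 'files', 'screenshots')
    for d in (prefs, db_dir, shots):
        os.makedirs(d, exist_ok=True)
    with open(os.path.join(prefs, 'account.xml'), 'w', encoding='utf-8') as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                '    <string name="username">alice</string>\n'
                '    <string name="password">hunter2</string>\n'
                '    <string name="theme">dark</string>\n</map>\n')
    con = sqlite3.connect(os.path.join(db_dir, 'chat.db'))
    con.execute('CREATE TABLE messages (id INTEGER PRIMARY KEY, peer TEXT, body TEXT)')
    con.executemany('INSERT INTO messages (peer, body) VALUES (?, ?)',
                    [('bob', 'meet at 7?'), ('bob', 'my pin is 4242')])
    con.commit()
    con.close()
    with open(os.path.join(shots, 'screen_001.png'), 'wb') as f:
        f.write(b'\x89PNG\r\n\x1a\n' + b'\x00' * 16)  # PNG signature, no image data


def _walk_files(root):
    """Yield (absolute path, path relative to root) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            yield path, os.path.relpath(path, root)


def find_plaintext_credentials(root):
    """Return (file, key) for credential-like prefs keys with a non-empty value."""
    hits = []
    for path, rel in _walk_files(root):
        if not path.endswith('.xml'):
            continue
        with open(path, 'r', encoding='utf-8', errors='replace') as f:
            for key, value in PREF_ENTRY_RE.findall(f.read()):
                if CRED_KEY_RE.search(key) and value:
                    hits.append((rel, key))
    return hits


def find_cleartext_chat_cells(root):
    """Return (db, table, column, value) for readable text cells in any SQLite DB."""
    cells = []
    for path, rel in _walk_files(root):
        with open(path, 'rb') as f:
            if f.read(16) != SQLITE_MAGIC:
                continue
        con = sqlite3.connect(path)
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
            text_cols = [c[1] for c in con.execute(f'PRAGMA table_info("{table}")')
                         if str(c[2]).upper() == 'TEXT']
            for col in text_cols:
                for (val,) in con.execute(f'SELECT "{col}" FROM "{table}"'):
                    if isinstance(val, str) and val.strip() and val.isprintable():
                        cells.append((rel, table, col, val))
        con.close()
    return cells


def find_screenshots(root):
    """Return relative paths of image files stored anywhere in the sandbox."""
    return [rel for _, rel in _walk_files(root) if rel.lower().endswith(IMAGE_EXT)]


def audit(root):
    """Run all three checks over an app data directory."""
    return {
        'plaintext_credentials': find_plaintext_credentials(root),
        'cleartext_chat_cells': find_cleartext_chat_cells(root),
        'screenshots': find_screenshots(root),
    }


def demo():
    """Build the constructed sandbox in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_sandbox(root)
        return audit(root)


if __name__ == '__main__':
    for check, findings in demo().items():
        print(f'{check}: {len(findings)} finding(s)')
        for item in findings:
            print('   ', item)
```

Point the `audit()` function at a real data directory pulled from a test device to reproduce the checks on an app you are responsible for. The heuristics are deliberately simple (a key-name regex and a printable-text test), so treat hits as leads to confirm by hand rather than as proof; and the fix for a credential hit is not to obfuscate the value but to avoid storing the password at all, keeping only a revocable session token in the platform's protected store (Android Keystore or the iOS Keychain).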
To illustrate the issues, the group will post five videos — one for each of the next five days, starting today.
How can users protect themselves?
“Don’t send stupid things,” Baggili told us.