An uncomfortably large percentage of mobile applications are storing sensitive user account information unencrypted on owners' smartphones, according to a new survey of 100 consumer smartphone apps.
Some 76% of the apps tested stored cleartext usernames on the devices, and 10% of the tested applications, including popular apps LinkedIn and Netflix, were found storing passwords on the phone in cleartext.
Conducted by digital security firm ViaForensics, the testing occurred over a period of over eight months and spanned multiple categories, ranging from social networking applications to mobile banking software. The firm tested apps only for iOS and Android, the market's leading mobile platforms.
User names ranked highest on the list of discoverable data. App data -- the term ViaForensics uses for private information exchanged using the applications -- came in second place, with such data recovered from 69% of tested apps.
Mint.com's iPhone and Android apps, which are used for maintaining financial account information, were found to store user transaction history and balance information on the phone.
The Android version of the Mint app stores the user's PIN on the phone unencrypted, ViaForensics found.
"We're already working on ways to make this experience better," said Jason Yiin, lead mobile engineer at Mint.com, in an interview. "At the moment, if users are highly concerned, they can log in and out of the application each time they access it on their phones."
Yiin also points out that if an intruder accesses your PIN, they won't be able to manipulate any account information or move assets between accounts. The intruder will, however, be able to see account balance and transaction history information.
In June, based on ViaForensics' early findings, Netflix promised a security update at a yet to be specified date. But LinkedIn says it is satisfied with the security of its app.
Apple's iOS-based apps scored consistently higher marks than Android apps in ViaForensics' tests. That doesn't surprise security analysts, who say Apple's Keychain security architecture for storing user credentials is stronger than Android's Account Manager.
"Right now, Apple does a better job on iOS in providing an API where app developers can use a pretty decent mechanism to protect stored information," says David Campbell, mobile security consultant at Electric Alchemy. "Currently, that doesn't exist on Android."
Google makes no bones about its platform's security.
"We dispute the claim that this data is insecurely stored on Android devices," a Google spokesman told Wired.com. "The data is not accessible by default unless the phone has been rooted to gain full privileges, which Android actively protects against and would result in similar exposure for any platform."
Earlier this year, German security researchers Jens Heider and Matthias Boll published a paper detailing how to partially circumvent keychain protections in a six-minute procedure on an IOS device.
In any case, developers too often choose not to use the operating system's security resources to begin with.
"What we have is a strong developer community who are good at coding on the whole, but not necessarily experts in security," independent security analyst Ashkan Soltani told Wired.com. "A developer writes an app, and he's just trying to get it off the ground as fast as he can."
With two lucrative emerging mobile platforms, early traction is crucial for app developers competing for space. Apple's App Store menu is closing in on a half-million applications available for download; add the Android Market to that, and you've got another 250,000 titles. App developer teams aren't always focused on security first, especially when some of them consist of a handful of engineers.
"The main thing lacking in mobile development is approaching the platform with the understanding that these are essentially small computers," Eull said. "Computers that are easily lost, and can travel through countless hands afterwards."
Even if you haven't lost your phone, downloading apps can be a crap shoot. The Android Market allows anyone to submit apps for download, with no vetting process to separate the wheat from the virus-infested chaff. That makes for lots of opportunities for malware to sneak in, a common enough occurrence for Google's patrons over the past year.
Three out of ten Android users will encounter a web-based threat on their device this year, according to recent findings from Lookout Mobile Security.
Of course, there are the issues that come with owning a smartphone at all, apps or no apps. In April, two researchers discovered an unencrypted file stored inside Apple's iOS software which stored a list of iPhone 4 owners' locations for a period of over ten months. Dubbed "Locationgate," the discovery turned into a full-blown privacy fiasco for the company.
The file -- "consolidated.db" -- compiled geolocation data from when users' smartphones came into contact with a new Wi-Fi network, or when a user accessed an app on the device that utilized GPS services. It was later revealed that Google's Android platform collected similar geographic data, though in a much more limited capacity than Apple.
Fortunately, some app makers are listening.
After ViaForensics contacted a number of the offending app's parent companies, several issued updates remedying the security concerns. Financial institutions like Bank of America, USAA and Wells Fargo -- all of which arguably have access to a user's most sensitive data -- issued quick fixes to their applications, now scoring a "pass" rating on ViaForensics' tests.
Ultimately, it's safer to take preventative measures than rely on app developers to change their ways.
Apple's MobileMe program includes a remote-wipe option, which lets you erase everything on your phone if it's lost or stolen (Mint.com's app also includes a remote-wipe option). And at the simplest of levels, installing a six-digit PIN on your device is a no-brainer.
"It's a hassle to punch in a PIN every time you want to use your phone," says Eull, "but its even more of a hassle for someone who wants to crack your device."
Though as Ivan Sze noted in an Android forum post, a lock screen PIN isn't the end-all be-all for a dedicated data thief: "Lock screen password entries aren't designed to be formidable security barriers -- it's just to make it inconvenient for regular people."
"It is entirely possible to develop secure mobile apps," said Andrew Hoog, chief investigative officer at ViaForensics. "But it takes the time, energy and resources to do it."
