It’s always something when it comes to mobile devices, privacy and security.
Along with geo-tracking and the fear that your phones might be logging your every move, you can add this tech-worry to your list of concerns: Your smartphone apps are really bad at storing your sensitive data.
According to a mobile app security study by viaForensics, “there is a serious potential threat for identity or financial theft if a lost smartphone should fall into the wrong hands.” Their “appWatchdog” study focused on data stored on your devices – usernames, passwords, and other private app data. They looked at both iPhone apps and Android apps.
What they found was that many apps currently store sensitive, private user data without encryption. Of all the apps that they looked at, only 17% scored a “pass” rating. 44% scored a “warn” rating, meaning that private data was “recoverable.” 39% scored a “fail” rating, meaning that private data like account information and personal communication were stored in plain text.
As you can see, it was quite easy for viaforensics to recover usernames from the apps and 10% of passwords they encountered were stored in plain text. For most apps and services, if you know the username and password, you’re in.
The strongest apps from a security standpoint were the financial apps. Of the 32 that they tested, 14 received a passing rating. Of the 8 financial apps that “failed,” they say that they “were able to recover payment history, partial credit card numbers and other transaction-related data. Others cached security PIN or username/password.”
On the other end of the spectrum, social networking apps were the worst. They tested 19 apps from 9 different companies and none passed the username test – everyone’s username was stored in plain text. Both LinkenIn for Android and Foursquare for Android failed their password test – users’ passwords were stored in plain text.
Retail apps scored 0% pass, 86% warn and 14% fail while productivity apps like K-9 Mail and WordPress scored 9% pass, 49% warn and 43% fail on the whole.
Since a good amount of people use the same usernames and passwords for multiple services, it’s not hard to foresee the possible dangers here. Someone with bad intentions gets hold of one username or one password and they could have access to quite a bit of personal stuff.
Pair that with the fact that most smartphone passcodes are depressingly simple and you’ve got a security nightmare.
Of course, nobody wants to sound alarmist, but consumers “should recognize the risk,” says viaForensics.
