The work that EA did for the Wall Street Journal made it clear that most apps are far too permissive with the sensitive data that they share 'on the wire'. Subsequently a report by ViaForensics concludes that many apps are also carelesss with the sensitive data they store locally on the mobile device.
interviewed by Wired for this article about the study.
An uncomfortably large percentage of mobile applications are storing
sensitive user account information unencrypted on owners’ smartphones,
according to a new survey of 100 consumer smartphone apps.
Some 76 percent of the apps tested stored cleartext usernames on the
devices, and 10 percent of the tested applications, including popular
apps LinkedIn and Netflix, were found storing passwords on the phone in
Conducted by digital security firm ViaForensics,
the testing occurred over a period of over eight months and spanned
multiple categories, ranging from social networking applications to
mobile banking software. The firm tested apps only for iOS and Android,
the market’s leading mobile platforms.
“If I get my hands on someone’s lost phone, it could take me ten
minutes to find an account username and password,” said Ted Eull,
techology services vice president at ViaForensics, in an interview.
ViaForensics sells mobile security tools and services to corporations, attorneys and government agencies.
User names ranked highest on the list of discoverable data. App data —
the term ViaForensics uses for private information exchanged using the
applications — came in second place, with such data recovered from 69
percent of tested apps.
Mint.com’s iPhone and Android apps — which are used for maintaining
financial account information — were found to store user transaction
history and balance information on the phone. The Android version of the
Mint app stores the user’s PIN on the phone unencrypted, ViaForensics
“We’re already working on ways to make this experience better,” said
Jason Yiin, lead mobile engineer at Mint.com, in an interview. “At the
moment, if users are highly concerned, they can log in and out of the
application each time they access it on their phones.” Yiin also points
out that if an intruder accesses your PIN, they won’t be able to
manipulate any account information or move assets between accounts. The
intruder will, however, be able to see account balance and transaction
In June, based on ViaForensics’ early findings, Netflix promised a security update
at a yet to be specified date. But LinkedIn says it is satisfied with
the security of its app. “We’re using the standard Android programming
practices for storing and managing data,” LinkedIn spokeswoman Krista
Canfield told Wired.com.
Apple’s iOS-based apps scored consistently higher marks than Android
apps in ViaForensics’ tests. That doesn’t surprise security analysts,
who say Apple’s Keychain security architecture for storing user
credentials is stronger than Android’s Account Manager. “Right now,
Apple does a better job on iOS in providing an API where app developers
can use a pretty decent mechanism to protect stored information,” says
David Campbell, mobile security consultant at Electric Alchemy.
“Currently, that doesn’t exist on Android.”
Google makes no bones about its platform’s security. “We dispute the
claim that this data is insecurely stored on Android devices,” a Google
spokesman told Wired.com. “The data is not accessible by default unless
the phone has been rooted to gain full privileges, which Android
actively protects against and would result in similar exposure for any
Earlier this year, German security researchers Jens Heider and Matthias Boll published a paper detailing how to partially circumvent keychain protections (.pdf) in a six-minute procedure on an IOS device.
In any case, developers too often choose not to use the operating
system’s security resources to begin with. “What we have is a strong
developer community who are good at coding on the whole, but not
necessarily experts in security,” independent security analyst Ashkan
Soltani told Wired.com. “A developer writes an app, and he’s just
trying to get it off the ground as fast as he can.”
With two lucrative emerging mobile platforms, early traction is
crucial for app developers competing for space. Apple’s App Store menu
is closing in on a half-million applications
available for download; add the Android Market to that, and you’ve got
another 250,000 titles. App developer teams aren’t always focused on
security first, especially when some of them consist of a handful of
“The main thing lacking in mobile development is approaching the
platform with the understanding that these are essentially small
computers,” Eull said. “Computers that are easily lost, and can travel
through countless hands afterwards.”