The work that EA did for the Wall Street Journal made it clear that most apps are far too permissive with the sensitive data they send over the wire. A subsequent report by ViaForensics concludes that many apps are just as careless with the sensitive data they store locally on the mobile device.
EA Principal Consultant David Campbell was interviewed by Wired for its article on the study.
The Wired article follows:
An uncomfortably large percentage of mobile applications are storing sensitive user account information unencrypted on owners’ smartphones, according to a new survey of 100 consumer smartphone apps.

Some 76 percent of the apps tested stored cleartext usernames on the devices, and 10 percent of the tested applications, including popular apps LinkedIn and Netflix, were found storing passwords on the phone in cleartext.

Conducted by digital security firm ViaForensics, the testing took place over more than eight months and spanned multiple categories, ranging from social networking applications to mobile banking software. The firm tested apps only for iOS and Android, the market’s leading mobile platforms.
“If I get my hands on someone’s lost phone, it could take me ten minutes to find an account username and password,” said Ted Eull, technology services vice president at ViaForensics, in an interview. ViaForensics sells mobile security tools and services to corporations, attorneys and government agencies.
User names ranked highest on the list of discoverable data. App data, the term ViaForensics uses for private information exchanged using the applications, came in second place, with such data recovered from 69 percent of tested apps.

Mint.com’s iPhone and Android apps, which are used for maintaining financial account information, were found to store user transaction history and balance information on the phone. The Android version of the Mint app stores the user’s PIN on the phone unencrypted, ViaForensics found.

“We’re already working on ways to make this experience better,” said Jason Yiin, lead mobile engineer at Mint.com, in an interview. “At the moment, if users are highly concerned, they can log in and out of the application each time they access it on their phones.” Yiin also points out that if an intruder accesses your PIN, they won’t be able to manipulate any account information or move assets between accounts. The intruder will, however, be able to see account balance and transaction history information.

In June, based on ViaForensics’ early findings, Netflix promised a security update at a yet-to-be-specified date. But LinkedIn says it is satisfied with the security of its app. “We’re using the standard Android programming practices for storing and managing data,” LinkedIn spokeswoman Krista Canfield told Wired.com.

Apple’s iOS-based apps scored consistently higher marks than Android apps in ViaForensics’ tests. That doesn’t surprise security analysts, who say Apple’s Keychain security architecture for storing user credentials is stronger than Android’s Account Manager. “Right now, Apple does a better job on iOS in providing an API where app developers can use a pretty decent mechanism to protect stored information,” says David Campbell, mobile security consultant at Electric Alchemy. “Currently, that doesn’t exist on Android.”

Google makes no bones about its platform’s security. “We dispute the claim that this data is insecurely stored on Android devices,” a Google spokesman told Wired.com. “The data is not accessible by default unless the phone has been rooted to gain full privileges, which Android actively protects against and would result in similar exposure for any platform.”
Earlier this year, German security researchers Jens Heider and Matthias Boll published a paper detailing how to partially circumvent Keychain protections in a six-minute procedure on an iOS device.
In any case, developers too often choose not to use the operating system’s security resources to begin with. “What we have is a strong developer community who are good at coding on the whole, but not necessarily experts in security,” independent security analyst Ashkan Soltani told Wired.com. “A developer writes an app, and he’s just trying to get it off the ground as fast as he can.”

With two lucrative emerging mobile platforms, early traction is crucial for app developers competing for space. Apple’s App Store menu is closing in on a half-million applications available for download; add the Android Market to that, and you’ve got another 250,000 titles. App developer teams aren’t always focused on security first, especially when some of them consist of a handful of engineers.

“The main thing lacking in mobile development is approaching the platform with the understanding that these are essentially small computers,” Eull said. “Computers that are easily lost, and can travel through countless hands afterwards.”
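The "ten minutes to find a username and password" check the article describes is easy to automate once app storage has been pulled from a device. The script below is an added example written for this post; it is not ViaForensics' tooling or anything from the apps named above. It walks an extracted app data directory and reports any key, plist entry or SQLite column whose name suggests a credential and whose value is stored in the clear. The key-name patterns, the sample files it builds, and the "hex-digest-length value is probably a hash, not cleartext" heuristic are all assumptions made for illustration.

```python
"""Scan an extracted mobile app data directory for cleartext credentials.

Added example, not ViaForensics' or any vendor's code. Handles the three
storage forms the article's findings point at: Android SharedPreferences
XML, an iOS property list, and a SQLite database.
"""
import os
import plistlib
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Assumed key/column-name patterns for credentials and account identifiers.
SECRET_RE = re.compile(r"pass(word|wd)?|pin|secret|token|session|auth", re.I)
USERNAME_RE = re.compile(r"user(name)?|email|login", re.I)
# Assumed heuristic: an MD5/SHA-1/SHA-256-length hex string is a digest, not cleartext.
HEX_DIGEST_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


def classify_key(name):
    """Return 'secret', 'username' or None for a key or column name."""
    if SECRET_RE.search(name):
        return "secret"
    if USERNAME_RE.search(name):
        return "username"
    return None


def record(findings, path, key, kind, value):
    """Append a finding unless the value is empty or looks like a hash."""
    value = "" if value is None else str(value)
    if not value or HEX_DIGEST_RE.match(value):
        return
    findings.append({"file": os.path.basename(path), "key": key,
                     "kind": kind, "value": value})


def scan_shared_prefs(path, findings):
    """Android SharedPreferences: <map><string name="k">v</string>...</map>."""
    for elem in ET.parse(path).getroot():
        name = elem.get("name", "")
        kind = classify_key(name)
        if kind:
            value = elem.text if elem.tag == "string" else elem.get("value")
            record(findings, path, name, kind, value)


def scan_plist(path, findings):
    """iOS property list (e.g. NSUserDefaults): flat key/value dictionary."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    for key, value in data.items():
        kind = classify_key(key)
        if kind:
            record(findings, path, key, kind, value)


def scan_sqlite(path, findings):
    """Every table: dump the columns whose names look like credentials."""
    conn = sqlite3.connect(path)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            hits = [(c, classify_key(c)) for c in cols if classify_key(c)]
            if not hits:
                continue
            select = ", ".join(f'"{c}"' for c, _ in hits)
            for row in conn.execute(f'SELECT {select} FROM "{table}"'):
                for (col, kind), value in zip(hits, row):
                    record(findings, path, f"{table}.{col}", kind, value)
    finally:
        conn.close()


SCANNERS = {".xml": scan_shared_prefs, ".plist": scan_plist, ".db": scan_sqlite}


def scan_app_dir(root):
    """Walk a pulled app sandbox and collect cleartext credential findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            scanner = SCANNERS.get(os.path.splitext(name)[1].lower())
            if scanner:
                scanner(os.path.join(dirpath, name), findings)
    return findings


def build_sample_app_dir():
    """Constructed sample data standing in for an app sandbox pulled from a phone."""
    root = tempfile.mkdtemp(prefix="appdata_")
    prefs = os.path.join(root, "shared_prefs")
    os.makedirs(prefs)
    with open(os.path.join(prefs, "account.xml"), "w") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n<map>\n'
                 '  <string name="username">alice@example.com</string>\n'
                 '  <string name="password">hunter2</string>\n'
                 '  <int name="launch_count" value="4" />\n</map>\n')
    with open(os.path.join(root, "Preferences.plist"), "wb") as fh:
        plistlib.dump({"user_pin": "1234", "theme": "dark"}, fh)
    db = sqlite3.connect(os.path.join(root, "sessions.db"))
    db.execute("CREATE TABLE sessions (id INTEGER, auth_token TEXT, password_hash TEXT)")
    db.execute("INSERT INTO sessions VALUES (1, 'tok_abc123', ?)", ("a" * 64,))
    db.commit()
    db.close()
    return root


if __name__ == "__main__":
    for f in scan_app_dir(build_sample_app_dir()):
        print(f"{f['file']}: {f['key']} [{f['kind']}] = {f['value']!r}")
```

On the constructed sample this reports the cleartext username and password from the SharedPreferences file, the PIN from the plist and the session token from the database, and stays quiet on the `password_hash` column because its value is digest-shaped. The name patterns are deliberately broad; on a real app dump you would expect to triage some false positives, and a value that is base64 or otherwise encoded but not encrypted still counts as cleartext for the purposes of the article's finding.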