HTTPS defects in dozens of top downloaded Android apps found to expose user passwords!
Researchers have reportedly unearthed dozens of Android apps in the official Google Play store that expose user passwords because either they fail to properly implement HTTPS encryption during logins or don't use it at all.
The roster of faulty apps have more than 200 million collective downloads from Google Play and have remained vulnerable even after developers were alerted to the defects claims arstechnica .
They were repotedly uncovered by AppBugs, a free Android app that spots dangerous apps installed on user's handsets.
The post further says that the CEO of appbugs told them that "Match.com app uses unencrypted hypertext transfer text protocol when sending user passwords, making it trivial for people in a position to monitor the traffic—such as someone on the same Wi-Fi network—to read the credentials. ".
The post also lists a video showing the vunerability of NBA Game Time app!
In all, Wang a appbug developer said to them that he discovered 100 apps that didn't HTTPS-protect login credentials, only 28 of which have since been fixed.
Here’s the list of problem apps found by AppBugs. For more details, see AppBug’s page on social plugin vulnerabilities in mobile apps, which includes videos demonstrating each vulnerability.
- Astro File Manager with Cloud
- Windows Live Hotmail Push Mail
- Brother iPrint & Scan
- Software Data Cable
- FriendCaster Chat
- PrintHand Mobile Print
- Phone for Google Voice & GTalk
- FoxIt MobilePDF
You can read the full article here.
Although it wouldn't be hard for Google to detect such shortcomings in apps it it lists in play store, there seems to be no indication that the company does that.