The eight Android and iOS apps fail to properly protect user data by transmitting sensitive information such as device details, location, and authentication credentials over plain HTTP instead of HTTPS.
This leaves the data open to potential attacks such as data theft, eavesdropping, man-in-the-middle attacks, etc. Encryption is a basic security measure to protect user data, but many app developers seem to implement it incorrectly.
8 Android and iOS Apps
- Klara Weather (Android)
- Military Dating App – MD Date (iOS)
- Sina Finance (Android)
- CP Plus Intelli Serve (Android)
- Latvijas Pasts (Android)
- HaloVPN: Fast and Secure VPN Proxy (iOS)
- i-Boating: Marine Charts & GPS (iOS)
- Texas Storm Chasers (iOS)
The Klara Weather and Military Dating apps pose significant security risks due to unencrypted data transmissions. Klara Weather leaks user location data over HTTP, exposing sensitive privacy information.
Meanwhile, the Military Dating app transmits usernames and passwords unencrypted, leaving them open to interception and compromise, which could lead to unauthorized access to personal data, identity theft, and other malicious activity.
The Android apps Sina Finance and CP Plus Intelli Serve pose a significant security risk by leaking sensitive device information, including device ID, SDK version, and IMEI, over unencrypted HTTP connections, putting users at risk of being tracked and profiled.
CP Plus Intelli Serve transmits usernames and passwords in plain text, exposing them to interception and theft. Neither app implements basic security measures, such as HTTPS encryption, to protect user data, exposing users to privacy and security breaches.
The popular mobile apps Latvijas Pasts and HaloVPN, which have been downloaded over 100,000 and 13,300 times respectively, pose a significant security risk as they transmit sensitive user data unencrypted.
Network traffic analysis and code inspection revealed that Latvijas Pasts leaks user location information over HTTP, and HaloVPN exposes device information such as device ID, language, model, name, time zone, and SIM details.
The mobile applications “i-Boating: Marine Charts & GPS” and “Texas Storm Chasers” have been found to be transmitting sensitive user data over unencrypted HTTP connections.
Specifically, i-Boating transmits device information such as type and OS version, and Texas Storm Chasers transmits user location information. Either could allow malicious actors to easily access users' personal information and exposes users to security risks such as eavesdropping and data interception.
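The findings above come from network traffic analysis: capturing an app's requests and checking which ones carry location, device or credential fields over plain HTTP. The following is an added example of that check, written for this page and not code from Symantec or from any of the apps named. It runs over constructed, proxy-style request lines (absolute-form URLs, as an intercepting proxy records them); the hostnames, field names and values are invented, and the list of "sensitive" parameter names is an assumption a reviewer would extend for the app under test.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample captures (not real traffic from any app in the report).
SAMPLE_REQUESTS = [
    "GET http://weather.example.com/forecast?lat=56.9496&lon=24.1052&device_id=abc123 HTTP/1.1",
    "POST http://dating.example.com/login HTTP/1.1\r\n\r\nusername=alice&password=hunter2",
    "GET https://secure.example.com/api?imei=123456789012345 HTTP/1.1",
    "GET http://cdn.example.com/logo.png HTTP/1.1",
]

# Assumed mapping of parameter names to the categories the report talks about.
SENSITIVE_KEYS = {
    "location": {"lat", "latitude", "lon", "lng", "longitude"},
    "device": {"device_id", "deviceid", "imei", "android_id", "sdk_version", "model"},
    "credentials": {"username", "user", "password", "pass", "token"},
}


def parse_request(raw):
    """Split a raw HTTP request into (method, url, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, url, _version = request_line.split(" ", 2)
    return method, url, body


def classify_fields(pairs):
    """Return the set of sensitive categories present among (key, value) pairs."""
    found = set()
    for key, _value in pairs:
        name = key.lower()
        for category, names in SENSITIVE_KEYS.items():
            if name in names:
                found.add(category)
    return found


def find_cleartext_leaks(requests):
    """Return [(host_and_path, [categories])] for plain-HTTP requests
    whose query string or form body carries sensitive fields.
    HTTPS requests are skipped: the same fields inside TLS are not
    exposed to an on-path observer."""
    findings = []
    for raw in requests:
        _method, url, body = parse_request(raw)
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        if body:
            pairs += parse_qsl(body, keep_blank_values=True)
        categories = classify_fields(pairs)
        if categories:
            findings.append((f"{parts.netloc}{parts.path}", sorted(categories)))
    return findings


if __name__ == "__main__":
    for target, categories in find_cleartext_leaks(SAMPLE_REQUESTS):
        print(f"cleartext leak to {target}: {', '.join(categories)}")
```

Only the two plain-HTTP requests carrying location, device or credential fields are reported; the HTTPS request with an IMEI and the image fetch are not. Real captures also need the Host header and JSON bodies handled, but the decision logic is the same.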
The ongoing occurrence of unencrypted data transmission in mobile apps poses significant security risks to users. Developers are urged to prioritize app security by using HTTPS for all network traffic, encrypting sensitive data, conducting regular security audits, and paying close attention to protecting user data.
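On Android, "HTTPS for all network traffic" is enforced declaratively through the app's network security configuration, where `cleartextTrafficPermitted` on `<base-config>` and `<domain-config>` decides whether plain HTTP is allowed at all. The following audit script is an added example, not code from Symantec or from any of the apps named: it parses a network security config and reports which scopes still permit cleartext, applying the platform default (cleartext blocked from API level 28 onward, allowed before) when the attribute is absent. The two configs are constructed; the domain names are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed config that permits plain HTTP everywhere (the weak setting).
PERMISSIVE_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
</network-security-config>"""

# Constructed config that blocks cleartext by default and exempts exactly one
# legacy host, so the audit can show the exception explicitly.
RESTRICTED_CONFIG = """<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">legacy.example.com</domain>
    </domain-config>
</network-security-config>"""


def _flag(elem, inherited):
    """Read cleartextTrafficPermitted, falling back to the inherited value."""
    value = elem.get("cleartextTrafficPermitted")
    if value is None:
        return inherited
    return value.lower() == "true"


def audit_cleartext(config_xml, target_sdk):
    """Return (base_allows_cleartext, {domain: allows_cleartext}).

    Platform default when base-config says nothing: cleartext is blocked
    from API 28 (Android 9) on and allowed on earlier targets.
    Nested domain-config elements inherit from their parent, as on Android.
    """
    root = ET.fromstring(config_xml)
    platform_default = target_sdk < 28
    base = root.find("base-config")
    base_allows = _flag(base, platform_default) if base is not None else platform_default

    domains = {}

    def walk(parent, inherited):
        for dc in parent.findall("domain-config"):
            allows = _flag(dc, inherited)
            for d in dc.findall("domain"):
                domains[d.text.strip()] = allows
            walk(dc, allows)

    walk(root, base_allows)
    return base_allows, domains


def report(config_xml, target_sdk):
    """Human-readable summary of every scope that still permits cleartext."""
    base_allows, domains = audit_cleartext(config_xml, target_sdk)
    lines = [f"base-config cleartext: {'ALLOWED' if base_allows else 'blocked'}"]
    for domain, allows in domains.items():
        lines.append(f"{domain}: {'ALLOWED' if allows else 'blocked'}")
    return lines


if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE_CONFIG), ("restricted", RESTRICTED_CONFIG)):
        print(name)
        for line in report(cfg, target_sdk=33):
            print("  " + line)
```

An empty config with no `<base-config>` shows the platform default in action: the same file passes on a target SDK of 28 and fails on 27, which is why an audit has to take the manifest's target SDK into account rather than the config file alone. iOS has the equivalent App Transport Security setting, which this script does not cover.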
Symantec encourages users to protect their mobile devices from threats by installing trusted security apps, avoiding downloading apps from untrusted sources, keeping software up to date, carefully reviewing app permissions, and regularly backing up important data, which will significantly reduce the risk of a mobile device being compromised.