Dozens of Popular Android Apps Leak Sensitive User Data

A number of popular Android applications are putting sensitive user data at risk of exposure because the app developers are not fully implementing encryption.

A group of researchers from the University of New Haven’s Cyber Forensics Research and Education Group have uncovered vulnerabilities in several popular Android apps, including Instagram, Vine, OKCupid and more. The bugs could expose the sensitive information of some 968 million users that have installed the affected applications on their Android mobile devices.

My colleague, Chris Brook, from Threatpost reported that most of the bugs, which were disclosed by the group of researchers in a series of Youtube videos, result from the storage of unencrypted content on the servers controlling the vulnerable applications.

“Although all of the data transmitted through these apps is supposed to go securely from just one person to another, we have found that private communications can be viewed by others because the data is not being encrypted and the original user has no clue.”

“Anyone who has used or continues to use the tested applications are at risk of confidential breaches involving a variety of data, including their passwords in some instances,” says Abe Baggili, assistant professor of computer science at UNH’s Tagliatela College of Engineering, and head of the cFREG.

Per Threatpost, Instagram Direct’s messaging functionality was leaking photos shared between users as well as past images that were stored in plain-text on Instagram’s servers. The researchers were also able to sniff out certain keywords over HTTP, allowing them to view certain information shared between users of the popular online dating service, OKCupid. A video chat application called ooVoo contained essentially the same vulnerabilities as the Instagram Direct app. Instagram’s lack of full encryption is an issue we’ve covered here at Kaspersky Daily in the past.

Three other free calling and messengers apps, Tango, Nimbuzz and Kik, had bugs that let the researchers pilfer images, location points and videos. Nimbuzz was also caught storing user passwords in plain text.

MeetMe, MessageMe and TextMe all send information in plain, unencrypted text, which could give an attacker the ability to monitor the communications of users running those applications on a local network. Sent and received images and shared location points can also be monitored in plain text on those apps. The researchers were also able to view a TextMe database file that stored their login credentials in plain text.

Grindr, HeyWire, Hike and TextPlus suffered from essentially the same bugs. Attackers using readily available tools, like WireShark, could easily pilfer messages, images and shared locations. In addition, images sent via Grindr, HeyWire and TextPlus remained on the services’ servers in plain text and available with authentication for weeks.

“Using HeliumBackup, an Android backup extractor, we were able to gain access to the Android back up file for TextPlus,” one researcher said. “When we opened it up, we noticed that there were screen shots of user activities that we did not take. We do not know the purpose of these screenshots or why they are being stored on the device.”

In their final video, the researchers looked into what apps stored sensitive data in their app storage. Problematically, TextPlus, Nimbuzz and TextMe all stored login credentials in plain text. In addition to that, those three apps along with MeetMe, SayHi, ooVoo, Kik, Hike, MyChat, WeChat, HeyWire, GroupMe, LINE, Whisper, Vine, Voxer and Words With Friends, all stored chat logs in plain text.

“Although all of the data transmitted through these apps is supposed to go securely from just one person to another, we have found that private communications can be viewed by others because the data is not being encrypted and the original user has no clue,” Baggili has said.

The researchers tried to notify the developers behind the apps in question but were initially met with formulaic support contact forms and were given no direct way to contact the developers. In an email interview, Abe Baggili said he was unaware if the vendors had fixed any of the bugs that he and his team discovered.

We reached out to Instagram for confirmation, but the company has not yet responded to our request for comment.

It is not clear if the developers of these applications plan to fix the bugs described here.

That said, CNET reached out to Instagram, Kik and Grindr. Instagram says it is in the process of moving to full encryption on their Android app, which would resolve the problems. Kik said it is working to encrypt sketches shared between users but that it will not encrypt chat logs because those logs are isolated and not accessible between apps on a given phone. They claim that this sort of data storage is the industry standard. Grindr merely said it monitors security reports like these and makes changes as it sees fit.

Tips