MOSCOW, September 9 (RIA Novosti) – A number of popular Android applications fail to ensure basic security for their users, a recent study by the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG) revealed.
Instagram, Grindr, OkCupid, OoVoo, MessageMe, Tango, HeyWire and other Android applications put users’ privacy at risk, the UNHcFREG study concluded Monday.
“What we really find is that app developers are pretty sloppy,” Ibrahim Baggili, UNHcFREG’s director and editor-in-chief of the Journal of Digital Forensics, Security and Law, told PCWorld in a phone interview Monday.
“Anyone who gets access to your phone can dump the backup and see all the chat messages that were sent back and forth,” he warned.
The research was aimed at detecting weaknesses in the apps that could put data at risk of interception. Using traffic analysis tools such as Wireshark and NetworkMiner, the researchers found that Facebook’s Instagram application, OoVoo, MessageMe, Tango, Grindr, HeyWire and TextPlus store users’ images on their servers unencrypted and accessible without authentication.
Moreover, the researchers found that many of the applications in question either do not use SSL/TLS (Secure Sockets Layer/Transport Layer Security) or use it insecurely. As a result, hackers can intercept users’ traffic over open public Wi-Fi. In particular, OkCupid’s application, used by almost 3 million people, does not encrypt chats over SSL.
Baggili told PCWorld that his team had already contacted the developers of the applications but had received no responses yet.
The research follows UNHcFREG’s findings earlier this year of vulnerabilities in the messaging applications WhatsApp and Viber. The group is going to release one video a day this week on its YouTube channel revealing the findings, which may affect around 1 billion users.