{"id":4118,"date":"2014-09-18T10:00:11","date_gmt":"2014-09-18T14:00:11","guid":{"rendered":"http:\/\/www.kaspersky.co.in\/blog\/?p=4118"},"modified":"2020-02-26T20:28:22","modified_gmt":"2020-02-26T14:58:22","slug":"privacy_holes_in_popular_android_apps","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/privacy_holes_in_popular_android_apps\/4118\/","title":{"rendered":"Dozens of Popular Android Apps Leak Sensitive User Data"},"content":{"rendered":"<p>A group of researchers from <a href=\"http:\/\/www.unhcfreg.com\/\" target=\"_blank\" rel=\"noopener nofollow\">the University of New Haven\u2019s Cyber Forensics Research and Education Group<\/a> have uncovered vulnerabilities in several popular Android apps, including Instagram, Vine, OKCupid and more. The bugs could expose the sensitive information of some 968 million users that have installed the affected applications on their <a href=\"https:\/\/www.kaspersky.com\/blog\/fakeid-scanner\/\" target=\"_blank\" rel=\"noopener nofollow\">Android mobile devices<\/a>.<\/p>\n<p>My colleague, Chris Brook, from Threatpost <a href=\"https:\/\/threatpost.com\/privacy-vulnerabilities-in-popular-android-apps-disclosed\/108163\" target=\"_blank\" rel=\"noopener nofollow\">reported<\/a> that most of the bugs, which were disclosed by the group of researchers in a series of YouTube videos, result from the storage of <a href=\"https:\/\/www.kaspersky.com\/blog\/whos-using-encryption-whos-not\/\" target=\"_blank\" rel=\"noopener nofollow\">unencrypted content<\/a> on the servers controlling the vulnerable applications.<\/p>\n<p>\u201cAnyone who has used or continues to use the tested applications is at risk 
of confidential breaches involving a variety of data, including their passwords in some instances,\u201d says Abe Baggili, assistant professor of computer science at UNH\u2019s Tagliatela College of Engineering, and head of the cFREG.<\/p>\n<p>Per Threatpost, Instagram Direct\u2019s messaging functionality was leaking photos shared between users as well as past images that were stored in plain text on Instagram\u2019s servers. The researchers were also able to sniff out certain keywords over HTTP, allowing them to view certain information shared between users of the popular online dating service, OKCupid. A video chat application called ooVoo contained essentially the same vulnerabilities as the Instagram Direct app. Instagram\u2019s lack of full encryption is an issue we\u2019ve covered here at Kaspersky Daily <a href=\"https:\/\/www.kaspersky.com\/blog\/instagram_mobile_lacks_encryption\/\" target=\"_blank\" rel=\"noopener nofollow\">in the past<\/a>.<\/p>\n<span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/FXQovCf-PfA?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span>\n<p>Three other free calling and messaging apps, Tango, Nimbuzz and Kik, had bugs that let the researchers pilfer images, location points and videos. 
Nimbuzz was also caught storing user passwords in plain text.<\/p>\n<span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/-SIuY9W6oBc?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span>\n<p>MeetMe, MessageMe and TextMe all send information in plain, unencrypted text, which could give an attacker the ability to monitor the communications of users running those applications on a local network. Sent and received images and shared location points can also be monitored in plain text on those apps. The researchers were also able to view a TextMe database file that stored their login credentials in plain text.<\/p>\n<span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/-8diGT0Dx-8?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span>\n<p>Grindr, HeyWire, Hike and TextPlus suffered from essentially the same bugs. Attackers using readily available tools, like Wireshark, could easily pilfer messages, images and shared locations. In addition, images sent via Grindr, HeyWire and TextPlus remained on the services\u2019 servers in plain text and available with authentication for weeks.<\/p>\n<p>\u201cUsing HeliumBackup, an Android backup extractor, we were able to gain access to the Android backup file for TextPlus,\u201d one researcher said. \u201cWhen we opened it up, we noticed that there were screenshots of user activities that we did not take. 
We do not know the purpose of these screenshots or why they are being stored on the device.\u201d<\/p>\n<span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/uIqMgqdn31s?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span>\n<p>In their final video, the researchers looked into what apps stored sensitive data in their app storage. Problematically, TextPlus, Nimbuzz and TextMe all stored login credentials in plain text. In addition to that, those three apps along with MeetMe, SayHi, ooVoo, Kik, Hike, MyChat, WeChat, HeyWire, GroupMe, LINE, Whisper, Vine, Voxer and Words With Friends, all stored chat logs in plain text.<\/p>\n<span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/Lgc9vwgQgBc?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span>\n<p>\u201cAlthough all of the data transmitted through these apps is supposed to go securely from just one person to another, we have found that private communications can be viewed by others because the data is not being encrypted and the original user has no clue,\u201d Baggili has said.<\/p>\n<p>The researchers tried to notify the developers behind the apps in question but were initially met with formulaic support contact forms and were given no direct way to contact the developers. 
In an email interview, Abe Baggili said he was unaware if the vendors had fixed any of the bugs that he and his team discovered.<\/p>\n<p>We reached out to Instagram for confirmation, but the company has not yet responded to our request for comment.<\/p>\n<p>It is not clear if the developers of these applications plan to fix the bugs described here.<\/p>\n<p>That said, <a href=\"http:\/\/www.cnet.com\/news\/researchers-find-data-leaks-in-instagram-grindr-oovoo-and-more\/\" target=\"_blank\" rel=\"noopener nofollow\">CNET<\/a> reached out to Instagram, Kik and Grindr. Instagram says it is in the process of moving to full encryption on their Android app, which would resolve the problems. Kik said it is working to encrypt sketches shared between users but that it will not encrypt chat logs because those logs are isolated and not accessible between apps on a given phone. They claim that this sort of data storage is the industry standard. 
Grindr merely said it monitors security reports like these and makes changes as it sees fit.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A number of popular Android applications are putting sensitive user data at risk of exposure because the app developers are not fully implementing encryption.<\/p>\n","protected":false},"author":42,"featured_media":4119,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[105,564,218,43,97],"class_list":{"0":"post-4118","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-android","9":"tag-crypto","10":"tag-mobile-security","11":"tag-privacy","12":"tag-security-2"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/privacy_holes_in_popular_android_apps\/4118\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/privacy_holes_in_popular_android_apps\/4022\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/privacy_holes_in_popular_android_apps\/4528\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/privacy_holes_in_popular_android_apps\/4774\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/privacy_holes_in_popular_android_apps\/5288\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/privacy_holes_in_popular_android_apps\/6047\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/privacy_holes_in_popular_android_apps\/4816\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/privacy_holes_in_popular_android_apps\/5288\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/privacy_holes_in_popular_android_apps\/6047\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/privacy_holes_in_popular_android_apps\/6047\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/android\
/","name":"Android"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/4118","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=4118"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/4118\/revisions"}],"predecessor-version":[{"id":19186,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/4118\/revisions\/19186"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/4119"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=4118"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=4118"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/tags?post=4118"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}