This article is more than 1 year old

App makers, you're STILL doing security wrong

Microsoftie Troy Hunt unpicks privacy invasion and unencrypted passwords

Security expert Troy Hunt has taken a look at what mobile apps collect to send home to their owners, and isn't impressed: even PayPal is still addicted to invasive habits, he says.

Looking at PayPal and two Australian apps – a small sample, admittedly, but we'll get to this shortly – the prominent Microsoft security researcher concludes that app-makers are doing it so badly that “perhaps I should just stick to the browser that doesn’t leak this class of data yet one would assume is still sufficiently secure”.

Starting with the most famous, PayPal, Hunt says while it at least uses secure channels, “they’re obtaining data from me that I had absolutely no idea about”.

The accumulation of stuff that went with the generic permissions you have to approve just to get a mobile app to work included:

  • BSSID – the device ID of Hunt's home router, a pointless piece of data-hoovering;
  • Device – both model and the individual name given to the device, like “Troy Hunt's iPhone”, are sent upstream;
  • Internal IP address – which Hunt points out can yield at least some information about the network, like indicating how many devices are on it;
  • Location – latitude and longitude, which Vulture South notes can be subverted by disabling location services, but most people aren't paying that close attention;
  • SSID, and storage space – as Hunt says of the latter, “do they [PayPal] really need to know that?”

Hunt notes that even without location services, there are searchable databases of BSSIDs and SSIDs, so even with a VPN, “PayPal still has the potential to join the dots and nail you all the way down to a very precise global location”.

The other two apps he checked are specific to Australia, but there's no reason to think that the invasive habits are confined to those shores. Aussie Farmers Direct (home delivery of farmgate produce) and Nando's (fast food delivery) both come under fire.

In the case of groceries shopping app Aussie Farmers Direct, his sniffing of his own traffic – no hacking involved, merely running the iPhone traffic through Fiddler – showed that the data sent to ad partner Gomeeki included first name, last name, home address, latitude and longitude.

Not only does Hunt argue that sending this data to a third party is “way too invasive”, but “the data is sent in the clear” over an ordinary HTTP connection.

It's quite likely that Aussie Farmers Direct doesn't know this is happening: it just plonked the ad network's hooks into its app. Hunt also noted that Gomeeki doesn't support encryption anyhow: “the site is simply not meant to be loaded over HTTPS”.

The app for Portuguese chicken outlet Nandos' starts off well, using HTTPS to transfer its menu, but then inexplicably drops back to HTTP for the customer login – and, he notes, Nando's in the UK was publicly outed for the same issue two years ago.

“Whilst this is but a very small selection here, the problems were found very quickly and are extremely worrying”, he concludes. ®

More about

TIP US OFF

Send us news


Other stories you might like