Think Twice Before Trusting These 14 Android Apps with Your Login Information

In life, there are a handful of people whom each of us truly trusts – and can confide in fully. And, it’s safe to say, you’ve probably taken into consideration the trustworthiness of each one of your confidants. Maybe you’ve evaluated them on their ability to keep secrets in the past or perhaps they each possess characteristics of generally trustworthy folks.

Now take a look at your mobile device. How many apps, social networking sites, and different vendors do you trust with your most personal details and login information?

Whether you like it or not, there’s no denying that mobile devices have become an extension of ourselves. With that in mind, shouldn’t each app that you download be carefully evaluated for security, before you choose to trust it with your secrets and personal information – just as you would a friend? Unfortunately, this is not the case for most mobile users.

As one recent analysis uncovered, there are 14 apps for Android devices that have less than optimal security in the means by which they handle login information – and for that reason alone, just shouldn’t be trusted. However, these apps still continue to be widely used by mobile owners and account for more than 80 million total downloads.

The common denominator with all 14 of these apps is that they offer a social sign-in option, using your login information from Facebook, Google, Twitter, or Microsoft to sign into your account.

Once the apps obtain this third-party information, they transmit it back to their database in plain text. This means that attackers can easily access your unencrypted login details and compromise the linked accounts.

As I’ve always said, encryption is absolutely key when dealing with sensitive information as it will convert data into a crypto code that cybercriminals won’t be able to decipher.

So remember: vet your mobile apps in the same vein as a friend with whom you’re considering sharing a secret. And if you’re confused as to which apps are trustworthy and which are not, it’s a good rule of thumb to just keep all sensitive information off of your mobile devices and apps.

Another great way to stay protected? Use comprehensive security software on your mobile device. McAfee® Mobile Security is free for Android and iOS, and the Android version provides you with details regarding how apps are accessing your personal information.

Also, consider implementing a password management tool. True Key™ by Intel Security provides an easier and safer way to unlock your digital world, allowing you to access your apps and websites without the hassle of having to remember, create or type in multiple passwords. With the True Key app, you are the password.

To keep up with the latest security threats, make sure to follow @IntelSec_Home on Twitter and like us on Facebook.


Stay Safe While Traveling this Summer

So, when you think about summer travel safety, what comes to mind? Which beach you’ll be lounging on? Sunburns? Shark attacks? While sunburns and vacation plans are rational concerns most have when traveling during the summer, shark attacks are a new one.

With all of the news of recent shark attacks, people are now anxious about wading into the waters, despite the fact that the chances of getting mauled by a shark are a whopping one in 3.7 million. No guarantees, of course, but your odds are looking pretty good.

Conversely, the odds of getting your identity stolen or your other valuable information compromised while on or planning for these fun summer trips with the family are much higher. So instead of worrying about sharks this summer, let’s worry about the real predators out there: online hackers and phishing scammers.

To ensure your and your family’s online safety while on vacation, you first have to find an ideal and preferably well-rated vacation spot to travel to. The Web is replete with scam sites touting glorious vacation spots for bargain prices. Be wary, because a lot of these locations are fictitious or are actual pictures of someone’s home “stolen” from, for instance, someone’s family blog or social media profile. The thief will then put up a fraudulent ad for renters and will request a wired upfront payment.

Book travel plans only via legitimate, reputable sites. McAfee® WebAdvisor is a tool you can use that will help to warn you of most unsafe web pages. Make sure to check reviews of any private lodgings and use legitimate, well-known travel review sites.

We all love to share what we’re doing on social media, especially kids, but avoid using location services when possible. According to the recent Intel Security study, Realities of Cyber Parenting, one in three children who are active on social media turn on location services for some or all of their social media accounts, which can alert thieves that you are not home, making you vulnerable to break-ins.

Many users are unaware of these features, but the service is available, and probably enabled on almost all of your most used apps, such as Facebook, Twitter, Instagram, etc. In order to fully protect your online data, when your computer devices are not in use, the Wi-Fi, location services and Bluetooth all should be turned off. Educate your kids to disable these services and not to download apps that request this information to run.

Additional Safety Measures You Can Take:

  • Lock your luggage
  • Do not post your travel plans online
  • If you’re taking any computer devices along, back up all their data first
  • Power down, password-protect, and lock these devices prior to travel
  • The person next to you on the plane can visually eavesdrop while you type in login information—beware. Better yet, avoid computer use while on the plane, and watch movies instead
  • Never use public Wi-Fi, at least for important transactions including purchases. Not only can thieves snatch data out of the air, but cybercriminals can also install data-stealing gadgets on public computers. If you must use public Wi-Fi for sensitive communications, use a virtual private network (VPN), which will scramble your data

Even after taking all of these precautions before and during your trip, your job is not done! Once you return home from your trip, it is vital that you make sure all of your information and charges are accurate. Make sure to immediately check your online credit card statements for unauthorized charges—before you invest time posting all about your trip on social media. Credit card fraud or identity theft can occur in well under 24 hours, so don’t put off checking your card status when you come home.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

Going Too Far to Prove a Point

I just read Hackers Remotely Kill a Jeep on the Highway – With Me in It by Andy Greenberg. It includes the following:

“I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold…

To better simulate the experience of driving a vehicle while it’s being hijacked by an invisible, virtual force, Miller and Valasek refused to tell me ahead of time what kinds of attacks they planned to launch from Miller’s laptop in his house 10 miles west. Instead, they merely assured me that they wouldn’t do anything life-threatening. Then they told me to drive the Jeep onto the highway. “Remember, Andy,” Miller had said through my iPhone’s speaker just before I pulled onto the I-40 on-ramp, “no matter what happens, don’t panic.”

As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission.

Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun.

At that point, the interstate began to slope upward, so the Jeep lost more momentum and barely crept forward. Cars lined up behind my bumper before passing me, honking. I could see an 18-wheeler approaching in my rearview mirror. I hoped its driver saw me, too, and could tell I was paralyzed on the highway.

“You’re doomed!” Valasek shouted, but I couldn’t make out his heckling over the blast of the radio, now pumping Kanye West. The semi loomed in the mirror, bearing down on my immobilized Jeep.

I followed Miller’s advice: I didn’t panic. I did, however, drop any semblance of bravery, grab my iPhone with a clammy fist, and beg the hackers to make it stop…

After narrowly averting death by semi-trailer, I managed to roll the lame Jeep down an exit ramp, re-engaged the transmission by turning the ignition off and on, and found an empty lot where I could safely continue the experiment. (emphasis added)

I had two reactions to this article:

1. It is horrifying that hackers can remotely take control of a vehicle. The auto industry has a lot of work to do. It’s unfortunate that it takes private research and media attention to force a patch (which has now been published). Hopefully a combination of Congressional attention, product safety laws, and customer pressure will improve the security of the auto industry before lives and property are affected.

2. It is also horrifying to conduct a hacking “experiment” on I-40, with vehicles driving at 60 or more MPH, carrying passengers. It’s not funny to put lives at risk, whether they are volunteers like the driver/author or other people on the highway.

Believing it is ok reflects the same juvenile thinking that motivated another “researcher,” Chris Roberts, to apparently “experiment” with live airplanes, as reported by Wired and other news outlets.

Hackers are not entitled to jeopardize the lives of innocent people in order to make a point. They can prove their discoveries without putting others, who have not consented to be guinea pigs, at risk.

It would be a tragedy if the first death by physical-digital convergence occurs because a “security researcher” is “experimenting” in order to demonstrate a proof of concept.

Testing the Security Fitness of Wearables and Who’s Out of Shape

As one of the most visible aspects of the Internet of Things (IoT), wearables are becoming commonplace on wrists throughout the country. They track, record and analyze activity (and behavior to an extent), giving consumers insight into their daily habits and offering helpful tips on living a healthier life. But how do they do this without also broadcasting user data with reckless abandon?

AV-TEST, a German security research lab, put nine fitness wristbands through the wringer with several tests designed to gauge the health index of their protective measures. Each wristband failed at least one of the tests, but some of the most popular wearable fitness trackers appeared to be significantly out of shape when it came to security.

So why is this important?

Not only do these trackers record and broadcast your daily fitness habits — everything from your walking route and time of day to your sleeping habits — but they can also broadcast sensitive information like your email address, date of birth and other account information useful to identity thieves. You are essentially wearing some of your most vital data on your wrist, and this could have serious implications to your identity if not protected properly.

The most troubling part of all of this is how easy it is to access that data. In AV-TEST’s results, two of the most popular wearable fitness trackers can be accessed from any Bluetooth-LE-enabled device without user authorization. In fact, seven out of the nine tested wristbands can be used on several smartphones simultaneously, according to AV-TEST. It would be trivial for an unscrupulous hacker to set up a system where they can simply catch valuable data out of the air.

In some cases, cybercriminals may be able to manipulate data, too. Hackers would be able to reset alarms, delete accounts, trigger vibrations and alter a device’s time. These are seemingly small inconveniences, but they could have serious ramifications, as several countries across the globe allow insurers to use fitness trackers to reward activity with discounts on insurance contributions, among other things. A lazy customer could easily manipulate data to make it appear they’re active. Likewise, a less-than-honest employer could manipulate data to make it appear as if an insured employee doesn’t exercise.

Finally, the more opportunities hackers have to compromise devices, the more chances they have to access sensitive information or spread malicious software. When wearables lack basic security precautions, we’re all put at risk.

Wearables can be immensely useful, but they need to be secure. The same privacy and safety precautions used for mobile devices and computers should apply to wearables — especially when they’ll set the standard for IoT devices for years to come.

Security-conscious users should take precautions with all of their devices. Owners of wearable technology should be proactive and stay on top of updates issued by the manufacturer. As always, know what sort of information your devices and programs gather on you and adjust their settings accordingly.
