The Shame Game: Mobile App Security Under Fire

Shame on you!

We’ve all seen a good public shaming in the form of celeb gossip or a scorned ex online, but shaming apps with lax security? That’s something new….

Software engineer, Tony Webster, got fed up with a number of mobile app developers not taking security seriously enough—just look at Snapchat being under fire for being compromised several times in one year — so he decided to take matters into his own hands. Webster created a website, HTTP Shaming, in which he publicly calls out mobile apps and businesses that send user’s personal information to the Internet without encrypting it first. He posts each of these cases in hopes of convincing companies to provide better security measures for handling customer data.

The problem with these mobile apps is that they use unencrypted data and links or companies are simply not using HTTPS, the secure version of the Web protocol. In both of these instances, a user’s data is at risk, whether an attacker is tracking a user’s location, harboring their personal information, or using said information to commit various forms of fraud.

In one particular case highlighting travel-information company, TripIt, it was found that hackers could change or cancel a victim’s flight This app had a built-in calendar sync feature and would automatically send unencrypted details about a user’s past and upcoming trips on the calendar app on that user’s phone. Meaning, if the user joined an unsecured Wi-Fi network, eavesdroppers on that same network could pluck information such as the user’s name, phone number, email address, and last four digits of their credit card straight from the air.

HTTP Shaming had some success with this case, as the company in question has converted its calendar feeds to HTTPS since being publicly shamed. However, that is just one success story in the long list of mobile apps that have security flaws placing user’s privacy at risk.

With the above in mind, it’s important to follow these tips to protect yourself and your personal information when using a mobile app:

  • Avoid using public Wi-Fi to send private information. Public Wi-Fi can be both a blessing and a curse. Since these networks are used by a large number of people, they can often be a prime target for hackers. Try to limit the amount of personal information you send over any website, especially when you are using a public network.
  • Install comprehensive security software on your phone. Having security software installed on your device is an essential part of protecting your privacy. McAfee® Mobile Security is free for both Android and iOS, and will alert you if you are about to connect to an unsecured Wi-Fi network from your Android device.
  • Stay current on the updates for your mobile apps. App updates usually come when companies either want to add new features, or fix critical security issues. A good rule of thumb here is if you stay on top of your app updates, you’re likely to stay ahead of most security flaws.
  • Only download apps from official app stores. Third party app stores are often the cardinal destination for malicious apps. By avoiding these unapproved app stores, you are helping to ensure you stay one step ahead of hackers.  

And as always, to keep up with the latest security threats, make sure to follow @McAfeeConsumer on Twitter and like us on Facebook.


The post The Shame Game: Mobile App Security Under Fire appeared first on McAfee Blogs.