A study from digital security company viaForensics paints a stark picture of the vulnerability of smartphone user data. viaForensics evaluated 100 popular consumer apps running on Android and iOS and found that 76% store usernames in plain text, while 10% store passwords that way as well. That 10% included apps from popular services such as LinkedIn, Skype, and Hushmail.
And while only 10% of applications store both username and password in plain text, leaving those accounts open to straightforward credential theft, even the 76% that store only the username that way are exposed.
“Many systems require only username and password, so having the username means that 50% of the puzzle is solved,” said the report. It also noted that because many users tend to reuse usernames, an attacker who obtains one can use it across services, with reverberating effects: your Facebook details could eventually lead to your credit card information, for instance.
Even more disturbing are the 10% of applications that fail to encrypt your password, which “poses a risk to consumers, because devices are frequently lost or transferred, and because malware could potentially grab the data,” said the report.
When it comes to the security of mobile consumer applications, the social networking applications tested in the study did the worst, with 74% earning a “fail,” indicating that sensitive data, such as passwords or account numbers, were recovered.
Other application categories fared better, but not overwhelmingly. Among productivity apps, 43% failed, while 25% of mobile financial apps and 14% of retail apps failed.
The retail figure looks relatively solid, but the report points out that no retail application actually “passed” the test. Rather, the majority received a “warn” rating from viaForensics, indicating that the application’s data was present on the smartphone but not encrypted.
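The pass/warn/fail scale described above can be reproduced as a simple triage over files pulled from an app's private storage: “fail” when a sensitive value such as a password is recoverable in plain text, “warn” when readable app data is present but nothing sensitive was found, and “pass” when no readable data is recovered. The script below is an added illustration of that triage, not viaForensics’ tooling or any app’s code; the sample app directories, the key names treated as sensitive or identifying, and the entropy threshold used to guess that a file is encrypted are all constructed assumptions.

```python
"""Triage extracted mobile app data into pass / warn / fail (added example).

The rating rules follow the three-level scale described in the article; the
file formats, key lists and sample data are assumptions for illustration.
"""
import json
import math
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Assumed key names. Recovering one of these in plain text is a "fail";
# recovering only an identifier is noted but rates as "warn".
SENSITIVE_KEYS = {"password", "passwd", "pin", "secret", "account_number", "card_number"}
IDENTITY_KEYS = {"username", "user", "email", "login"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; near 8.0 suggests ciphertext or compression."""
    if not data:
        return 0.0
    counts: Dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes) -> bool:
    """Heuristic: undecodable as UTF-8 and near-random byte distribution."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return shannon_entropy(data) > 7.0  # assumed threshold
    return False


def extract_pairs(name: str, text: str) -> Dict[str, str]:
    """Pull key/value pairs out of Android-style prefs XML or a JSON blob."""
    pairs: Dict[str, str] = {}
    if name.endswith(".xml"):
        for el in ET.fromstring(text):
            key = el.get("name")
            if key is not None:
                pairs[key] = el.text or ""
    elif name.endswith(".json"):
        def walk(obj):
            if isinstance(obj, dict):
                for k, v in obj.items():
                    if isinstance(v, (dict, list)):
                        walk(v)
                    else:
                        pairs[k] = str(v)
            elif isinstance(obj, list):
                for v in obj:
                    walk(v)
        walk(json.loads(text))
    return pairs


def rate_app(files: Dict[str, bytes]) -> Tuple[str, List[str]]:
    """Return ("pass"|"warn"|"fail", findings) for one app's extracted files."""
    findings: List[str] = []
    readable_present = False
    for name, data in files.items():
        if looks_encrypted(data):
            continue  # opaque blob: nothing recoverable, counts toward "pass"
        readable_present = True
        try:
            pairs = extract_pairs(name, data.decode("utf-8"))
        except (ET.ParseError, ValueError):
            pairs = {}  # readable but unparsed; still unencrypted app data
        for key, value in pairs.items():
            k = key.lower()
            if k in SENSITIVE_KEYS and value:
                findings.append(f"FAIL {name}: plaintext {key}")
            elif k in IDENTITY_KEYS and value:
                findings.append(f"WARN {name}: plaintext {key}")
    if any(f.startswith("FAIL") for f in findings):
        return "fail", findings
    if readable_present:
        return "warn", findings
    return "pass", findings


# Constructed sample pulls (not from the study): three hypothetical apps.
SAMPLE_APPS: Dict[str, Dict[str, bytes]] = {
    "chat-app": {
        "shared_prefs/login.xml": b'<map><string name="username">alice@example.com'
                                  b'</string><string name="password">hunter2</string></map>',
    },
    "shop-app": {
        "shared_prefs/account.xml": b'<map><string name="email">bob@example.com</string></map>',
        "cache/feed.json": b'{"items":[{"id":1,"title":"sale"}]}',
    },
    "vault-app": {
        "files/store.bin": bytes(range(256)),  # stand-in for an encrypted store
    },
}

if __name__ == "__main__":
    for app, files in SAMPLE_APPS.items():
        rating, notes = rate_app(files)
        print(f"{app}: {rating}")
        for note in notes:
            print("  " + note)
```

Running it rates the chat app “fail” (password in a prefs file), the shop app “warn” (only an email address and a cache file, all readable), and the vault app “pass” (only an opaque blob). The entropy check is deliberately crude: real triage would also try to decrypt with keys recovered from the device, since “unreadable” is not the same as “protected”.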
And many other popular applications also store non-sensitive data in unencrypted format, including mobile software from Amazon.com, Best Buy, Facebook and Twitter, said the report.
What can you do? Security experts recommend using letters and numbers in all passwords, avoiding passwords that have an actual meaning, never reusing the same password or username across applications, and not writing passwords down, especially online, where an outsider could unearth them.
Across categories, applications for personal and business use alike fall short of viaForensics’ assessment. And while viaForensics is a security firm with an incentive to paint a picture of mass mobile insecurity, the trend these numbers point to should be taken very seriously, by consumers and businesses alike.