App makers may be exposing your sensitive data to hackers

Researchers have found that certain apps are storing sensitive data in plain text on your phone’s memory

Some popular apps store sensitive data such as user names and passwords and credit card information in plain text on your phone's memory, making the data an easy target for hackers. A Chicago-based mobile forensics company called viaForensics recently found as much after completing an audit of dozens of the most popular apps on both iOS and Android platforms.

Some of the biggest-name apps -- such as Android Mail for Exchange and Hotmail, Foursquare, and Groupon -- stored the user's passcode and portions of the information that the user accessed through the app in clear text on the phone's memory, for versions of the apps released around the beginning of 2011.

If a criminal had physical access to your phone, it wouldn't be very hard to find all that data and use it to commit identity theft; even remote access to your phone to harvest cached data is now becoming possible -- the increase in mobile malware on Android phones and jailbroken iOS phones means that insecurities are more exploitable than ever.

You put a lot of information on your smartphone, mostly through apps that promise a standard of security and require usernames and passwords to access your personal data, at least on the initial setup of the application. But many of those apps store that information on the phone when they don't need to, and those that do need to keep it offline don't always encrypt it.

Earlier this year, everyone was shocked that iPhones were storing their location data in an unencrypted file on the phone's internal memory. But a history of location data seems like small fry compared with storing a password (considering that most people reuse their passwords for multiple accounts) or credit card numbers, or messages you've sent to your boss on the phone's memory. Because phones are easily stolen, and Android phones especially have seen an increase in malicious apps (currently 2.5 times more common than they were six months ago, according to Lookout Mobile Security), storage of your private details shouldn't be taken lightly.

You can check out the list of apps that viaForensics tested here, along with a summary of how much information each app revealed. ViaForensics contacted all of the app builders before publishing the results, so many of the apps tested are earlier versions that have since had the security holes fixed. But these are just a sampling of the hundreds of thousands of apps out there that keep more information stored on the phone than is absolutely necessary.

What Kinds of Apps are Insecure?

According to viaForensics's tests, all kinds of apps can have major security holes when storing app data and login information -- apps ranging from financial planning to productivity to social networking. But it's important to note that the apps themselves are not malicious (although apps built for the sole purpose of stealing people's information exist, especially on the Android platform); nevertheless, these insecure apps might open you up to malicious attacks.

"Someone with moderate technical skill could download the Android SDK [software development kit], and if they got the phone they could read that data. [They're] not doing anything that requires money," says Ted Eull, vice president of technology services at viaForensics. And these holes are purely the result of hasty app building, Eull says. Leaving passwords or app data readable in the phone's storage isn't at all necessary for an app to work correctly. "Why store the sensitive data in the clear in the first place? If the data's not there for harvesting, attackers won't go after it," Eull says.
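To make Eull's point concrete, here is an added illustration (not code from viaForensics or any audited app) of a local app passcode stored the way the audit found it, next to a version that keeps only a salted hash so the passcode itself never lands on the phone; the passcode value and the "alice" account are constructed, and on a real device the stored record would additionally live under the platform's protected storage.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample: the passcode a user sets up inside the app.
PASSCODE = "Sesame-42!"


def insecure_store(passcode: str) -> bytes:
    """The pattern the audit found: the passcode written as-is into app storage."""
    return json.dumps({"user": "alice", "passcode": passcode}).encode()


def hardened_store(passcode: str, iterations: int = 100_000) -> bytes:
    """Keep only a random salt and a PBKDF2-SHA256 hash; the passcode is never written."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations)
    record = {
        "user": "alice",
        "salt": salt.hex(),
        "iterations": iterations,
        "hash": digest.hex(),
    }
    return json.dumps(record).encode()


def verify_passcode(stored: bytes, attempt: str) -> bool:
    """Re-derive the hash from the attempt and compare in constant time."""
    rec = json.loads(stored)
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(rec["salt"]), rec["iterations"]
    )
    return hmac.compare_digest(digest.hex(), rec["hash"])


def leaks_secret(stored: bytes, secret: str) -> bool:
    """Self-audit a stored record: is the secret present in clear text?"""
    return secret.encode() in stored


if __name__ == "__main__":
    print("insecure record leaks passcode:", leaks_secret(insecure_store(PASSCODE), PASSCODE))
    print("hardened record leaks passcode:", leaks_secret(hardened_store(PASSCODE), PASSCODE))
    print("hardened record still verifies:", verify_passcode(hardened_store(PASSCODE), PASSCODE))
```

The same `leaks_secret` check, pointed at an app's data files with the credentials you typed into it, is the simplest form of the test viaForensics ran.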

For some, having this information accessible is harmless -- someone knowing your Foursquare username and password can't do much with that name and password unless they happen to be the same as the username and password for your bank account or work email.

But certain apps, like a third-party download called "Starbucks Cards Manager" created by independent developer "evthedev" (who was not available for comment), stored the user's entire Starbucks credit card number, expiration date, and CVN (card verification number), in readable memory on the phone.

Even more popular finance apps like Square, the mobile credit-card reading app, kept some transaction information cached on the iPhone (the Android-based version securely stored most information accessed on Square, and passed with a warning). Although both versions of the app hid the user's password properly, on iOS the merchant's phone contained the last four digits of the buyer's credit card number, but "the ultimate fail was when you sign on the pad, the last signature [made in the app] was available on the memory of the phone," Eull says.

Luckily, those are exceptions, not the rule. Most finance apps (like Bank of America or PayPal) scored well on security, and those apps that scored really poorly were social networking apps, like LinkedIn or AIM, where most users share less crucial information and are starting to expect a certain level of openness.

Malware Can Exploit Security Holes

Although the threat is still largely theoretical, malware might be the next big affront to your privacy on mobile devices. Eull noted that because user app data and login information is often stored on your phone's readable memory, it's possible for a hacker to create a piece of malware that extracts all the information you thought was secret while you're using your phone.

Android users have faced a marked increase in instances of malware on their phones, usually acquired by downloading apps containing malicious code, and there's no reason that this kind of malicious code couldn't search for the unencrypted user names, passwords, and other app data that more popular apps are storing.

Alicia diVittorio, Communications Director at Lookout Mobile Security, warns against downloading questionable apps that could put the information on your other "safe" apps in jeopardy. "People are downloading these apps that could give access to information on phones," diVittorio said, "and when you're using unencrypted Wi-Fi, anyone who's also on that Wi-Fi could see the data transferred. Data from the app should be encrypted, and the Wi-Fi should be encrypted," to really stop any predatory activity on your mobile device. Using 3G exclusively will eat up your data usage, but if you can't find trustworthy Wi-Fi in your location, it might be a good idea to turn your phone's Wi-Fi connection off. Also, downloading a security app like Lookout that can scan for malware on your phone can help you protect your phone from infiltration.

While a lot of this might be worst-case-scenario speculation, it also opens up a serious discussion that needs to take place in the tech world about who is ultimately responsible for your privacy and security. Should Apple or Google police how information is stored on their operating systems? Should app developers adhere to a unified standard of security more rigorous than they do currently? Or is it up to the consumer to look out for his or her own safety, even if the vast majority of smartphone users won't ever take the time to learn about how their device works or how to protect themselves from a security breach? Lookout's diVittorio echoes the thrust of viaForensics's study, commenting that "App developers need to realize that private information requires caution, and if you're an app developer, a lot of the burden is on you to create an app that's safe."

Although clearly not every app developer is tuned in to the mandate to protect users' security, Andrew Hoog, the CIO of viaForensics, is hopeful: "In November of last year apps were storing banking information insecurely," he says, and now, "we're seeing a positive trend" in the way developers build their apps to guard against breaches. But app developers need to become better at building security a lot faster than their malware-developing counterparts, or face an ugly wake-up call of user dissatisfaction.

Megan Geuss

PC World (US online)