Friday 20 March 2015

Do Instagram, Grindr, and Other Popular Android Apps Jeopardize Privacy?




Posting comments, texts, pictures, and other shared files over social networks is now common practice. But have you ever thought about the safety and privacy of the content you’ve uploaded? Do you actually know whether social network servers delete your content after it has been shared with the intended recipient? If not, you might be shocked to learn that you have already put your online data privacy at stake. According to a new study, Instagram, Grindr, OkCupid and many other popular Android apps failed to protect their users’ data.

The research, presented by the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG), claims that several Android apps put users’ data privacy at stake. The group became well known earlier this year for finding vulnerabilities in WhatsApp and Viber.

The group has expanded its research and targeted a broader range of Android applications this time. The researchers found that various Android applications could put data at risk and so compromise users’ safety and privacy at large. The group also stated that it will soon release a video on its YouTube channel highlighting the findings, which can affect around 1 billion users.

Ibrahim Baggili, UNHcFREG’s director and editor-in-chief of the Journal of Digital Forensics, Security and Law, stated, “What we really find is that app developers are pretty sloppy.” Baggili was quite disappointed with the results of the research and stated that users don’t have any clue about how seriously they can be affected.

The researchers used traffic analysis tools such as Wireshark and NetworkMiner to inspect the data that was exchanged when various actions were performed in the apps. A close study of the entire process revealed how and where the applications were storing and transmitting data, and how dangerous it could be if that data fell into the wrong hands.

To illustrate the exposure a user faces, the researchers tested Facebook’s Instagram application. They found that the application still had images sitting on its servers that were unencrypted and could be accessed without authentication. They tested several other apps, such as OoVoo, MessageMe, Tango, Grindr, HeyWire and TextPlus, and found the same problem in these applications as well.

On closer inspection, it was found that these services were storing the content behind plain ‘http’ links that were later forwarded to the recipients. The problem is that anybody who gets access to such a link can easily retrieve the image that was sent over the network. As a solution, Ibrahim Baggili suggested that the services should either ensure speedy deletion of images from their servers or restrict access to authenticated users.
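
One way a service could apply both of Baggili's suggestions to its media links, shown as an added example that is not taken from the study or from any of the apps named. The host, key, query parameter names and function names are hypothetical, and link expiry stands in here for prompt server-side deletion.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"constructed-demo-key"  # placeholder; a real key lives in a secret store
LINK_LIFETIME = 300                    # seconds a link stays valid (assumed policy)
MEDIA_HOST = "media.example.com"       # hypothetical media host


def _sign(media_id, recipient, expires):
    # Bind the signature to the file, the intended recipient and the expiry time.
    msg = f"{media_id}|{recipient}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(media_id, recipient, now=None):
    """Build an HTTPS link that only `recipient` can use until it expires."""
    expires = int(time.time() if now is None else now) + LINK_LIFETIME
    query = urlencode({"to": recipient, "exp": expires,
                       "sig": _sign(media_id, recipient, expires)})
    return f"https://{MEDIA_HOST}/m/{media_id}?{query}"


def check_request(url, session_user, now=None):
    """Return (allowed, reason) for a media request; session_user is None if not logged in."""
    now = int(time.time() if now is None else now)
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "cleartext transport"
    if session_user is None:
        return False, "not authenticated"
    params = parse_qs(parts.query)
    try:
        recipient = params["to"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed parameters"
    media_id = parts.path.rsplit("/", 1)[-1]
    expected = _sign(media_id, recipient, expires)
    # Constant-time comparison so the check does not leak signature bytes.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    if recipient != session_user:
        return False, "wrong recipient"
    if now > expires:
        return False, "expired"
    return True, "ok"
```

A forwarded or sniffed link is then useless to anyone who is not logged in as the intended recipient, and stops working for everyone once it expires.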

The research revealed that many chat apps, including OoVoo, Kik, Nimbuzz and MeetMe, don’t encrypt chat logs on the device, which carries a greater risk if someone loses their device. Baggili commented on the issue: “Anyone who gets access to your phone can dump the backup and see all the chat messages that were sent back and forth.”

Another significant finding of the research was that a number of applications either don’t use SSL/TLS (Secure Sockets Layer/Transport Layer Security) or use it insecurely. Apps are expected to use digital certificates to encrypt data traffic, but many of them fail to do so and put users’ data at stake.

By intercepting unencrypted traffic, a potential attacker can easily carry out a man-in-the-middle attack. The risk is especially high if the victim is using a Wi-Fi connection in a public place. Proper use and maintenance of SSL/TLS is a basic security precaution, so every social network provider and app developer should use it.

Baggili said that OkCupid’s chat application is used by about 3 million users, but the app does not encrypt chats over SSL. Using a traffic sniffer, the researchers found that the text that was sent and received could be seen. Baggili stated that he and his team have tried contacting the developers of the apps they’ve tested, but to no avail. This clearly indicates that the developers are aware of the bugs their apps currently have and don’t want to respond to the issues.

Conclusion


Since nearly a billion users of almost two dozen popular iOS and Android apps have their data privacy in jeopardy, it’s quite clear that the apps’ data isn’t safe at all. Many users exchange and share data, pictures, text messages, and even audio that isn’t properly encrypted, which opens loopholes for severe cyber attacks. A lack of data encryption simply means that passwords are sometimes left in plain text, transmissions can be seen clearly, and a shared file lies unprotected on the company’s servers. It is therefore recommended to check user or tech reviews of an app before installing it and starting to use it on your devices. App development companies should pay attention to users’ security and privacy to avoid major user protection issues.
