Posting comments, texts, pictures, and other shared files over social networks is now common practice. But have you ever thought about the safety and privacy of the content you’ve uploaded? Do you actually know whether social network servers delete your content after sharing it with the intended recipient? If not, you might be shocked to learn that you’ve already put your online data privacy at stake. A new study reveals that Instagram, Grindr, OkCupid and many other popular Android apps failed to protect their users’ data.

The research presented by University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG) claims that several Android apps put users’ data privacy at stake. This research group became popular for finding vulnerabilities in WhatsApp and Viber earlier this year.

The group has expanded its research and targeted a broader range of Android applications this time. Researchers found that various Android applications could put data at risk and hence compromise users’ safety and privacy at large. The group also stated that it will soon release a video on its YouTube channel highlighting its findings, which can affect around 1 billion users.

Ibrahim Baggili, UNHcFREG’s director and editor-in-chief of the Journal of Digital Forensics, Security and Law, stated, “What we really find is that app developers are pretty sloppy.” Baggili was quite disappointed with the results of the research and stated that users don’t have any clue about how badly they can be affected.

The researchers used traffic analysis tools such as Wireshark and NetworkMiner to access the data that was exchanged when various actions were performed. A close study of the entire process revealed how and where applications were storing and transmitting data, and how dangerous it could be if that data fell into the wrong hands.

To show how much a user stands to lose, the researchers tested Facebook’s Instagram application. They found that the application still had images sitting on its servers that were unencrypted and could be accessed without authentication. They tested several other apps, such as OoVoo, MessageMe, Tango, Grindr, HeyWire and TextPlus, and found the same problem in these applications as well.

On checking the code, the researchers found that these services were storing the content behind plain ‘http’ links that were later forwarded to the recipients. The problem is that anybody who gets access to such a link can easily trace the image that was sent over the network. As a solution, Ibrahim Baggili suggested that the services should either ensure speedy deletion of images from their servers or restrict access to authenticated users.
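
One way a service could implement the restriction Baggili suggests, as an added example that is not code from the research or from any of the apps named: media links are HTTPS-only, expire quickly, and are bound to the recipient's authenticated session. The host `media.example.com`, the key, the TTL and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Constructed demo key; a real service would load this from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"
LINK_TTL_SECONDS = 300  # assumed lifetime of a shared-media link


def _signature(media_id, recipient_id, expires):
    # Bind the link to one media object, one recipient and one expiry time.
    # IDs are assumed to be alphanumeric, so "|" is an unambiguous separator.
    msg = f"{media_id}|{recipient_id}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_media_link(media_id, recipient_id, now=None):
    """Issue an HTTPS link that only recipient_id can use, and only briefly."""
    now = int(time.time()) if now is None else int(now)
    expires = now + LINK_TTL_SECONDS
    sig = _signature(media_id, recipient_id, expires)
    return f"https://media.example.com/m/{media_id}?exp={expires}&sig={sig}"


def authorize_media_request(url, session_user, now=None):
    """Return (allowed, reason). session_user is the authenticated user or None."""
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "plain http refused"
    query = parse_qs(parts.query)
    try:
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed token"
    if session_user is None:
        return False, "not authenticated"
    if now > expires:
        return False, "link expired"
    media_id = parts.path.rsplit("/", 1)[-1]
    expected = _signature(media_id, session_user, expires)
    # Constant-time comparison; a link leaked to another user fails here.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "link not issued to this user"
    return True, "ok"
```

With this scheme a link captured from traffic or forwarded to a third party is useless without the recipient's session, and it stops working after the TTL even for the recipient.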

The research revealed that many chat apps, including OoVoo, Kik, Nimbuzz and MeetMe, don’t encrypt chat logs on the device, which carries a greater risk if someone loses their device. Baggili commented on the issue: “Anyone who gets access to your phone can dump the backup and see all the chat messages that were sent back and forth.”

Another significant finding of the research was that a number of applications either don’t use SSL/TLS (Secure Sockets Layer/Transport Layer Security) or use it insecurely. Apps are expected, as a mandatory guideline, to use digital certificates to encrypt data traffic, but many of them ignore it and put users’ data at stake.

By intercepting unencrypted traffic, a potential attacker can easily carry out a man-in-the-middle attack. If the victim is using a Wi-Fi connection in a public place, the risk is huge. Proper use and maintenance of SSL/TLS is a basic security precaution, so every social network provider and app developer should use it.

Baggili said that OkCupid’s chat application is used by about 3 million users, but the app does not encrypt chats over SSL. Using a traffic sniffer, the researchers found that the text that was sent and received could be seen. Baggili stated that he and his team tried contacting the developers of the apps they tested, but to no avail. This clearly indicates that the developers are aware of the bugs in their apps and don’t want to respond to the issues.

Conclusion

Since nearly a billion users of almost two dozen popular iOS and Android apps are jeopardizing their data privacy, it’s quite clear that the apps’ data isn’t safe at all. Many users exchange and share a lot of things, including data, pictures, text messages and even audio, that aren’t encrypted properly and hence become loopholes for severe cyber attacks. No data encryption simply means that passwords are sometimes left in plain text, transmissions can be seen clearly, and a shared file lies unprotected on the company’s servers. Therefore, it is recommended to check user or tech reviews of an app before installing it and using it on your devices. App development companies should pay attention to users’ security and privacy to avoid major user protection issues.