Most Mobile Apps Fail Password Security Test

Among popular Android and iOS consumer apps, 76% store user names as plain text, study finds.
Lookout Mobile Security Protects Android Smartphones
Slideshow: Lookout Mobile Security Protects Android Smartphones
(click image for larger view and for slideshow)
How safe is data stored on smartphones? Not very. In fact, 76% of popular consumer applications running on Android and iOS devices store usernames as plaintext, and 10%--including Hushmail, LinkedIn, and Skype--store passwords as plaintext.

That's according to a recently released report from digital forensics and security firm viaForensics. For the study, viaForensics researchers evaluated 100 popular consumer applications that run on Android, as well as Apple's iOS operating system, covering iPhone, iPad, and iPod Touch devices.

The firm's application assessments found that numerous applications store data, including usernames, as plaintext on devices. Why is that an issue? "Many systems require only username and password, so having the username means that 50% of the puzzle is solved," said the report. "In addition, people often reuse their usernames so it will generally work on many online services."

Arguably worse, however, is when applications fail to encrypt even more sensitive information, such as passwords. "Sensitive data stored on mobile devices poses a risk to consumers, because devices are frequently lost or transferred, and because malware could potentially grab the data," according to viaForensics. "Some risks--such as stored passwords or credit card numbers--are clearly greater than others."

When it comes to the security of mobile consumer applications, tested social networking applications fared the worst, with 74% earning a "fail," indicating that sensitive data, such as passwords or account numbers, was recovered. According to the report, "the recovery of the sensitive data places the user at a significant increased risk for identity or financial theft."

Other application categories fared better, including productivity apps (43% failed), mobile financial apps (25% failed), and retail apps (14% failed). While the retail application failure rate looks low, no retail applications actually passed the test. Instead, most got a "warn" rating, indicating that that the application's data was present on the smartphone, but not encrypted.

Which individual applications make the list of shame? On both Android and iOS, applications that store sensitive data insecurely include Hushmail, LinkedIn, Skype, and WordPress. Meanwhile, on Android alone, applications that store sensitive data insecurely include Android Mail (for Exchange and Hotmail), Gmail, Netflix, and Yahoo Mail. For just iOS, meanwhile, applications that store sensitive data insecurely include Chase (for banking) and iPhone Mail (Exchange and Gmail).

Numerous other applications, however, also store non-sensitive data in unencrypted format, including mobile software from, Best Buy, Facebook, and Twitter.

Of course, all of the above applications rely at least in part on the underlying operating system to remain secure. Accordingly, which is more secure: Android or iOS? In general, however application developers handle data, users of iOS devices appear to have better out-of-the-box protection, said viaForensics. "It would be a fair generalization to say that so far, Apple has made more efforts toward data protection in their iOS platform, compared to Android. However, users do still face risks due to malware that can compromise the device, or data recovery from lost/stolen devices."

That said, changes are afoot. Google released Android version 3.0, aka Honeycomb, earlier this year. Notably, the operating system will encrypt the user partition on Android devices. But so far, it's only available for tablets--not smartphones.

Therefore, "if the person who acquires a lost/stolen phone, or a malware program, can gain root access on an Android device, they then have full access to the user partition and its data," according to the report.

Apple's iOS isn't bulletproof--or standing still--either. Apple upgraded its mobile operating system with better encryption as of the 4.0 version, released in June 2010. But earlier this year, forensics researchers and toolmakers cracked the iOS data security scheme, and released automated tools that can recover much of the information stored by iOS devices, providing they can crack the device's password.

In other words, the security of an iOS device is very much up to its owner. "If the phone user does not activate data protection by setting a passcode, the files are not fully protected," according to the viaForensics report. "Furthermore, various tools exist to uncover the user's passcode with varying degrees of success depending on the strength of passcode used."

On the "which is more secure?" front, viaForensics isn't alone in its assessment. According to Gartner Research VP and research fellow John Pescatore, Apple iOS and RIM BlackBerry devices offer levels of security beyond what's available on Android, simply because of the extent to which Apple and RIM control their mobile operating system environments.

Android, however, has bucked that trend, with its anything-goes application and operating environment ethos, which recalls Windows. "Droid came out and tried to go back the wild, wild days of the PCs (any hardware! many versions of the OS! no restrictions on apps!) and immediately got hit by malware, and the market has already said 'hey, where's your App Store??' and Amazon and others have already started to offer App Stores for Droid," said Pescatore in a blog post.

"As that illustrates, the market is driving smartphones in a much safer direction," he said. "The trick is for IT to be able to react and embrace this trend, vs. fight it and try to apply old-world PC thinking to how these new devices should be managed and secured."

Read our report on how to guard your systems from a SQL attack. Download the report now. (Free registration required.)

Editor's Choice
Samuel Greengard, Contributing Reporter
Cynthia Harvey, Freelance Journalist, InformationWeek
Carrie Pallardy, Contributing Reporter
John Edwards, Technology Journalist & Author
Astrid Gobardhan, Data Privacy Officer, VFS Global
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing