Android

It's not just banking apps...

You thought the news about banking apps was bad. Well, it's not just the banking apps...

The Starbucks mobile app, the most used mobile-payment app in the U.S., has been storing usernames, email addresses and passwords in clear text, Starbucks executives confirmed late on Tuesday (Jan. 14). The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.

So You Thought Your Personal Banking App Was Secure...

IOActive have just published a report covering the security of online banking apps for mobile devices. They found that:

  • 90% of the apps they tested had security vulnerabilities.
  • 70% of the apps offered no support at all for two-factor authentication.
    This is where a third token is used for extra security in addition to the user name and password. It could be a picture identification, a PIN code, or a one-time password sent via SMS (text message) to the user.
  • 40% of the apps accepted any SSL certificate for secure HTTP traffic.
    This is a major issue as it completely invalidates the chain of trust between you and your bank, and allows anyone to misdirect you to a phishing site, for example while you are using an untrusted network such as a Wi-Fi hotspot. What makes this issue so serious is that you cannot detect it happening, and there's nothing you can do to stop it.

Here's one for the Wi-Fi worry warts...

As if you didn't have enough things to worry about, check out Michael Horowitz's article at Computerworld:

Google knows nearly every Wi-Fi password in the world

If an Android device (phone or tablet) has ever logged on to a particular Wi-Fi network, then Google probably knows the Wi-Fi password. Considering how many Android devices there are, it is likely that Google can access most Wi-Fi passwords worldwide.

Oh, and change your Wi-Fi passwords now. You'll be completely safe until the next device logs in...