Thursday, June 09, 2011

Netflix, Foursquare, and LinkedIn Android apps expose your password

Failsquare

Here's a little tip for app developers: encrypt everything, especially passwords. Security firm viaForensics fed some popular iPhone and Android apps through its appWatchdog tool and found that Netflix, LinkedIn, and Foursquare all stored account passwords unencrypted. Since the results were first published on the 6th, Foursquare has updated its app to obscure users' passwords, but other data (such as search history) is still vulnerable. While those three were the worst offenders, other apps also earned a big fat "fail," such as the iOS edition of Square, which stores signatures, transaction amounts, and the last four digits of credit card numbers unencrypted. Most of this data would take some effort to steal, but it's not impossible for a bunch of ne'er-do-wells to create a piece of malware that can harvest it. Let's just hope Netflix and LinkedIn patch this hole quickly -- the last thing we need is someone discovering our secret obsession with Meg Ryan movies.