Rating: Names, names and Leads 360 is an offender

Bitdefender says this app leaks data
It’s not that often that you actually find a software house willing to name names, but it appears that Bitdefender, which supplies antivirus solutions for iOS, is brave enough. It claims that Leads 360 features a major security flaw. This is more than a tad worrying since Leads 360 has not only made its way onto the Apple iTunes App Store, it also boasts a pretty high rating of 4+ (out of 5). The study by Bitdefender reveals not only that a large number of iOS apps broadcast unencrypted data but also that some track an Apple device’s UDID (Unique Device Identifier). This is despite Apple’s advice to developers that they should switch away from UDIDs and use less intrusive IDs in their apps. (See our previous story here.)
Bitdefender points the finger at another popular iOS app: Mountainbike Lite.
Following a recent update, this app has implemented tighter security by encrypting data stored on the device.
Before the update, Mountainbike Lite account credentials were broadcast without being encrypted.
This was a security risk as many users have the same credentials for multiple accounts on various networks.
However, Mountainbike Lite still collects the user’s UDID and uploads it to its server. No explanation is given as to how or why it’s used.
Although many apps legitimately access services such as social networking and location tracking, developers also have access to a significant amount of personal data that can easily be accessed and collected.
Why should you worry? Well, it is relatively easy for an unscrupulous owner of a Wi-Fi hotspot to collect personal data; with minimal technical know-how, anyone can do it.
Sending passwords in plain text makes such an attacker’s job very easy indeed.
These users then become vulnerable to further data loss from other accounts because they frequently use the same IDs and passwords.
“Fortunately, iOS developers regularly update their apps with security fixes – not simply with new features and polished user interfaces. They are not to blame if users connect to unsecure Wi-Fi networks or use the same login credentials on all their accounts,” argues Catalin Cosoi, chief security researcher with Bitdefender.
He adds, “From a technical point of view, apps behave as they should, but users need to be aware that developers might not always take the proper measures to secure users’ privacy.”
What Bitdefender forgot to say is whether those running its security software on an iOS device are actually warned when an app suddenly starts broadcasting their data without encryption.
© Dollargate Publishing 2012. All rights reserved.
