Friday, January 24, 2025
Homecyber securityResearch Unveils Eight Android And iOS That Leaks Users Sensitive Data

Research Unveils Eight Android And iOS That Leaks Users Sensitive Data

Published on

SIEM as a Service

Follow Us on Google News

The eight Android and iOS apps fail to adequately protect user data, which transmits sensitive information, such as device details, geolocation, and credentials, over the HTTP protocol instead of HTTPS. 

It exposes the data to potential attacks like data theft, eavesdropping, and man-in-the-middle attacks.

Encryption is a fundamental security measure for protecting user data, but many app developers seem to be implementing it incorrectly. 

Klara Weather and Military Dating apps pose significant security risks due to their unencrypted data transmission, where Klara Weather leaks user geolocation data over HTTP, exposing sensitive privacy information. 

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN -14-day free trial

Meanwhile, the Military Dating app sends unencrypted usernames and passwords, making them vulnerable to interception and compromise. This could potentially lead to unauthorized access to personal data, identity theft, or other malicious activities.

Military dating network traffic
Military dating network traffic

The Android apps Sina Finance and CP Plus Intelli Serve pose significant security risks by leaking sensitive device information, including device ID, SDK version, and IMEI, over unencrypted HTTP connections. This exposes users to potential tracking and profiling. 

CP Plus Intelli Serve transmits usernames and passwords in plain text, making them vulnerable to interception and theft.

Both apps fail to implement basic security measures, such as HTTPS encryption, to protect user data, exposing users to privacy and security breaches.

CP Plus Intelli Serve code evidence of HTTP URL usage
CP Plus Intelli Serve code evidence of HTTP URL usage

Latvijas Pasts and HaloVPN, popular mobile apps with over 100,000 and 13,300 downloads, pose significant security risks due to their unencrypted transmission of sensitive user data.

Network traffic analysis and code inspection revealed that Latvijas Pasts leaks user geolocation over HTTP. At the same time, HaloVPN exposes device information, including device ID, language, model, name, time zone, and SIM details. 

HaloVPN network traffic
HaloVPN network traffic

The mobile applications i-Boating: Marine Charts & GPS and Texas Storm Chasers are found to be transmitting sensitive user data over unencrypted HTTP connections. 

Specifically, i-Boating sends device information like type and OS version. At the same time, Texas Storm Chasers transmits user geolocation, which exposes users to potential security risks, such as eavesdropping and data interception, as malicious actors can easily access their personal information. 

Texas Storm Chasers network traffic

The ongoing issue of unencrypted data transmission in mobile apps poses significant security risks to users.

Developers are urged to prioritize app security by using HTTPS for all network traffic, encrypting sensitive data, conducting regular security audits, and being vigilant about user data protection.

Symantec advises users to safeguard their mobile devices against threats by installing a reputable security app, avoiding app downloads from untrusted sources, maintaining up-to-date software, carefully reviewing app permissions, and regularly backing up crucial data.

Protect Your Business with Cynet Managed All-in-One Cybersecurity Platform – Try Free Trial

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...