Research Unveils Eight Android And iOS That Leaks Users Sensitive Data

The eight Android and iOS apps fail to adequately protect user data, which transmits sensitive information, such as device details, geolocation, and credentials, over the HTTP protocol instead of HTTPS. 

It exposes the data to potential attacks like data theft, eavesdropping, and man-in-the-middle attacks.

Encryption is a fundamental security measure for protecting user data, but many app developers seem to be implementing it incorrectly. 

Klara Weather and Military Dating apps pose significant security risks due to their unencrypted data transmission, where Klara Weather leaks user geolocation data over HTTP, exposing sensitive privacy information. 

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN -14-day free trial

Meanwhile, the Military Dating app sends unencrypted usernames and passwords, making them vulnerable to interception and compromise. This could potentially lead to unauthorized access to personal data, identity theft, or other malicious activities.

Military dating network traffic

The Android apps Sina Finance and CP Plus Intelli Serve pose significant security risks by leaking sensitive device information, including device ID, SDK version, and IMEI, over unencrypted HTTP connections. This exposes users to potential tracking and profiling. 

CP Plus Intelli Serve transmits usernames and passwords in plain text, making them vulnerable to interception and theft.

Both apps fail to implement basic security measures, such as HTTPS encryption, to protect user data, exposing users to privacy and security breaches.

CP Plus Intelli Serve code evidence of HTTP URL usage

Latvijas Pasts and HaloVPN, popular mobile apps with over 100,000 and 13,300 downloads, pose significant security risks due to their unencrypted transmission of sensitive user data.

Network traffic analysis and code inspection revealed that Latvijas Pasts leaks user geolocation over HTTP. At the same time, HaloVPN exposes device information, including device ID, language, model, name, time zone, and SIM details. 

HaloVPN network traffic

The mobile applications i-Boating: Marine Charts & GPS and Texas Storm Chasers are found to be transmitting sensitive user data over unencrypted HTTP connections. 

Specifically, i-Boating sends device information like type and OS version. At the same time, Texas Storm Chasers transmits user geolocation, which exposes users to potential security risks, such as eavesdropping and data interception, as malicious actors can easily access their personal information. 

Texas Storm Chasers network traffic

The ongoing issue of unencrypted data transmission in mobile apps poses significant security risks to users.

Developers are urged to prioritize app security by using HTTPS for all network traffic, encrypting sensitive data, conducting regular security audits, and being vigilant about user data protection.

Symantec advises users to safeguard their mobile devices against threats by installing a reputable security app, avoiding app downloads from untrusted sources, maintaining up-to-date software, carefully reviewing app permissions, and regularly backing up crucial data.

Protect Your Business with Cynet Managed All-in-One Cybersecurity Platform – Try Free Trial

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Researchers Uncovered Dark Web Operation Acquiring KYC Details

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…

56 minutes ago

Adobe Warns of ColdFusion Vulnerability Allows Attackers Read arbitrary files

Adobe has issued a critical security update for ColdFusion versions 2023 and 2021 to address…

59 minutes ago

Beware of New Malicious PyPI packages That Steals Login Details

Two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, were recently detected by Fortinet's AI-driven OSS malware…

1 hour ago

Brazilian Hacker Arrested Hacking Computers & Selling Data

A Brazilian man, Junior Barros De Oliveira, has been charged with multiple counts of cybercrime…

1 hour ago

McDonald’s Delivery App Bug Let Customers Orders For Just $0.01

McDonald's India (West & South) / Hardcastle Restaurants Pvt. Ltd. operates a custom McDelivery web…

1 hour ago

North Korean Hackers Stolen $2.2 Billion From Crypto Platforms In 2024

Cryptocurrency hacking incidents in 2024 surged 21.07% YoY to $2.2 billion, with 303 breaches reported,…

1 hour ago