UNH Cyber Forensics Group Reveals Smartphone App Issues Affecting 968 Million
Security flaws, breaches of privacy and additional vulnerabilities in chat, dating and other social media apps
used by nearly one billion subscribers will be revealed next week by the University of New Haven's
Cyber Forensics Research and Education Group (UNHcFREG).
September 02, 2014
The group will issue five videos -- one a day for five consecutive days -- outlining
the problems, which include passwords available in plain text and private information
stored on company servers. The videos identifying the apps will be posted beginning
on Monday, Sept. 8 and continuing through Friday, Sept. 12.
"Anyone who has used or continues to use the tested applications is at risk of confidential
breaches involving a variety of data, including their passwords in some instances,"
says Ibrahim (Abe) Baggili, assistant professor of computer science at UNH’s Tagliatela
College of Engineering, and head of the cFREG.
"Although all of the data transmitted through these apps is supposed to go securely
from just one person to another, we have found that private communications can be
viewed by others because the data is not being encrypted and the original user has
no clue."
Baggili said this is especially true when there is a "man-in-the-middle attack."
Baggili said many people feel they have nothing to hide. Yet, strangers can easily
tap into a variety of "private" data without informing the app user.
"It's wrong for a stranger to be able to look at your private information without
you even knowing they are doing it," he says. "Depending on the app, user locations,
passwords, chat logs, images, video, audio and sketches can be viewed by people invading
the user’s privacy."
The security issues were discovered by the cFREG team - which includes students Daniel
Walnycky of Orange, Conn.; Armindo Rodrigues of Bethel, Conn.; and Jason Moore of Branford,
Conn. - by running a network forensics experiment. Details of how this was done will
be included in the videos.
Each of the companies that own the apps has been notified of the issues by the cFREG
team.
"Most companies simply have web contact forms for support – and no way for us to contact
their developers or security teams," said Baggili. "We had no choice but to use the
support contact forms available on their websites, and most companies did not even
respond. This exacerbates the problem – and it shows that mobile developers are still
not taking security seriously."
Baggili says individuals who use apps with security issues should be aware that their
information is at risk and should run updates daily. They also should learn to run
security tests on their own.
"There really is no way of knowing what these applications are doing unless you test
it yourself," he says.