
Unveiling Mobile App Vulnerabilities: How Popular Apps Leak Sensitive Data

A look at eight Android and iOS apps that fail to protect sensitive user data.

In an increasingly digital world, the importance of mobile security cannot be overstated. With millions of apps available on Google’s Play Store and Apple’s App Store, users trust developers to safeguard their personal information. Unfortunately, this trust is often misplaced. 

A key step in preventing unauthorized access to user data is encryption, especially when it comes to moving data from device to server and back again. If implemented incorrectly by app developers, it can expose users to a host of potential attack scenarios, including data theft, eavesdropping, and man-in-the-middle (MitM) attacks, just to name a few.

Many apps analyzed by Symantec transmit unencrypted user data over the HTTP protocol instead of HTTPS, exposing the information to anyone monitoring the session. In this blog, we detail just eight of these apps, which were found to transmit sensitive unencrypted data, including device information, geo-location, and credentials. 

App Analysis

Klara Weather (Android)

Download count: Over 1 million on the Google Play Store 

Issue: Sends location unencrypted 

Details: Network traffic analysis (Figure 1) and code inspection (Figure 2) reveal that user geolocation is leaked through unencrypted HTTP traffic.

Figure 1. Klara Weather network traffic
Figure 2. Klara Weather code evidence of HTTP URL usage

Military Dating App - MD Date (iOS)

Rating count: 17,700 on the Apple App Store 

Issue: Sends credentials unencrypted 

Details: Network traffic analysis (Figure 3) and code inspection (Figure 4) show usernames and passwords transmitted via unencrypted HTTP traffic.

Figure 3. Military Dating network traffic
Figure 4. Military Dating code evidence of HTTP URL usage

Sina Finance (Android)

Download count: Over 100,000 on the Google Play Store 

Issue: Sends device information unencrypted 

Details: Analysis of network traffic (Figure 5) and code (Figure 6) indicates that device information, including device ID, SDK version, and IMEI, is leaked through unencrypted HTTP traffic.

Figure 5. Sina Finance network traffic
Figure 6. Sina Finance code evidence of HTTP URL usage

CP Plus Intelli Serve (Android)

Download count: Over 50,000 on the Google Play Store 

Issue: Sends credentials unencrypted 

Details: Network traffic analysis (Figure 7) and code inspection (Figure 8) reveal that usernames and passwords are transmitted unencrypted.

Figure 7. CP Plus Intelli Serve network traffic
Figure 8. CP Plus Intelli Serve code evidence of HTTP URL usage

Latvijas Pasts (Android)

Download count: Over 100,000 on the Google Play Store 

Issue: Sends location unencrypted 

Details: Network traffic analysis (Figure 9) and code inspection (Figure 10) show that user geolocation is leaked through unencrypted HTTP traffic.

Figure 9. Latvijas Pasts network traffic
Figure 10. Latvijas Pasts code evidence of HTTP URL usage

HaloVPN: Fast Secure VPN Proxy (iOS)

Rating count: 13,300 on the Apple App Store 

Issue: Sends device information unencrypted 

Details: Network traffic analysis (Figure 11) and code inspection (Figure 12) indicate that device information, including device ID, language, model, name, time zone, and SIM information, is leaked through unencrypted HTTP traffic.

Figure 11. HaloVPN network traffic
Figure 12. HaloVPN code evidence of HTTP URL usage

i-Boating: Marine Charts & GPS (iOS)

Rating count: 11,600 on the Apple App Store 

Issue: Sends device information unencrypted 

Details: Analysis of network traffic (Figure 13) and code (Figure 14) shows that device information, such as device type and OS version, is transmitted unencrypted.

Figure 13. i-Boating: Marine Charts & GPS network traffic
Figure 14. i-Boating: Marine Charts & GPS code evidence of HTTP URL usage

Texas Storm Chasers (iOS)

Rating count: 9,200 on the Apple App Store

Issue: Sends location unencrypted 

Details: Network traffic analysis (Figure 15) and code inspection (Figure 16) reveal that user geolocation is transmitted via unencrypted HTTP traffic.

Figure 15. Texas Storm Chasers network traffic
Figure 16. Texas Storm Chasers code evidence of HTTP URL usage

A Continuing Problem

App developers have a duty of care to the people who use their apps; however, as we have seen with these examples, whether intentional or an oversight, many developers fail to protect sensitive user data by transmitting it unencrypted. This not only breaches user trust but also exposes users to significant risks, including identity theft, unauthorized access, and data breaches. This issue is not a new one and, unfortunately, has been commonplace for far too long. 

Mobile app security is a critical concern that developers must prioritize. App developers can avoid security risks such as those highlighted in this blog by adhering to the following best practices:

  1. Use HTTPS for all network traffic:
    • Ensure all data transmission between the app and the server is encrypted using HTTPS.
  2. Encrypt sensitive data:
    • Use strong encryption methods to protect sensitive information, such as user credentials and location data, both in transit and at rest.
  3. Regular security audits:
    • Conduct regular code reviews and security audits to identify and rectify potential vulnerabilities.
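
One way to automate part of such an audit is shown below. This is an added example, not Symantec's tooling or code from any app named in this blog. It assumes the Android manifest and network security config have already been decoded to text XML, and all sample inputs and host names are constructed.

```python
import plistlib
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Hard-coded http:// URLs, skipping XML namespace identifiers and loopback hosts
HTTP_URL = re.compile(r"http://(?!schemas\.android\.com|www\.w3\.org|localhost|127\.0\.0\.1)[\w.-]+[^\s\"'<>]*")

def audit_android_manifest(manifest_xml):
    """Flag an <application> element that opts in to cleartext traffic."""
    app = ET.fromstring(manifest_xml).find("application")
    flagged = app is not None and app.get(ANDROID_NS + "usesCleartextTraffic") == "true"
    return ['manifest: android:usesCleartextTraffic="true"'] if flagged else []

def audit_network_security_config(config_xml):
    """Flag base-config/domain-config elements that permit cleartext."""
    findings = []
    for el in ET.fromstring(config_xml).iter():
        if el.get("cleartextTrafficPermitted") == "true":
            domains = [d.text for d in el.findall("domain")] or ["*"]
            findings.append(f"network_security_config: cleartext permitted for {', '.join(domains)}")
    return findings

def audit_ios_plist(plist_bytes):
    """Flag App Transport Security exceptions that allow plain HTTP."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("Info.plist: NSAllowsArbitraryLoads is true")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"Info.plist: insecure HTTP allowed for {domain}")
    return findings

def find_http_urls(source_text):
    """Return hard-coded http:// endpoints found in decompiled source or strings."""
    return sorted(set(HTTP_URL.findall(source_text)))

# Constructed sample inputs (not taken from any app named on this page)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:usesCleartextTraffic="true"/></manifest>"""
SAMPLE_NSC = """<network-security-config><domain-config cleartextTrafficPermitted="true">
  <domain>api.example.test</domain></domain-config></network-security-config>"""
SAMPLE_PLIST = plistlib.dumps({"NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True}})
SAMPLE_SOURCE = 'String url = "http://api.example.test/weather?lat=" + lat;'

if __name__ == "__main__":
    print(audit_android_manifest(SAMPLE_MANIFEST), audit_network_security_config(SAMPLE_NSC))
    print(audit_ios_plist(SAMPLE_PLIST), find_http_urls(SAMPLE_SOURCE))
```

An empty result is not a pass on its own: Android apps targeting API level 27 or lower permit cleartext traffic by default, so the target SDK level and observed network traffic still need to be checked.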

As users, we must remain vigilant and demand higher security standards from app developers. By being aware of the security practices of the apps we use, we can make informed choices and protect our personal information.

All of the organizations whose vulnerable apps were discussed in this blog have been notified about the issues we uncovered.

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Symantec recommends users follow these best practices to stay protected from mobile threats:

  • Install a suitable security app, such as Symantec Endpoint Protection, to protect your device and data
  • Refrain from downloading apps from unfamiliar sites and only install apps from trusted sources
  • Keep your software up to date
  • Pay close attention to the permissions that apps request
  • Make frequent backups of important data

About the Author

Yuanjing Guo

Software Engineer

Yuanjing is a member of Symantec's Security Technology and Response team who are focused on researching and developing automation technologies in mobile security.

About the Author

Tommy Dong

Sr Princ Software Engineer

Tommy is a member of Symantec's Security Technology and Response team who are focused on researching and providing protection against current and future cyber threats.
