Many popular Android apps fail to encrypt login credentials

Using encryption to protect mobile traffic, and especially the exchange of credentials between the user and company servers, should be a given in this day and age. Unfortunately, some companies have yet to implement HTTPS for logins in their mobile apps, and others have implemented it incorrectly, exposing their users to Man-in-the-Middle attacks.
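
The article does not say which implementation mistakes the affected apps made, but the two failure modes it describes map onto patterns that show up again and again in Android code review: sending the login POST over plain http://, and "using HTTPS" while disabling the checks that make it worth anything. The following is an added example (not code from the article, from AppBugs, or from any of the apps named) showing the insecure pattern next to a hardened version; the class name `LoginTransport` and the method names are illustrative.

```java
import java.io.IOException;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Illustrative class, not from the article or any app it names.
public class LoginTransport {

    // INSECURE: "HTTPS done badly". A TrustManager that accepts every chain
    // plus a HostnameVerifier that accepts every host means an attacker on the
    // network can present any self-signed certificate, complete the handshake,
    // and read the credentials. The traffic is encrypted, but to anyone.
    static HttpsURLConnection insecureConnection(URL url) throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) {}
                public void checkServerTrusted(X509Certificate[] chain, String authType) {}
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        });
        return conn;
    }

    // HARDENED: keep the platform defaults (system trust store, chain
    // validation, strict hostname verification) and refuse anything that is
    // not https:// for the login request, including redirect-based downgrades.
    static HttpsURLConnection secureConnection(URL url) throws IOException {
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("login must use https, refusing " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Deliberately no setSSLSocketFactory / setHostnameVerifier: the
        // defaults validate the certificate chain and check the hostname.
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        // A 302 to an http:// URL would otherwise resend the body in the clear.
        conn.setInstanceFollowRedirects(false);
        return conn;
    }
}
```

When reviewing a decompiled APK for the first failure mode, empty `checkServerTrusted` bodies and `HostnameVerifier` implementations that unconditionally return `true` are the strings to search for; the second failure mode (no HTTPS at all) is simply a login endpoint with an `http://` scheme. On Android 7 and later, a network security configuration with `cleartextTrafficPermitted="false"` makes the plain-HTTP case fail at the platform level rather than relying on every call site getting it right.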

AppBugs, a company that has created an app of the same name that analyzes Android apps for vulnerabilities, has recently revealed that its testing of apps on Google Play showed that some 100 popular apps either don’t use HTTPS to protect login credentials or do so badly. Altogether, these apps have been downloaded by some 200 million users.

The official app for dating site falls in the first category – credentials are sent out in unencrypted form. Safeway (supermarket chain), PizzaHut, and the NBA (the US National Basketball Association) have poorly implemented encryption:

AppBugs CEO Rui Wang told Dan Goodin that they have contacted the companies whose apps were found wanting in the encryption department, but that only some responded, and only 28 have fixed the issue so far.

The companies mentioned earlier have yet to do something about it.
