You thought the news about banking apps was bad. Well, it's not just the banking apps...
The Starbucks mobile app, the most used mobile-payment app in the U.S., has been storing usernames, email addresses and passwords in clear text, Starbucks executives confirmed late on Tuesday (Jan. 14). The credentials were stored in such a way that anyone with access to the phone can see the passwords and usernames by connecting the phone to a PC. No jailbreaking of the phone is necessary. And that clear text also displays an extensive list of geolocation tracking points (latitude, longitude), a treasure trove of security and privacy gems for anyone who steals the phone.
IOActive have just published a report covering the security of online banking apps for mobile devices. They found that:
- 90% of the apps they tested had security vulnerabilities.
- 70% of the apps offered no support at all for two-factor authentication.
This is where a third token is used for extra security in addition to the user name and password. It could be a picture identification, a PIN code, or a one-time password sent via SMS (text message) to the user.
- 40% of the apps accepted any SSL certificate for secure HTTP traffic.
This is a major issue as it completely invalidates the chain of trust between you and your bank, and allows anyone to misdirect you to a phishing site, for example, while you are using an untrusted network such as a Wi-Fi hotspot. What makes this so serious is that you cannot detect it happening, and there's nothing you can do to stop it.
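For anyone reviewing an app's source, the "accepts any certificate" flaw usually comes from a handful of recognisable code patterns. The sketch below is an added example, not code from the IOActive report or from any tested app: the rule list is a heuristic and the two Java snippets are constructed samples.

```python
import re

# Heuristic rules for common ways client code switches off certificate checks.
# They flag candidates for manual review; they are not a complete list.
RULES = [
    ("empty X509TrustManager.checkServerTrusted",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+)?\{\s*\}")),
    ("HostnameVerifier that always returns true",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}")),
    ("Apache ALLOW_ALL_HOSTNAME_VERIFIER",
     re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b")),
    ("AFNetworking allowInvalidCertificates enabled",
     re.compile(r"allowInvalidCertificates\s*=\s*YES")),
]

def find_trust_all(source):
    """Return sorted (line_number, rule_name) pairs for every rule that matches."""
    hits = []
    for name, pattern in RULES:
        for m in pattern.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            hits.append((line, name))
    return sorted(hits)

# Constructed sample: a trust manager whose server check does nothing,
# plus a hostname verifier that matches any host.
WEAK_JAVA = """\
TrustManager tm = new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a)
            throws CertificateException {
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
};
factory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
"""

# Constructed sample: the server check delegates to the platform trust manager.
SAFE_JAVA = """\
public void checkServerTrusted(X509Certificate[] c, String a)
        throws CertificateException {
    defaultTrustManager.checkServerTrusted(c, a);
}
"""

if __name__ == "__main__":
    for line, rule in find_trust_all(WEAK_JAVA):
        print(f"line {line}: {rule}")
```

A clean result does not prove the app validates certificates correctly; it only means none of these specific patterns appear.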