
Research uncovers eight Android and iOS apps that leak sensitive user data

The eight Android and iOS apps do not adequately protect user data because sensitive information such as device details, geolocation and login credentials is transmitted over HTTP instead of HTTPS.

This leaves the data exposed to potential attacks such as data theft, eavesdropping, and man-in-the-middle attacks. Encryption is a basic security measure to protect user data, but it seems that many app developers implement it incorrectly.



Eight Android and iOS apps

  1. Klara Weather (Android)
  2. Dating app for military personnel – MD Date (iOS)
  3. Sina Finance (Android)
  4. CP Plus Intelli Serve (Android)
  5. Latvijas Pasts (Android)
  6. HaloVPN: Fast, secure VPN proxy (iOS)
  7. i-Boating: Marine Charts & GPS (iOS)
  8. Texas Storm Chasers (iOS)

The apps “Klara Weather” and “Military Dating” pose significant security risks due to their unencrypted data transmission. Klara Weather discloses users’ geolocation data via HTTP, thereby exposing privacy-sensitive information.

The Military Dating app, on the other hand, sends usernames and passwords unencrypted and is therefore vulnerable to interception and compromise, potentially leading to unauthorized access to personal information, identity theft, or other malicious activities.

Network traffic from the Military Dating app

The Android apps Sina Finance and CP Plus Intelli Serve pose significant security risks because they share sensitive device information such as device ID, SDK version and IMEI over unencrypted HTTP connections, thereby exposing users to potential tracking and profiling.

CP Plus Intelli Serve transmits usernames and passwords in plain text, making it vulnerable to interception and theft. Neither app implements basic security measures such as HTTPS encryption to protect user data, leaving users exposed to privacy and security breaches.

Code evidence of CP Plus Intelli Serve using HTTP URLs

Latvijas Pasts and HaloVPN, popular mobile apps with over 100,000 and 13,300 downloads respectively, pose significant security risks due to the unencrypted transmission of sensitive user data.


By analyzing network traffic and reviewing the code, it was found that Latvijas Pasts leaks user geolocation over HTTP, while HaloVPN leaks device information such as device ID, language, model, name, time zone, and SIM details.

HaloVPN network traffic

The mobile applications “i-Boating: Marine Charts & GPS” and “Texas Storm Chasers” transmit sensitive user data over unencrypted HTTP connections.

Specifically, i-Boating sends device information such as type and operating system version, while Texas Storm Chasers transmits the user's geolocation. This exposes users to potential security risks such as wiretapping and data interception, as malicious actors can easily access their personal information.

Network traffic from Texas Storm Chasers

The ongoing problem of unencrypted data transmission in mobile apps poses significant security risks to users. Developers are urged to prioritize app security by using HTTPS for all network traffic, encrypting sensitive data, conducting regular security audits, and keeping user data protection in mind.
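A pre-release check of the kind this advice implies, shown as an added example that is not code from the research or from any of the apps named above: it inspects an Android manifest and an iOS Info.plist for settings that permit cleartext HTTP and lists `http://` endpoints found in source or strings output. The sample inputs and the `example.test` hostname are constructed, and an Android network security config, which would take precedence over the manifest flag, is assumed absent.

```python
import plistlib
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Namespace/DTD identifiers that look like URLs but are never fetched.
IGNORED_HOSTS = {"schemas.android.com", "www.w3.org", "www.apple.com"}
HTTP_URL = re.compile(r"http://([A-Za-z0-9.-]+)[^\s\"'<>]*")


def android_allows_cleartext(manifest_xml):
    """True if the manifest permits cleartext HTTP (network security config not checked)."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    flag = app.get(ANDROID_NS + "usesCleartextTraffic") if app is not None else None
    if flag is not None:
        return flag.lower() == "true"
    sdk = root.find("uses-sdk")  # a missing uses-sdk element is treated as a legacy target
    target = int(sdk.get(ANDROID_NS + "targetSdkVersion", "0")) if sdk is not None else 0
    return target < 28  # platform default is "true" up to API level 27


def ios_allows_cleartext(info_plist):
    """True if App Transport Security is relaxed globally or for any exception domain."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        return True
    domains = ats.get("NSExceptionDomains", {})
    return any(d.get("NSExceptionAllowsInsecureHTTPLoads") for d in domains.values())


def cleartext_urls(text):
    """Return the distinct http:// URLs in decompiled source or strings output."""
    found = {m.group(0) for m in HTTP_URL.finditer(text) if m.group(1) not in IGNORED_HOSTS}
    return sorted(found)


# Constructed sample inputs (not taken from any of the apps named above).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:targetSdkVersion="33"/>
  <application android:usesCleartextTraffic="true"/>
</manifest>"""
SAMPLE_PLIST = plistlib.dumps({"NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True}})
SAMPLE_SOURCE = 'String LOGIN = "http://api.example.test/login"; String OK = "https://api.example.test/v2";'

if __name__ == "__main__":
    print(android_allows_cleartext(SAMPLE_MANIFEST), ios_allows_cleartext(SAMPLE_PLIST))
    print(cleartext_urls(SAMPLE_SOURCE))
```

Any `True` result or non-empty URL list is a reason to fail the build until the endpoint is moved to HTTPS.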

Symantec advises users to protect their mobile devices from threats by installing a proven security app, avoiding app downloads from untrusted sources, keeping software up to date, carefully reviewing app permissions, and regularly backing up important data. This can significantly reduce the risk of a mobile device being compromised.
