Some Android apps stink at securing user data

While the bulk of mobile security research is focused on intentionally malicious apps, it’s the benign ones that you should really be afraid of.

That’s the latest conclusion made by Android security researchers, who found that dozens of Android apps had lax security that exposed user data to theft, Ars Technica reports.

At the core of the researchers’ exploits are so-called “man-in-the-middle” attacks, which steal data by piggybacking on compromised WiFi networks. Once users connect to them, hackers can strike, intercepting poorly encrypted data such as banking information, log-in credentials, emails, and instant message transcripts.

These 40 or so apps, researchers say, are used by as many as 185 million people, few of whom are aware of the issues. Fortunately for app makers, the researchers were kind enough not to share the names of these insecure apps, which isn’t exactly helpful to those Android users who might have them installed.

Much of the problem, the researchers say, lies in poor implementation of encryption protocols by app developers, who they say aren’t as focused on data security as they should be. The solution? Google has to do a better job of enforcing more stringent security measures, the researchers say.

But what about iOS? While the researchers focus on Android, it’s possible that iOS apps are also exposed to these same security holes. That’s because the issue is larger than the operating system: Any app using poor encryption is vulnerable to the same problems, regardless of the platform it’s on. That’s why the app approval process is so important.