What can go wrong if I order Pizza Hut from my Android device?
Due to a well-publicized bug found in over 100 Android apps, the Pizza Hut Android app sent the user's password without HTTPS protection, so anyone on the same network could have intercepted it. If you are like many people, you use the same username and password combination on many sites. Once a hacker has that combination, they will try it elsewhere too, usually starting with the sites of highest potential value, such as investment and banking accounts.
What other apps risk my privacy?
Some other common Android apps that shared this flaw are Match, OkCupid, NBA Game Time, Vevo, WebMD, WatchESPN, iHeartRadio, Expedia, Angry Birds and the Safeway app (Safeway, Inc.). Separately, US-CERT (the United States Computer Emergency Readiness Team, part of the Department of Homeland Security) published a list of more than 23,000 apps identified as insecure because they did not properly check SSL certificates, which lets an attacker sitting between the phone and the server read traffic that should have been encrypted.
The highly respected security vendor FireEye reported on July 17, 2014 that, of the 1,000 most frequently downloaded apps in the Google Play Store, 68% had at least one of the SSL vulnerabilities it studied (for example, accepting whatever certificate a server presents, which lets an attacker in the middle read traffic that should be encrypted). According to Dan Goodin of Ars Technica, most of the apps still had the bug more than seven months after the first report.
“Wang said the NBA app requires an NBA League Pass Account, which according to this official NBA video costs $199. He said his company reported the vulnerability to the app developer in late February but never got a response. The developers of the Match.com, Safeway, and Pizza Hut apps, as well as more than 50 other apps, similarly failed to respond. In all, Wang said he discovered 100 apps that didn’t HTTPS-protect login credentials, only 28 of which have since been fixed.” (Ars Technica article). This flaw existed for a long time, was publicized extensively and has been studied in many ethical hacking classes. It is still a threat because people tend to keep the same passwords for years, so a password captured back then may still work today.
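To make the risk concrete, here is an added example of what an eavesdropper on the same Wi-Fi network can read when an app sends a login without HTTPS. It is not code from this article or from any of the apps named above; it is a small Python script that parses captured HTTP login requests and pulls out the secret fields. All hostnames, usernames, passwords and the list of "secret" field names are constructed for the example, and the TLS case is modelled simply as "the eavesdropper sees nothing", which assumes the app actually validates the server's certificate.

```python
"""Added example: what an eavesdropper on the same Wi-Fi can read when an app
sends a login without HTTPS. Not code from the article or from any app named
in it; all requests, hostnames and credentials below are constructed samples."""
import base64
import json
from urllib.parse import parse_qsl, urlsplit

# Field names that usually carry a secret (assumption for this example).
SECRET_FIELDS = {"password", "passwd", "pass", "pwd", "pin", "token"}


def raw_request(start_line, headers, body=b""):
    """Assemble raw HTTP/1.1 request bytes with a correct Content-Length."""
    lines = [start_line, *headers, f"Content-Length: {len(body)}"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def parse_http_request(raw):
    """Split raw request bytes into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def leaked_credentials(raw, over_tls=False):
    """Return the (field, value) pairs an on-path attacker can read from one request.

    Inside a properly validated TLS connection the request is opaque to the
    eavesdropper, so nothing is readable; without TLS every byte is.
    """
    if over_tls:
        return []
    _method, target, headers, body = parse_http_request(raw)
    found = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # HTTP Basic auth is only base64-encoded, not encrypted.
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        found.append(("basic-auth", f"{user}:{pw}"))
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    fields = []
    if ctype == "application/x-www-form-urlencoded":
        fields = parse_qsl(body.decode("iso-8859-1"))
    elif ctype == "application/json":
        try:
            data = json.loads(body.decode("utf-8"))
        except ValueError:
            data = {}
        if isinstance(data, dict):
            fields = [(k, str(v)) for k, v in data.items()]
    # Logins done with GET put the credentials in the query string.
    fields += parse_qsl(urlsplit(target).query)
    found += [(name, value) for name, value in fields if name.lower() in SECRET_FIELDS]
    return found


def audit_capture(capture):
    """capture: list of (raw_request, over_tls). Returns {host: [leaked field names]}."""
    report = {}
    for raw, over_tls in capture:
        leaks = leaked_credentials(raw, over_tls)
        if leaks:
            host = parse_http_request(raw)[2].get("host", "?")
            report.setdefault(host, []).extend(name for name, _ in leaks)
    return report


# Constructed captures (made-up hosts and credentials), one per login style.
CAPTURED_FORM_LOGIN = raw_request(
    "POST /api/login HTTP/1.1",
    ["Host: orders.pizza.example", "Content-Type: application/x-www-form-urlencoded"],
    b"username=alice&password=s3cret%21",
)
CAPTURED_JSON_LOGIN = raw_request(
    "POST /v1/session HTTP/1.1",
    ["Host: api.dating.example", "Content-Type: application/json"],
    json.dumps({"user": "bob", "password": "hunter2"}).encode(),
)
CAPTURED_GET_LOGIN = raw_request(
    "GET /login?user=carol&pwd=letmein HTTP/1.1", ["Host: scores.example"]
)
CAPTURED_BASIC_LOGIN = raw_request(
    "GET /account HTTP/1.1",
    ["Host: radio.example",
     "Authorization: Basic " + base64.b64encode(b"dave:pa55").decode()],
)
SAMPLE_CAPTURE = [
    (CAPTURED_FORM_LOGIN, False),
    (CAPTURED_JSON_LOGIN, False),
    (CAPTURED_GET_LOGIN, False),
    (CAPTURED_BASIC_LOGIN, False),
    (CAPTURED_FORM_LOGIN, True),  # the same login, but sent over HTTPS
]

if __name__ == "__main__":
    for host, fields in audit_capture(SAMPLE_CAPTURE).items():
        print(f"{host}: sends {', '.join(fields)} in the clear")
```

Run as a script, it reports every made-up host that hands a password (or a Basic-auth header, which is only base64-encoded) to anyone watching the network, and says nothing about the copy of the same login sent over HTTPS. That last point is the whole difference the article is describing: the fix is not a cleverer password, it is making sure the app never sends it outside an encrypted, certificate-checked connection.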
So what can I do about it?
If you’ve used any of these apps, change your password immediately. If you use that password on other sites, change it there too. Keep in mind that hackers sometimes collect credentials for a while before acting on them, so just because your account hasn’t been drained yet doesn’t mean you are safe.
According to an article published in The Telegraph (a U.K. publication) by Cara McGoogan: ‘More than 50% of people use the top 25 most common passwords, according to password manager Keeper, with a significant 17% – almost one in five – of all users having “123456” as their protective code’. The 25 most common passwords are listed in that article, so make sure not to use any of them. The article also gives advice on picking strong passwords, so consider it when creating new ones.
What can I use to help protect my passwords?
Use a different password for each site, and at the very least never reuse the password for an important site like your bank on less important sites like gaming and social media. Another option is a password manager such as Norton Identity Safe to store your user IDs and passwords; protect it with a very strong master password, since it guards everything else. That way you can use a different password for every site you use without having to memorize them all.
Look up the apps you commonly use in the AppBugs app to see whether they have any ‘severe’ vulnerabilities, and stop using any that do. Even if an app is listed as fixed, make sure the fixed version is the one actually installed on your device.
Lastly, think about where you are when you perform sensitive transactions such as logging in to secure sites. The riskiest time to log in from a mobile device is while connected to a public Wi-Fi network: anyone else on that network, or whoever runs it, can capture the traffic passing through it, and an app that sends your password without HTTPS hands it to them in readable form.