Petronella Blog Archive


Android Passwords Exposed


Improperly implemented HTTPS in Google Play apps has left users' passwords exposed. Some of the apps did not use HTTPS at all.

The apps with faulty or missing HTTPS protection have been downloaded more than 200 million times in total, and they include many popular apps, among them the official apps of major organizations such as Match.com, the NBA and Pizza Hut.

The issue was discovered by AppBugs, maker of a free app that scans other installed apps for security issues. According to AppBugs, apps like Match.com's simply did not use HTTPS, so anyone on the same Wi-Fi network could passively read passwords and other data the app sent. Others, like the NBA and Pizza Hut apps, used HTTPS but did so incorrectly. Exploiting that takes a little more effort than sniffing plaintext: broken HTTPS commonly means the app does not properly check the server's certificate, so the attacker has to actively sit between the app and the server and present a certificate of their own. A moderately skilled attacker on the same network can do that, and the login data is captured just the same.
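The two ways an Android app ends up "using HTTPS" without getting any protection from it are easiest to see in code. The following is an added example written for this post; it is not code from any of the apps named above, and the API hostname and form field names are placeholders. The first method is the pattern that makes a TLS connection accept a forged certificate; the second is the hardened form, which relies on the platform's default certificate validation and refuses to send credentials over anything but HTTPS.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class LoginTransport {

    // VULNERABLE (shown for contrast, never call this): "HTTPS" that trusts any
    // certificate from anyone. checkServerTrusted never throws and the hostname
    // verifier always says yes, so an attacker on the same Wi-Fi who intercepts
    // the connection and presents a self-signed certificate is accepted as the
    // real server and receives the password in the clear.
    static HttpsURLConnection openInsecure(URL url)
            throws IOException, GeneralSecurityException {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { } // accepts everything
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, trustAll, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(sc.getSocketFactory());
        conn.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; } // any name matches
        });
        return conn;
    }

    // HARDENED: use the platform's default trust store and hostname verification.
    // The certificate chain must lead to a CA the device trusts and the leaf must
    // name the host; a forged certificate fails the handshake with
    // SSLHandshakeException before any request body (and so any password) is sent.
    static HttpsURLConnection openSecure(URL url) throws IOException {
        if (!"https".equals(url.getProtocol())) {
            // The Match.com-style failure: a login form posted over plain HTTP.
            throw new IllegalArgumentException(
                "refusing to send credentials over " + url.getProtocol());
        }
        return (HttpsURLConnection) url.openConnection(); // default SSLSocketFactory and HostnameVerifier
    }

    // Posts the credentials over whatever connection it is given; the security of
    // the result depends entirely on which of the two openers built that connection.
    static void postLogin(HttpsURLConnection conn, String user, String password)
            throws IOException {
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        String body = "user=" + URLEncoder.encode(user, "UTF-8")
                    + "&password=" + URLEncoder.encode(password, "UTF-8");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        System.out.println("HTTP " + conn.getResponseCode());
    }

    public static void main(String[] args) throws Exception {
        URL api = new URL("https://api.example.com/login"); // placeholder host
        postLogin(openSecure(api), "alice", "correct horse battery staple");
    }
}
```

The trust-all `X509TrustManager` and the `return true` hostname verifier are usually added to make a test server with a self-signed certificate work and then shipped by mistake; they are the first thing a static scanner looks for. Defending against the "no HTTPS at all" case also belongs in configuration rather than in code: an Android network security config with `cleartextTrafficPermitted="false"` makes the platform reject plain HTTP app-wide, and Android 9 and later apply that setting by default.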

AppBugs says it found 100 apps with HTTPS issues, but only just over 25% of them have since fixed the problem.