Who else is enjoying your coffee break? Researchers have called for app developers to use secure internet connections to prevent hackers sniffing private information posted over public Wi-Fi networks. Photo: Jamie Brown
MOSCOW: Many smartphone app developers are not using encrypted protocols to secure the apps they create, leaving users vulnerable to being hacked when they connect to public Wi-Fi networks, researchers say.
Stefan Tanase, senior security researcher at Kaspersky Lab and based in Romania, said that up until recently the popular messaging app Whatsapp was among the many apps available on app stores, including Google's Play and Apple's App Store, not using any encryption to protect its users from hackers. He said many others continued to use no encryption at all.
Internet users have been able to identify for some time whether a website is using an encrypted connection by looking for a golden padlock in the browser address bar or lower right corner of the page, or the letter "s" after the internet address prefix "http". But smartphone users can't tell if their favourite app uses such encrypted channels.
"The reality is that we have to connect to these [public, unsecured Wi-Fi] networks," Mr Tanase said. "But what [people] don't understand is that many of the applications are actually still using insecure communications protocols. This leaves [users] vulnerable to things like session hijacking or stealing [of] user name or password or the contents of [their] communications."
The issue of insecure connections came to light in 2010, when Firesheep, a Firefox add-on, allowed others to sniff data traffic. Before Facebook and Twitter introduced secure connections to their sites, it was possible for hackers using such packet sniffing tools to capture in plain text what others were posting online via a webpage.
Mr Tanase said this was still possible when people used apps to post photos, status updates and other private information online.
A developer choosing to use the unencrypted version of HTTP or FTP - internet and file transfer protocols - in their apps can expose users' private data, he said.
"Whatsapp is a fairly popular application but what not many people are aware of is that up until [recently] Whatsapp was doing everything in an unencrypted way," Mr Tanase said.
"So anyone who was sniffing [a Wi-Fi] network [that a Whatsapp user was connected to] was able to see the contents of your [messages]."
Yahoo Messenger was another example still transmitting user messages using an unsecured connection, he said. "[But] in reality there's ... many, many [more] apps," he said. "You see these problems coming from famous and trusted developers. I don't even want to think about how many of the lesser known apps have [unencrypted] plain text protocols embedded in them."