The evidence keeps mounting that companies that put out mobile apps are not paying nearly enough attention to security. Even big companies with large and experienced IT staffs are guilty. In fact, the latest evidence suggests that the iOS mobile app of Wal-Mart, the largest U.S. company by revenue, exposes users' passwords, account names and email addresses, as well as many geolocation details. The retailer is famously IT-savvy and is said to owe much of its success to what goes on in the back office.
Wal-Mart has already addressed many of the issues raised by Daniel Wood (CISSP, GPEN), an independent penetration tester, and says it is fixing the geolocation problem.
Wood conducted the testing at the request of Computerworld. He also spotted security failings in Walgreens' iOS mobile app.
The Wal-Mart app also displays an extensive list of recently viewed and/or scanned products, which could prove quite embarrassing if viewed by a co-worker, date or relative. ("Stocking up on condoms, Father Smith?") Even worse, from an IT perspective, information saved unencrypted in the app reveals password access to a Wal-Mart development server, along with information about the app's developer, including an account name, that any fraudster who uses social-engineering techniques would find useful.
The list of large companies, including Starbucks, Delta, Facebook, Match.com and eHarmony, whose Android and/or iOS mobile apps have been found to reveal far more information than the companies knew has been growing. Besides Wal-Mart, we can now add Walgreens to the list. Its iOS app's Pill Reminder function encourages shoppers to photograph their prescriptions, but it seems that those images are stored unencrypted and available to anyone. The app also stores the full name and user ID of customers, not encrypted but merely encoded (Base64), which can be trivially decoded and read. Walgreens plans to fix both security holes within days, said Abhi Dhar, chief technology officer for e-commerce at Walgreens.
Dhar said Walgreens had expected shoppers to take pictures of prescribed pills — showing an orange circular pill or a blue rectangular capsule, for example — but many have been photographing the prescription labels. When executives realized that, he said, they knew Walgreens needed to up its security.
The unencrypted information stored in the Wal-Mart app is instantaneously available on any device that isn't protected by a password. Most mobile devices can be locked with a four-digit PIN, but that's hardly state-of-the-art security. Unlocked phones can be grabbed, as can locked phones whose PINs have been keyed in. PINs can also be shoulder-surfed. And of course a cyberthief could simply break the PIN through brute force, using tools like Fireeye or Cellebrite.