You, like many Internet users, probably use your Facebook, Google, Twitter, or Microsoft account to log in to a wide variety of apps and websites using what’s called a social login. Social logins enable you to use your existing login information from a social network or service to gain access to a third-party app instead of creating (and having to keep track of) a new account specifically for the new app or website.
Social logins offer speed and convenience. But if the apps where you use them don’t protect your login information in transit, they make that information easy for attackers to steal.
AppBugs, the firm behind technology that scans Android apps for security vulnerabilities, recently posted on its blog that a set of mobile apps with a combined total of more than 80 million downloads fail to handle users’ login information properly, and therefore expose users’ accounts and data. If you use your credentials for Facebook, Google, Twitter, Microsoft, or a number of other services to log in to any of the following apps, your information is being exposed:
- Astro File Manager with Cloud
- Windows Live Hotmail Push Mail
- Brother iPrint & Scan
- Software Data Cable
- FriendCaster Chat
- PrintHand Mobile Print
- Phone for Google Voice & GTalk
- FoxIt MobilePDF
- WonderShare PowerCam
- ES File Explorer File Manager
As noted on a separate AppBugs page on social plugin vulnerabilities, apps that fail to correctly verify the SSL certificates sent by web servers create a situation in which “a man-in-the-middle attacker is able to use a fraudulent certificate to decrypt the traffic to obtain sensitive data such as username and password without being detected.”
The vulnerable apps that AppBugs lists all support social logins with accounts from Facebook, Google, and others, which means that your credentials for those major services can be compromised. The services whose accounts can be used for social login in one or more of the vulnerable apps, and are therefore at risk, are: Baidu, Box, Douban, Dropbox, Evernote, Facebook, Google, Instagram, Microsoft, Renren, Sina, SugarSync, Tencent, and Twitter.
To avoid the vulnerability, AppBugs recommends that users create accounts directly with the mobile apps, choosing a unique username and password for each. The firm also advises that there are likely other mobile apps that can leak your Facebook, Google, Twitter, or Microsoft account credentials, and so recommends downloading the AppBugs app, which detects the apps on your device that can be easily hacked.
As Dylan Tweney at VentureBeat notes, because the apps’ security problems stem from the way they handle SSL certificates, the flaws make it possible for an attacker to present a forged SSL certificate, so that the attacker’s own server receives the user’s login credentials. Rui Wang of AppBugs told Tweney that there is no single cause of the vulnerabilities in the apps.
In later versions of Android, “developers can work around this issue by implementing their own client certificate validation techniques when using WebViews,” Urban said. But as Tweney notes, that requires developers to understand how client certificate validation works — a complex topic that not all developers with apps in the Play Store are able to sufficiently address.
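Two common code-level forms of the certificate-handling bug described above, each beside its hardened version, as an added example: this is illustrative code written for this page, not code from the article, from AppBugs, or from any of the apps listed. It assumes a standard Android project; the class names, the `TAG` string, and the idea of a login page loaded in a WebView or a token exchange over `HttpsURLConnection` are placeholders, and only the Android and Java APIs used (`WebViewClient.onReceivedSslError`, `SslErrorHandler`, `X509TrustManager`, `SSLContext`, `HttpsURLConnection`) are real.

```java
// Added example (not from the article, AppBugs, or the listed apps): how the
// "does not verify the server's SSL certificate" bug usually looks in Android code,
// and the hardened form of each pattern. Class names and TAG are placeholders.
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.IOException;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class TlsValidationExamples {
    private static final String TAG = "SocialLogin"; // placeholder log tag

    // ---- Pattern 1: the provider's login page is shown inside a WebView ----

    /** VULNERABLE: every certificate error (untrusted issuer, wrong hostname, expired)
     *  is waved through, so a man-in-the-middle with a forged certificate sees the
     *  username and password the user types into the login page. */
    public static final class AcceptAnyCertClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed(); // the bug: the validation failure is ignored
        }
    }

    /** HARDENED: the stock WebViewClient already cancels on an SSL error; overriding
     *  only to log keeps that behaviour and gives operations a signal that a
     *  validation failure (possibly an interception attempt) occurred. */
    public static final class StrictClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            Log.w(TAG, "Certificate validation failed for " + error.getUrl()
                    + " (primary error code " + error.getPrimaryError() + "); aborting load");
            handler.cancel(); // never proceed past a failed validation
        }
    }

    // ---- Pattern 2: a direct HTTPS call, e.g. exchanging an OAuth code for a token ----

    /** VULNERABLE: a TrustManager whose checkServerTrusted() never throws accepts any
     *  chain, and the permissive HostnameVerifier removes the last remaining check. */
    public static HttpsURLConnection openTrustingEverything(URL url)
            throws IOException, NoSuchAlgorithmException, KeyManagementException {
        TrustManager[] trustAll = { new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true); // also disables hostname matching
        return conn;
    }

    /** HARDENED: leave the platform defaults in place. The system trust store and the
     *  default HostnameVerifier reject forged certificates without any custom code. */
    public static HttpsURLConnection openWithPlatformValidation(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }
}
```

For review or triage of an app you are responsible for, the two vulnerable shapes above are easy to find by inspection: an `onReceivedSslError` override that calls `proceed()` unconditionally, and an `X509TrustManager` whose `checkServerTrusted` body is empty (or a `HostnameVerifier` that always returns true). The fix in both cases is to delete the custom code rather than to write more of it; on Android 7.0 and later, a Network Security Configuration file can additionally pin the expected certificate authorities for the social login hosts without touching Java at all.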