Most of us operate under the assumption that the apps on our phones are safe and that we can use them to do the tasks they were designed for without putting us at risk. New research conducted by mobile app security firm NowSecure suggests that isn’t the case. The company tested 250 of the most popular Android apps available in the Google Play Store and found that 70 percent of them suffered from vulnerabilities that could leave sensitive user data exposed. The findings suggest that millions of Android users could be at risk.
The findings show that vulnerabilities are widespread across nearly every category of application. However, online and brick-and-mortar retail apps are among the most vulnerable. Ninety-two percent of all online retail apps and more than four in five brick-and-mortar store apps are actively leaking sensitive customer information, according to NowSecure. Troublingly, one in six of the apps suffers from what the security company classifies as “high-risk” vulnerabilities.
One such app that was discovered to be leaking customer information belonged to Kohl’s, a leading department store retailer in the United States. NowSecure’s test of the Kohl’s app, performed in the fourth quarter of 2018, found 17 vulnerabilities and privacy risks in the service. Researchers discovered that the app transferred sensitive data in plaintext, which could allow an attacker to identify and track a user or intercept their personal information. Kohl’s has since patched the vulnerabilities and is no longer believed to be exposing user data.
BuyVia, a popular online shopping app that had more than one million downloads, was discovered to have 15 vulnerabilities. It was found to be leaking personally identifiable information that could be intercepted by a bad actor and used in phishing attacks. At the time of publication, the BuyVia app is no longer available in the Google Play Store.
Outside of retail, the travel category saw the next highest rate of vulnerability. NowSecure found that two out of three travel apps (67 percent) are leaking customer information. Travel apps can contain a wide range of sensitive information, including passport information, payment methods and forms of identification. One offender in the category that NowSecure disclosed was AirAsia. The app for the low-cost, international airline based in Malaysia suffered from 11 vulnerabilities, including one that leaves the app highly susceptible to man-in-the-middle attacks that would allow a malicious actor to intercept user information. NowSecure warned that highly confidential information could be exposed by these security flaws. More than one million people have installed the AirAsia app on their devices and could be at risk.