TAX PREP HAS GONE MOBILE
Even though this year’s tax filing deadline is 3 days later than usual (April 18th, thanks to the Emancipation Day holiday falling on the traditional April 15th deadline), a lot of people are probably scrambling to file their taxes at the last minute. As with most things in life, like shopping, gaming, and even dating, tax preparation has gone mobile. As consumers rush to their favorite app store to download the latest tax app, Appthority decided to take a look at popular tax season apps and assess them for risky behaviors. In tax apps, risky behaviors can be especially dangerous since these apps can collect sensitive information like Social Security Numbers, earnings details, birth dates, dependent information, and other personal information.
In our analysis, we looked at popular Android and iOS tax apps for risky behaviors such as:
- Having security vulnerabilities (including not following secure programming best practices)
- Exhibiting privacy invasive behaviors, such as collecting and transmitting PII (Personally Identifiable Information)
- Data exfiltration risk, such as transmitting sensitive data without encryption, sharing users’ location with third parties, etc.
WHAT WE FOUND
Low Risk: The following apps did not follow secure programming best practices. In these instances, they disclosed file paths to the source code, aka “airing their dirty laundry”. This means that the app developer, or the developer of one of the third-party SDKs (software development kits) used by the app, forgot to delete source code information from the app before it was compiled. This leaves the developer’s information, or information about the developer’s workstation, in the app, which an attacker could use to gain insight into how to attack the app, or even to learn who the app developer is in order to target him/her in a targeted phishing attack or even a physical attack (kidnapping him/her or stealing their laptop). This behavior might not be a huge risk for a consumer-facing tax app, but it is particularly worrisome for enterprise or government apps. For any app developer, using insecure SDKs can hurt your brand and reputation.
- Evernote (iOS) – (their own app’s source code)
- TurboTax (iOS) – (one of their SDKs’ source code)
- Expensify (iOS) – (one of their SDKs’ source code)
- Quick Tax References (iOS) – (one of their SDKs’ source code)
- MyBlock (iOS) – (one of their SDKs’ source code)
- IRS2Go (iOS) – (their own app’s source code; also sends YouTube traffic without encryption)
- MyTaxRefund (iOS) – (their own app’s source code)
- TaxCaster (iOS) – (one of their SDKs’ source code)
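The file-path disclosure described above can be checked for before a build ships. The following is an added example, not Appthority’s tooling: it pulls printable strings out of a binary the way the strings tool does and flags any path rooted in a developer’s home directory on macOS, Linux or Windows; the SAMPLE_BINARY bytes and the account names in it are constructed.

```python
import re

# Printable ASCII runs of six or more bytes, like the `strings` tool prints.
STRINGS_RE = re.compile(rb"[\x20-\x7e]{6,}")

# Absolute paths rooted in a developer's home directory on macOS, Linux or
# Windows. These usually come from __FILE__ macros, assert() messages or
# debug info that was not stripped from the release build.
DEV_PATH_RE = re.compile(
    rb"(?:/Users/[A-Za-z0-9._-]+/\S+"
    rb"|/home/[A-Za-z0-9._-]+/\S+"
    rb"|[A-Za-z]:\\Users\\[A-Za-z0-9._-]+\\\S+)"
)

# Constructed stand-in for an app binary: a few fake header bytes, three
# leaked build paths, a URL and a system library path that must not match.
SAMPLE_BINARY = (
    b"\x00\x00\x01\x02Mach-O header bytes (constructed)\x00"
    b"/Users/alice/Developer/TaxApp/Sources/RefundViewController.m:42\x00"
    b"\xfe\xed\xfa\xce"
    b"/home/bob/sdk-build/analytics/src/Tracker.java\x00"
    b"C:\\Users\\carol\\src\\vendor\\crash_report.cpp\x00"
    b"https://api.example.invalid/v1/refund\x00"
    b"/usr/lib/libSystem.B.dylib\x00"
)

def find_leaked_paths(blob: bytes):
    """Return (path, account_name) pairs for developer paths found in blob."""
    found = []
    for s in STRINGS_RE.findall(blob):
        for m in DEV_PATH_RE.finditer(s):
            path = m.group(0).decode("ascii")
            # On all three platforms the account name is the second component.
            account = re.split(r"[\\/]", path)[2]
            found.append((path, account))
    return found

def leaked_accounts(blob: bytes):
    """Distinct developer account names exposed by the binary, in order."""
    return list(dict.fromkeys(acct for _, acct in find_leaked_paths(blob)))

if __name__ == "__main__":
    for path, acct in find_leaked_paths(SAMPLE_BINARY):
        print(f"{acct:8s} {path}")
```

Run it against the unpacked .ipa or .apk payload (the main executable and each bundled SDK library) as a release gate.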
Medium Risk: The following apps have a combination of risky behaviors, from accessing privacy-invasive information to not encrypting it properly. When data is shared without encryption, there is a risk of data exfiltration (data being intercepted by an unintended third party) when a user uses the app on an insecure public Wi-Fi network, like a coffee shop’s. For this reason, Appthority recommends encrypting all app traffic.
- MyBlock (iOS) – shares location without encryption
- ASK A CPA Tax Answers Free (iOS) – sends category data without encryption (the user selects a tax category for what they want help with)
- IRS2Go (Android) – shares location without encryption
Higher Risk: As previously mentioned, best practices dictate that all app traffic should be encrypted (using SSL), especially when transmitting sensitive information. The highest risks identified in tax apps were for apps that not only did not encrypt all traffic, but didn’t encrypt sensitive information such as PII (Personally Identifiable Information). Encrypting PII is very important. Without PII encryption, would-be attackers can sniff the information when a user uses the app on a shared Wi-Fi network, like an airport or coffee shop. PII includes the unique device identifier IMEI. The IMEI is particularly worrisome as some modern mobile attacks need the victim’s IMEI or Device ID to sign a malicious side-loaded app and install it on the device. Further, there are well-known exploits in some apps like TrueCaller that leave over 100 million users exposed, where, given an IMEI number, an attacker can steal a TrueCaller user’s information.
- MyBlock (Android) – sends PII unencrypted (sends device ID/PII unencrypted)
- TaxBot (iOS) – sends PII unencrypted (sends device ID)
- Calculator For US Taxes (Android) – sends PII unencrypted (sends PII/device ID unencrypted)
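Both the Medium and Higher Risk findings above come down to sensitive fields leaving the device over cleartext HTTP. As an added example (not Appthority’s analysis engine), the following triages captured requests into the tiers used in this post: any cleartext request is at least low, location fields make it medium, and a device identifier or PII field makes it higher, with a Luhn check so an IMEI sent under a neutral parameter name is still caught. The parameter-name lists, the example.invalid host and the CAPTURED requests are assumed/constructed.

```python
from urllib.parse import parse_qsl, urlsplit

# Parameter names treated as each class of sensitive data. Assumed names
# for the example; a real analyzer carries a longer list and also inspects
# JSON bodies and headers.
LOCATION_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}
DEVICE_ID_KEYS = {"imei", "device_id", "deviceid", "udid", "android_id", "idfa"}
PII_KEYS = {"ssn", "dob", "email", "phone", "first_name", "last_name"}

def luhn_ok(digits: str) -> bool:
    """IMEI check-digit validation (Luhn), so an IMEI sent under a neutral
    parameter name such as 'id' is still caught."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_request(url: str, body: str = "") -> str:
    """Risk tier for one captured request: none / low / medium / higher."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return "none"                  # encrypted transport, not flagged
    risk = "low"                       # any cleartext traffic is at least low
    for key, value in parse_qsl(parts.query) + parse_qsl(body):
        k = key.lower()
        imei_like = value.isdigit() and len(value) == 15 and luhn_ok(value)
        if k in DEVICE_ID_KEYS or k in PII_KEYS or imei_like:
            return "higher"
        if k in LOCATION_KEYS:
            risk = "medium"
    return risk

def scan(captured):
    """(path, tier) for every (url, form_body) pair in a capture."""
    return [(urlsplit(u).path, classify_request(u, b)) for u, b in captured]

# Constructed sample capture (URL plus form body); the IMEI value is the
# widely used documentation example 490154203237518.
CAPTURED = [
    ("http://api.example.invalid/track?lat=37.77&lon=-122.41", ""),
    ("http://api.example.invalid/register", "imei=490154203237518&os=android"),
    ("http://api.example.invalid/help?category=refund", ""),
    ("https://api.example.invalid/profile", "ssn=000-00-0000"),
    ("http://api.example.invalid/boot", "id=490154203237518&v=2"),
]
```

The https /profile request is not flagged only because the transport is encrypted; whether that PII should be collected at all is the separate privacy question raised in the analysis criteria above.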
Overall, the tax apps Appthority analyzed did not exhibit risks severe enough to warrant users avoiding them altogether during tax season, but we wanted to call out the behaviors and the risks identified. These apps are developed by large companies with ample app development experience and expertise, yet Appthority’s automated dynamic analysis engines still uncovered several vulnerabilities. We suspect even more vulnerabilities can be found in lesser-known apps which are not developed with enterprise-grade resources.
So, while the likelihood of an exploit is low, if you’re using any of these apps, we recommend using them only when connected to a secure network rather than public Wi-Fi. If your home network is not secure, we recommend securing it with a password to avoid inadvertently sharing your private information with drive-by crooks.