Risky Apps


RISKY APPS: Bitcoin Wallet / Bitcoin Tapper

Published on March 13, 2014 Appthority Security Team, Lead by Kevin Watkins, Chief Architect

Bitcoins - It’s been in the news lately, touted as the new online currency. But how secure are the popular Bitcoin mobile apps for Android? To try to answer this question, Appthority took a look at a few popular apps on Google Play, including Bitcoin wallets and and other Bitcoin related apps.

Bitcoin apps are, for all intents and purposes, financial apps and should be held to similar standards as banking and other financial services related mobile apps. Transactions of value take place, and in the case of bitcoins, the identity and authentication of the user behind the transaction is their “private key.” If this key were obtained, transactions can be made on the users behalf.... Read More »

iPharmacy: UPDATE February 2014

Published on February 05, 2014 Appthority Security Team, Lead by Kevin Watkins, Chief Architect

iPharmacy:  UPDATE February 2014

In December of 2013, Appthority posted a Risky App Alert on the iPharmacy app.  Appthority had determined that this app had exhibited risky privacy behaviors.

Now, we're delighted to report that the latest version of iPharmacy has fixed those risky app behaviors.  The developer of iPharmacy took these issues seriously, and worked closely with Appthority to verify the behaviors and to remediate them in a timely fashion. 

As a result, the revised Android version of the app is now available for download on Google Play:  https://play.google.com/store/apps/details?id=com.sigmaphone.topmedfree&hl=en

... Read More »

The Coupons App – Android Coupons App Leaks Your Personal Information To Everyone

Published on January 08, 2014 Appthority Security Team, Lead by Kevin Watkins, Chief Architect

In this bad app report we’ll be looking at one of the most popular coupon apps for Android, and how it shares private data it collects from mobile devices. This app also illustrates how privacy issues can extend beyond just the servers used by the app from using HTML5, by mishandling private data, they have inadvertently “leaked” it to other public web sites. In this case, we observed the mobile phone number, e-mail, device ID, and other private information being sent to Amazon and other sites that came up in the app’s “search” feature.... Read More »

RISKY APPS: iPharmacy Drug Guide

Published on December 11, 2013 Appthority Security Team, Lead by Kevin Watkins, Chief Architect

ipharmacy logoThis Risky Apps Alert examines analysis findings for one of the most popular pharmacy pill identification apps, iPharmacy Drug Guide. For an app that has earned a top developer award from Google Play, Appthority found it to be one of the top offenders when it comes to risky privacy behaviors for apps in the health or medical category.

For example, if this app is run while the user is on insecure or public WiFi, anyone would be able to see what specific prescription drugs the app user is searching for. Further, if they use the medical reminder feature, what specific drugs the user is taking or being reminded to take will also be available for public viewing. ... Read More »

RISKY APPS: Private User Data Exposed by Super Backup & Tube Map Live Underground

Published on November 12, 2013 Appthority Security Team, Lead by Kevin Watkins, Chief Architect

This Alert features two risky apps – a popular backup app used on Android and a transit app for the London Tube.

Super Backup, a popular backup utilities for Android (with over a million downloads) exhibit risky behaviors by storing data backups to the sdcard. This exposes the user's private data to other apps, as data on the sdcard is generally insecure. This is even more risky when an app and the app data is backed up, as the app data contains private saved data, passwords, and access tokens. Appthority also demonstrates how to extract the private access token for Facebook from the backup data.

Also featured is a travel app for the London Tube known as "The Tube Map Live Underground." The app is available on three platforms – BlackBerry, iOS, and Android. We scrutinized each app on it’s respective platform and then show how a risky behavior (transfer of user credentials which contain username, password and card number) can be present across platforms.... Read More »

RISKY APPS: Calculate by QxMD -- App For Doctors Sends Unencrypted Data

Published on October 30, 2013 Appthority Security Team, Lead by Kevin Watkins, CTO

This alert covers Appthority's findings around apps that fall in the medical - health care category; specifically, apps that are targeted to be used by people in the medical field and utilize private patient or customer data. In this case, we're reviewing Calculate by QxMD, an app in the Google Play app store. Calculate by QxMD has been downloaded over 100,000 times (100,000 to 500,000), and from its description is "a next-generation medical calculator and decision support tool, freely available to the medical community." ... Read More »

RISKY APPS: Vulna -- A Vulnerability Found in Popular Mobile Ad Libraries Used by Android

Published on October 14, 2013 Kevin Watkins, Co-founder and CTO and Marjan Yahyanejad, Senior Member of Technical Staff

Security researchers have discovered a vulnerability with malicious capabilities in popular mobile ad libraries used by Android. This vulnerability is being called “Vulna.” A mobile ad library is third-party software that is included in the host app and typical not visible to the end user of the app. In this case, the software is employed in order to display advertisements within an app. The ads manifest, for example, as banner advertisements that display when an end-user gets to certain levels of their favorite gaming app. App developers will often include one to two ad network’s software in their apps in order to make money every time a user / gamer sees an advertisement in the app. Normally, not malicious.... Read More »

RISKY APPS: Signedoc

Published on October 13, 2013 Appthority Security Team, Lead by Kevin Watkins, CTO

Signedocs stores documents on your SD card. "This exposes private documents that can be picked up from other untrusted applications and used for data exfiltration. Signedocs also stores your password in plaintext on your device.

Worst of all, the documents you sign with Signedoc are stored online in a public server. The file name is hashed and obfuscated, so guessing the URL for the documents would be difficult if not impossible. But there's also no authentication in place to verify that only authorized people are looking at your documents. We've seen similar, though more pressing issues, with messaging apps in the past.... Read More »

RISKY APPs: Postagram Postcards - Images Can Be Used to Locate You

Published on September 23, 2013 Appthority Security Team, Lead by Kevin Watkins, CTO

This report covers Appthority's findings around apps that share your private photos on the app markets. For most of these apps, we think that when we share the app with someone else, the photo is protected from other prying eyes. We have found that this isn’t the case with some of the popular photo sharing apps. The apps are posted on a server, with predictable names that open the apps to anyone that wants to randomly peruse pictures that are shared for a particular photo sharing app. Add services such as the Google “Search by Image” feature (http://images.google.com/imghp) make private images less anonymous, where your image can be used to find your online presence on Facebook, Twitter, LinkedIn, etc.... Read More »

RISKY APPS: Boyfriend Tracker, “SMS, Whatsapp & Locate Spy”, SpyBubble

Published on September 16, 2013 Appthority Security Team, Lead by Kevin Watkins, CTO

This report covers some of Appthority's findings around spyware apps that exist in the app markets. Spyware is an application that silently runs in the background, with behaviors that access, records, and share private information. This includes tracking the mobile device user, recording phone activity, chat logs, e-mail, mobile pictures, and even silently streaming video and audio over the network to a server. Appthority has observed spyware packages that take advantage of jailbreaked and rooted devices, gaining the ability to “spy” on other apps that are installed on the mobile device. These apps include FaceBook, Skype, Whatsapp, and Viber. This is an added level of sophistication by spyware apps, showing they are increasing in sophistication and spreading from just the usual private data (call logs, sms, etc) we’ve seen in the past. The three apps we will shine a light on are “Boyfriend Tracker” (loader app on Google Play for the spyware app MSpy), “SMS, Whatsapp & Locate Spy” (loader app on Google Play for the spyware app SpyToMobile), and the popular spyware app SpyBubble. ... Read More »