A recent report from security firm AppBugs says a number of popular iOS and Android apps from such sources as Walmart, SoundCloud, and ESPN have been found to be vulnerable to password cracking.
… The security firm found that dozens of the most popular apps are lacking, in that they allow you to make any number of attempts to log in without restriction. This clearly opens up a gap for attackers who have the means to guess those passwords and gain access to your accounts.
Ideally such apps will eventually lock a user out, or will force them to reset their password following a certain number of login attempts. This prevents brute force hacking of a login/password combination.
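The lockout described above, as an added example (not code from AppBugs or from any of the apps named in the report): a server-side counter that locks an account after repeated failed logins. The class name, the threshold of 5 failures, and the 15-minute window and lockout period are assumptions; the report gives no specific numbers.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed threshold; the article names no number
WINDOW_SECONDS = 900   # assumed: failures older than this stop counting
LOCKOUT_SECONDS = 900  # assumed: how long a locked account stays locked


class LoginThrottle:
    """Server-side counter of failed logins per account, with lockout."""

    def __init__(self, check_password, clock=time.monotonic):
        self._check = check_password          # callable(account, password) -> bool
        self._clock = clock                   # injectable so tests control time
        self._failures = defaultdict(deque)   # account -> failure timestamps
        self._locked_until = {}               # account -> time the lock ends

    def attempt(self, account, password):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        now = self._clock()
        until = self._locked_until.get(account)
        if until is not None:
            if now < until:
                # Locked: reject without checking, so even a correct guess
                # gains nothing during the lockout.
                return "locked"
            del self._locked_until[account]

        if self._check(account, password):
            self._failures.pop(account, None)  # success resets the counter
            return "ok"

        recent = self._failures[account]
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:  # drop failures outside window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            recent.clear()
            return "locked"
        return "denied"
```

The count has to live on the server and be keyed by account: a limit enforced only inside the mobile app does nothing for requests sent directly to the login API.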
AppBugs says they checked the most popular apps in both the iOS and Android app stores to see how they stacked up against a brute force attack. Of 100 apps that have at least 1 million downloads – and support password-protected accounts – AppBugs found 53 apps were vulnerable.
AppBugs notified the developers of the apps and gave them 30 days to fix the security flaw before publishing the names of the apps. AppBugs today published the names of a handful of the apps, including those from Songza, Pocket, Wunderlist, iHeartRadio, WatchESPN, Expedia, Dictionary, CNN, Domino’s Pizza USA, Zillow, AutoCAD 360, Slack, SoundCloud, Kobo and Walmart.
AppBugs says only Dictionary, Wunderlist, and Pocket have fixed the problem, leaving all of the others vulnerable to brute force password cracking. The firm will announce all of the other apps on July 30th.
Hopefully, this report will spur app developers to take a closer look at how they protect logins. In the meantime, make sure you don’t use the same login/password combo on multiple sites. Always try to come up with a password that’s hard to guess. (Don’t use your mother’s maiden name, the name of pets, or your birthday.) And use a password management app such as 1Password. That’s what we use here at MacTrast; it can generate random passwords and store them for you.