Personal Information at Stake in Enterprise Mobile Apps
August 22, 2013
By Jack Walsh

There have been several reports this year indicating that many popular free apps, and a surprising number of the most popular paid apps, on both Android and iOS, are not good at safeguarding sensitive information. From contacts to calendars, an amazingly high percentage of app developers don't seem concerned with protecting your sensitive information.

Beyond that general carelessness, there are apps that accidentally, spectacularly, and unexpectedly transmit your sensitive information. Take Tumblr (now part of Yahoo!) for example.

Tumblr admitted on its blog that its iOS app was sending user passwords in the clear: a user would start the app and log on, and as he/she did, the user's password was sent unencrypted over the network. Anyone sharing an unprotected WiFi network with the user, as in many hotel lobbies or coffee shops, could easily capture the user's Tumblr password. Here you can see a screenshot of such an unencrypted traffic capture. (The actual user's password has been altered.)

In this case, according to The Register, the problem was found by an employee testing Tumblr for suitability on his/her enterprise's mobile devices, which brings up a good point. While ICSA Labs strongly encourages enterprises to test their custom mobile apps for security and privacy, these same enterprises should also examine the apps that the company permits on its employees' devices. With such a confluence of unprotected and untested apps on employee smartphones and tablets, there are just too many opportunities for malware to enter the enterprise or for sensitive employee and proprietary information to exit.
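One concrete check an enterprise can run on an app it is evaluating, whether custom-built or third-party, is to route the test device's traffic through an interception proxy and flag any request that carries a credential over plaintext HTTP, which is exactly the defect in the Tumblr case above. The script below is an added example, not code from ICSA Labs, Tumblr or The Register; it assumes the proxy export has been reduced to a list of dicts with `method`, `url`, `headers` and `body` keys, and the sample capture it runs on is constructed for illustration.

```python
"""Audit captured app traffic for credentials sent without TLS.

Added example (not ICSA Labs, Tumblr or The Register code). It assumes the
tester has captured the app's outbound requests on a test device with an
interception proxy and exported them as dicts; SAMPLE_CAPTURE is constructed.
"""
import json
from urllib.parse import urlsplit, parse_qs

# Substrings that commonly mark secret-bearing fields in login/session traffic.
# This is a heuristic: it will also match names like "passphrase" or "authcode".
SENSITIVE_FIELDS = ("password", "passwd", "pass", "pwd", "secret", "token", "session", "auth")

# Constructed sample capture resembling a login flow: one cleartext login,
# one TLS login, one harmless image fetch, and a feed request that leaks a
# session identifier in the query string and a bearer token in a header.
SAMPLE_CAPTURE = [
    {"method": "POST", "url": "http://api.example.test/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "email=alice%40example.test&password=hunter2"},
    {"method": "POST", "url": "https://api.example.test/login",
     "headers": {"Content-Type": "application/json"},
     "body": '{"email": "alice@example.test", "password": "hunter2"}'},
    {"method": "GET", "url": "http://cdn.example.test/avatar.png?size=64",
     "headers": {}, "body": ""},
    {"method": "GET", "url": "http://api.example.test/feed?session=abc123",
     "headers": {"Authorization": "Bearer abc123"}, "body": ""},
]


def _is_sensitive(name: str) -> bool:
    """True if a parameter name looks like it carries a credential."""
    lowered = name.lower()
    return any(marker in lowered for marker in SENSITIVE_FIELDS)


def _body_fields(body: str, content_type: str) -> set:
    """Return the top-level field names of a form-encoded or JSON body."""
    if not body:
        return set()
    if "json" in content_type.lower():
        try:
            data = json.loads(body)
        except ValueError:
            return set()
        return set(data.keys()) if isinstance(data, dict) else set()
    # Anything else is treated as application/x-www-form-urlencoded.
    return set(parse_qs(body, keep_blank_values=True).keys())


def find_cleartext_credentials(capture):
    """Return (url, location, field) for every credential sent without TLS.

    Requests over https are skipped: an observer on a shared WiFi network
    sees only ciphertext for those. For plaintext http we inspect the query
    string, the body and the credential-bearing headers.
    """
    findings = []
    for req in capture:
        parts = urlsplit(req["url"])
        if parts.scheme.lower() == "https":
            continue
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        for name in parse_qs(parts.query, keep_blank_values=True):
            if _is_sensitive(name):
                findings.append((req["url"], "query", name))
        for name in _body_fields(req.get("body", ""), headers.get("content-type", "")):
            if _is_sensitive(name):
                findings.append((req["url"], "body", name))
        for header in ("authorization", "cookie"):
            if header in headers:
                findings.append((req["url"], "header", header))
    return findings


if __name__ == "__main__":
    for url, where, field in find_cleartext_credentials(SAMPLE_CAPTURE):
        print(f"CLEARTEXT CREDENTIAL: {field!r} in {where} of {url}")
```

Run against the constructed capture, the audit reports the form-encoded `password` in the plaintext login, the `session` parameter in the feed URL and the `Authorization` header on the same request, and stays silent on the TLS login and the image fetch. The field-name matching is deliberately broad; a tester reviews the findings rather than treating them as a verdict, and a clean run only covers the flows that were exercised during capture.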
