Popular iOS and Android apps from companies like Walmart, ESPN, Slack and SoundCloud have been found vulnerable to password cracking, according to a recent report from AppBugs. The security firm found that dozens of the most popular apps are lacking, in that they allow you to make any number of attempts to log in without restriction. This clearly opens up a gap for attackers who have the means to guess those passwords and gain access to your accounts.
The most secure apps will force you to reset your password if you don’t enter it correctly, or they’ll lock you out after you’ve made a certain number of attempts.
AppBugs tested the most popular apps to see how they stacked up. It checked 100 popular apps which support password-protected web accounts and limited itself to apps which had been downloaded at least 1 million times. Of those 100 apps, 53 were found to have the vulnerability.
In order to safeguard those apps, the security firm gave the developers 30 days to fix the security concern. So far, AppBugs has published the names of just a handful of those apps. Those published today include Songza, Pocket, Wunderlist, iHeartRadio, WatchESPN, Expedia, Dictionary, CNN, Domino’s Pizza USA, Zillow, AutoCAD 360, Slack, SoundCloud, Kobo and Walmart. Of that list, only Dictionary, Wunderlist and Pocket have fixed the problem. The others are still vulnerable to password cracking. On July 30th, the rest of the app names, currently unpublished, will be made public.
On the user side, there’s very little that can be done to protect against a possible attack. We only need to look back at the iCloud attack from last year to realize that it can, and does, happen. If you have a really secure password that’s hard to guess, you’re definitely less at risk. But chances are that on mobile apps, passwords are created to be easy to type and easy to remember. This, of course, makes them less secure.
Personally, I use 1Password to manage all my passwords across devices and for each new account I generate a secure password that I don’t remember. As far as being secure goes — on the user side — that’s almost all you can do. Switch on 2-factor authentication if it’s available (none of the listed apps offer that either).
Oh, by all means, let’s make passwords even more difficult to store, remember and access in an emergency! By the way, the password system is severely broken. Now, more and more of my passwords are my thumbprint.
Fact check: Slack offers 2-step verification.
https://slack.zendesk.com/hc/en-us/articles/204509068-Enabling-two-factor-authentication
This is not a vulnerability in the apps, but on the server.
Of course most of us have learned that expiring a password after a number of guesses is not a solution, because that approach opens up a huge DoS security vector. For a simple everyday example, those of us on corporate MS Exchange services know what a mess a simple password change can become when thoughtless, amateur security managers create policy out of ignorance: changing your own password becomes a nightmare of lockouts.
The right solution is good passwords and to just slow down the guessing. If you have a password with 2^64 complexity, it will take a few billion years of guesswork if an attacker can’t try to guess more than 24 times in a day.
Incorrectly, AppBugs dismisses this approach as inadequate “for those with a botnet” (completely untrue), and also incorrectly describes such an approach as a “web application firewall”.
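One way to implement the slow-down approach the commenter describes, as an added example that is not AppBugs' code or any named app's: failures accumulate per account inside a one-day window, each failure beyond the first five doubles the wait before the next attempt is even checked, and the wait is capped so the account is throttled but never hard-locked. The class and constant names here are invented for the illustration.

```python
"""Per-account login throttle: slow guessing down without locking the account out.

Illustrative code only (constructed for this example); the constants are assumptions.
"""
import time
from collections import defaultdict

MAX_FREE_FAILURES = 5    # failures tolerated before any delay is imposed
BASE_DELAY = 1.0         # seconds of wait after the first excess failure; doubles each time
MAX_DELAY = 3600.0       # cap: the real user can always retry within an hour (no DoS lockout)
WINDOW = 86400.0         # failures older than one day are forgotten


class LoginThrottle:
    def __init__(self, now=time.monotonic):
        self._now = now                       # injectable clock so behaviour is testable
        self._failures = defaultdict(list)    # account -> timestamps of recent failures

    def _prune(self, account):
        cutoff = self._now() - WINDOW
        self._failures[account] = [t for t in self._failures[account] if t > cutoff]

    def required_delay(self, account):
        """Seconds the caller must still wait before an attempt is accepted (0.0 = none)."""
        self._prune(account)
        fails = self._failures[account]
        excess = len(fails) - MAX_FREE_FAILURES
        if excess <= 0:
            return 0.0
        wait = min(BASE_DELAY * 2 ** (excess - 1), MAX_DELAY)   # exponential backoff, capped
        return max(0.0, fails[-1] + wait - self._now())

    def attempt(self, account, password_ok):
        """Record one login attempt; return True only if it is accepted and the password is right."""
        if self.required_delay(account) > 0:
            return False                      # too early: rejected before the password is checked
        if password_ok:
            self._failures.pop(account, None) # success clears the failure history
            return True
        self._failures[account].append(self._now())
        return False
```

Because the wait is capped rather than converting into a lockout, an attacker sending a flood of wrong guesses can slow a target account down but cannot make the legitimate user's password expire.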
I use LastPass for the same, and the TouchID integration as well as extensions on iOS are fantastic. However, that does bring to light one vulnerability, which is these password managers. If someone does hack them, we are all screwed.