Here's some bad news for Android users. Security researchers have discovered 100+ more apps that fail to encrypt
your login data properly, making it frightfully easy for hackers to
steal your password. What's worse: the vast majority of the app makers
aren't doing anything about it.
The specific issue, an HTTPS vulnerability, is hardly a new problem. In fact, we've known for years that Android apps are susceptible to this issue, and that it puts users' private information in jeopardy. So it's not really news that it's still around.
What might surprise you is that the list of affected apps includes include popular services like Match.com, NBA Game Time, Safeway, and-get ready-Pizza Hut. So if you've been ordering delicious hot dog pizza crust pizza from the Hut with your phone, you should change your password right now. You should also probably stop using these apps until you know they've been fixed.
Don't freak out too much: It's not all Android apps that suffer from this vulnerability. Security researchers say these apps have been downloaded over 200 million times so that's 200 million opportunities for hackers to steal passwords... but that's not a lot in the grand scheme of things.
[Ars Technica]
The specific issue, an HTTPS vulnerability, is hardly a new problem. In fact, we've known for years that Android apps are susceptible to this issue, and that it puts users' private information in jeopardy. So it's not really news that it's still around.
What might surprise you is that the list of affected apps includes include popular services like Match.com, NBA Game Time, Safeway, and-get ready-Pizza Hut. So if you've been ordering delicious hot dog pizza crust pizza from the Hut with your phone, you should change your password right now. You should also probably stop using these apps until you know they've been fixed.
Don't freak out too much: It's not all Android apps that suffer from this vulnerability. Security researchers say these apps have been downloaded over 200 million times so that's 200 million opportunities for hackers to steal passwords... but that's not a lot in the grand scheme of things.
Earlier this year, a batch of apps that had been downloaded over 350 million times were identified as being similarly insecure. (OkCupid was among them.) Faulty encryption was also the cause of a mobile security shake up back in 2012.
So it's not like app makers don't know that HTTPS vulnerabilities are a
problem. It's pretty infuriating that they're not doing anything about
it, though.
For a more detailed account of the so-called "Game-over HTTPS defect," watch the video above or check out the comprehensive coverage in Ars Technica. You could also try downloading AppBugs from
the Play Store to see if you have any dangerous apps, but fair warning:
though that app is made by the same security researchers who brought
these latest vulnerabilities to light, we haven't actually tried it
ourselves to see if it's any good.[Ars Technica]