
Unique Device ID Tracking Performed By Some Apple Apps

BitDefender UK : 13 August, 2012  (Technical Article)
BitDefender provides details of iOS apps that can cause vulnerabilities by broadcasting unencrypted data or tracking UDIDs
A recent study by Bitdefender on iOS apps reveals that a large number broadcast unencrypted data and track Unique Device IDs.

The study’s main objective was to show users how their data may be used. Although many apps legitimately access services such as social networking and location tracking, developers also have access to a significant amount of personal data that can easily be accessed and collected.

Leads 360 is an iOS app that features a major security flaw – it does not secure user credentials. It sends a user’s password as soon as it is typed, without encrypting it. This is worrying because, as a lead management app, it would be expected to have tighter security measures. The app has high user ratings in Apple’s App Store, so users seem to be satisfied with its overall performance, although they remain unaware of the risks they are exposing themselves to.

One way such credentials could be lost is by connecting to an unsecured Wi-Fi network, where anyone with minimal technical know-how can easily collect them. Sending passwords in plain text makes an attacker’s job extremely easy.

Following a recent update, another iOS app, Mountainbike Lite, implemented tighter security by encrypting data stored on the device. Such actions are commendable as developers become aware of the security gaps in their apps and work to fix them.

Before the update, Mountainbike Lite account credentials were broadcast without being encrypted. This was a security risk as many users have the same credentials for multiple accounts on various networks. As such, they became vulnerable to further data loss from other accounts in case those credentials were inadvertently leaked.

Mountainbike Lite also collects users’ UDIDs (Unique Device Identifiers) and uploads them to its server. No explanation is given as to how or why they are used. Apple has set out to deprecate UDIDs, and developers should switch to using less intrusive IDs in their apps.
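Both findings above, credentials sent unencrypted and UDIDs uploaded to a server, can be checked for when reviewing a capture of an app's own traffic. The following is an added example, not code from Bitdefender's study: it assumes form-encoded parameters, a hypothetical list of credential parameter names, and constructed sample requests against made-up hosts.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that usually carry secrets (assumed list, extend per app).
CRED_KEYS = {"password", "passwd", "pass", "pwd"}
# Legacy iOS UDIDs are 40 hexadecimal characters.
UDID_RE = re.compile(r"^[0-9a-fA-F]{40}$")

def audit_request(method, url, body=""):
    """Return a sorted list of findings for one captured request."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        # Assumes an application/x-www-form-urlencoded body.
        params += parse_qsl(body, keep_blank_values=True)
    findings = set()
    for key, value in params:
        # A credential is only "cleartext" when the transport is plain HTTP.
        if key.lower() in CRED_KEYS and parts.scheme == "http":
            findings.add("cleartext-credential:" + key)
        # A UDID leaving the device is flagged whatever the transport.
        if UDID_RE.match(value):
            findings.add("udid-upload:" + key)
    return sorted(findings)

# Constructed sample capture (hosts, paths and values are made up).
SAMPLE = [
    ("POST", "http://api.example.test/login", "user=alice&password=hunter2"),
    ("POST", "https://api.example.test/login", "user=alice&password=hunter2"),
    ("GET", "http://stats.example.test/ping?device=" + "a1b2c3d4e5" * 4, ""),
    ("GET", "https://cdn.example.test/tiles?z=3&x=1&y=2", ""),
]

def audit_capture(capture):
    """Map each request that has findings to its list of findings."""
    report = {}
    for method, url, body in capture:
        found = audit_request(method, url, body)
        if found:
            report[method + " " + url.split("?")[0]] = found
    return report

if __name__ == "__main__":
    for req, found in audit_capture(SAMPLE).items():
        print(req, "->", ", ".join(found))
```
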

Catalin Cosoi, Chief Security Researcher at Bitdefender, said: “Fortunately, iOS developers regularly update their apps with security fixes, and not simply with new features and polished user interfaces. They are not to blame if users connect to unsecure Wi-Fi networks or use the same login credentials on all their accounts. From a technical point of view, apps behave as they should, but users need to be aware that developers might not always take the proper measures to secure users’ privacy.”
   © 2012 ProSecurityZone.com