0x0Lab Blog Just another damn blog


iPhone applications that transmit credentials using “unsafe” protocols

The iPhone SDK allowed for the creation of thousands of applications. However, some of these applications (probably more than I would like to admit), have not been coded with security in mind.
Nowadays a wireless Internet connection is a very common thing, and often people do not understand the dangers of sniffing or man-in-the-middle attacks.
A lot of the iPhone applications authenticate themselves on various services (twitter, facebook, ustream, etc.), but care has not been taken to actually transmit credentials (and information) safely and securely using either the phone's wireless or mobile connection. Call me paranoid, but I don't like my credentials, phone number, and any other details for that matter to be send remotely unencrypted.
In this post you can find a list of some iPhone applications that send credentials using plain-text or basic authentication, usually over http:

- Tweetdeck (version: 1.3): Uses http with basic authentication.

- Waze (version: 1.7.0): Uses http, password is plain-text.

- Ustream Live Broadcaster (version: 1.2): Uses http, password is plain-text.

- FriFi (version: 1.6): Uses its own protocol, password is plain-text. The application also transmits the users phone number to the FriFi servers.

- Knocking Vid (version: 1.2.1): Uses http, password is base64 encoded.

- Gowalla (version: 2.2.1): Uses http with basic authentication. (More info at Martin Kou's Blog)

- Foursquare (version: 1.9.1): Uses http with basic authentication. (More info at Martin Kou's Blog)

This list will be updated, whenever I find an application that transmits sensitive information using "unsafe" protocols.

Posted by cirrus

Filed under: Security Leave a comment