Android Instapaper users at risk of man-in-the-middle attacks

Instapaper is a great little smartphone app, useful for saving any interesting articles you stumble across while browsing the web, so you can peruse them later at your convenience in an easy-to-read format.

But, say security researchers at Bitdefender, the Android version of Instapaper has a vulnerability that could allow hackers to snoop upon your account’s username and password.

According to a Bitdefender blog post, Instapaper is vulnerable to a “man-in-middle” attack if you try to log into your account via a WiFi network that is being monitored by malicious hackers.

Password exposed

The problem is that although Instapaper handles the entire communication via HTTPS, it performs no validation of the certificate for the server it is communicating with. Which means that an attacker could use their own self-signed certificate and start “communicating” with the victim’s app.

Although you may not (or perhaps you do) care that much about an unauthorised party seeing which articles you are storing in your Instapaper account, the problem gets even more serious when you consider that many users are likely to be using the same password for many other online accounts.

Bitdefender says it informed the developers of the Instapaper app of the problem, who have tweeted back that it is fixed in the latest version available from the Google Play store.

For a long time I have felt that the biggest security problem facing smartphone users is the apps that they run on their devices. Too many apps, amongst them some of the world’s most popular apps, are doing a poor job of securing their users’ information.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Android Instapaper users at risk of man-in-the-middle attacks”

  1. Bob

    Graham, there's a typo in your article: "HTTTPS" (too many t's).

    I wish more mobile apps (and browsers) would implement certificate pinning; it would make the internet a safer place and reduce very many MiTM attacks.
