Instapaper is a great little smartphone app, useful for saving any interesting articles you stumble across while browsing the web for perusing later at your convenience in an easy-to-read format.
But, say security researchers at Bitdefender, the Android version of Instapaper has a vulnerability that could allow hackers to snoop upon your account’s username and password.
According to a Bitdefender blog post, Instapaper is vulnerable to a “man-in-the-middle” attack if you log into your account over a Wi-Fi network that is being monitored by malicious hackers.
The problem is that although Instapaper sends all of its traffic over HTTPS, the app performs no validation of the certificate presented by the server it is talking to. That means an attacker on the same network can answer with their own self-signed certificate, the app will accept it without complaint, and the attacker can then decrypt everything the app sends, including the username and password submitted at login. HTTPS only protects you if the client checks who is on the other end; encryption to an unverified party is encryption to whoever got there first.
You may not care very much (or perhaps you do) whether an unauthorised party can see which articles you have saved to your Instapaper account, but the problem becomes far more serious when you consider that many users reuse the same password across many other online accounts, so a login captured here can be tried elsewhere.
Bitdefender says it informed the developers of the Instapaper app of the problem, who have tweeted back that it is fixed in the latest version available from the Google Play store.
@BitDefenderLabs Thanks – anything pertaining to that is entirely fixed in the 4.2.2 release, which is currently live via Google Play.
— InstapaperHelp (@InstapaperHelp) June 23, 2015
For a long time I have felt that the biggest security problem facing smartphone users is the apps they run on their devices. Too many apps, among them some of the world’s most popular, do a poor job of securing their users’ information.
Further reading:
Graham, there's a typo in your article: "HTTTPS" (too many t's).
I wish more mobile apps (and browsers) would implement certificate pinning; it would make the internet a safer place and reduce very many MiTM attacks.