Regular readers will know that I have spent a not inconsiderable time grumbling about the poor state of Android security, with many consumers left in the lurch by their manufacturers without any method of updating their devices to protect against newly-discovered security vulnerabilities in the operating system.
However, the truth is that there’s something that’s much more critical to smartphone security than whether you chose an iPhone or an Android – and that’s third-party apps.
You can have the most secure OS in the world, with a seamless updating infrastructure for security patches, but it’s not going to do you any favours at all if you’re running an app which is sloppy when it comes to keeping your personal information private and secure.
Researchers at Wandera have taken a close look at one app called PanicGuard, and found it lacking.
What makes PanicGuard’s failures particularly ironic is that it is actually intended to keep you safe.
As you can see from the app’s promotional video, PanicGuard is targeted specifically at people who feel vulnerable – including those who suffer from domestic abuse, people being stalked, or those who are worried about walking through the dodgy end of town…
If you feel threatened, the app can contact your nearest and dearest, telling them to contact the police, sharing your location and even taking video footage of your attacker.
PanicGuard was the first such personal safety app to be approved by UK police, but clearly it hasn’t been properly vetted for security flaws.
Wandera’s research reveals that PanicGuard fails to properly encrypt the user’s personal information, potentially exposing it to Wi-Fi sniffing hackers:
PanicGuard requires users to fill in their personal credentials upon their initial login. This includes obvious things like first name, last name, and e-mail; however, the app also takes in more personal information. Date of birth, country, and emergency contact information are also required to register.
Furthermore, users’ locations are established during the login process including their exact longitude and latitude. For someone downloading a personal safety app, this information all seems pretty standard. However, what the innocent users of PanicGuard are unaware of is that their information is being transferred in plaintext over the internet.
This basically means that the HTTP connection the app uses to send information to its server is extremely insecure. Due to the nature of the connection, users’ credentials are susceptible to third party exposure.
There’s really no excuse for such apps to use plaintext HTTP to transfer personal information in this day and age. Anyone on the same Wi-Fi network, or anywhere along the route to the server, can read every field of an unencrypted request exactly as the user typed it; sending the same request over HTTPS is the bare minimum.
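To make the quoted finding concrete, here is an added example (written for this article, not code from the page, from Wandera or from PanicGuard): it parses a constructed plaintext HTTP registration request of the kind a passive observer on a shared Wi-Fi network would capture, and lists the personal fields that can be read straight off the wire. The host, endpoint paths, field names and values are all assumptions made up for the illustration; it also handles a JSON body, which real apps use at least as often as form encoding.

```python
"""What a Wi-Fi sniffer sees when an app posts personal data over plain HTTP.

Added example. The two captured requests below are CONSTRUCTED for
illustration; host, paths, field names and values are assumptions.
"""
import json
from urllib.parse import parse_qs

# Constructed capture 1: a form-encoded registration request, as a sniffer
# would reassemble it from the TCP stream. Content-Length is computed so the
# header is always consistent with the body.
FORM_BODY = (
    b"first_name=Alice&last_name=Smith&email=alice%40example.invalid"
    b"&dob=1990-05-17&country=GB&emergency_contact=%2B447700900123"
    b"&lat=51.5014&lon=-0.1419"
)
CAPTURED_FORM = (
    b"POST /api/register HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: %d\r\n"
    b"\r\n" % len(FORM_BODY)
) + FORM_BODY

# Constructed capture 2: a JSON location update from the same hypothetical app.
JSON_BODY = json.dumps(
    {"email": "bob@example.invalid", "lat": 53.4808, "lon": -2.2426}
).encode("utf-8")
CAPTURED_JSON = (
    b"POST /api/location HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: %d\r\n"
    b"\r\n" % len(JSON_BODY)
) + JSON_BODY

# Field names a tester would treat as personal data in this kind of app.
SENSITIVE_KEYS = {
    "first_name", "last_name", "email", "dob", "date_of_birth", "country",
    "emergency_contact", "phone", "lat", "lon", "latitude", "longitude",
    "password",
}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and body.

    Nothing here needs a key or a certificate: with plain HTTP the request
    is readable by anyone who can see the packets.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: end of headers not found")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes from the stream are not treated
    # as part of this request's body.
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "path": path, "headers": headers,
            "body": body[:length]}


def extract_fields(request: dict) -> dict:
    """Decode the submitted fields from a form-encoded or JSON body."""
    content_type = request["headers"].get("content-type", "")
    body = request["body"].decode("utf-8")
    if content_type.startswith("application/x-www-form-urlencoded"):
        # parse_qs undoes the percent-encoding (%40 -> @, %2B -> +).
        return {key: values[0] for key, values in parse_qs(body).items()}
    if content_type.startswith("application/json"):
        return json.loads(body)
    return {}


def find_exposed_pii(fields: dict) -> dict:
    """Return only the fields a tester would flag as personal data."""
    return {key: value for key, value in fields.items()
            if key.lower() in SENSITIVE_KEYS}


def audit(raw: bytes) -> dict:
    """One-shot check: which personal fields does this plaintext request leak?"""
    return find_exposed_pii(extract_fields(parse_http_request(raw)))


if __name__ == "__main__":
    for capture in (CAPTURED_FORM, CAPTURED_JSON):
        request = parse_http_request(capture)
        print(f"{request['method']} {request['path']} leaks:")
        for key, value in audit(capture).items():
            print(f"  {key} = {value!r}")
```

Run on the two constructed captures, the script prints the registration fields (name, e-mail, date of birth, country, emergency contact, latitude and longitude) and the location update, decoded back to exactly what the user entered. The same parser applied to an HTTPS capture would fail at the first step, because the observer sees only the TLS handshake and ciphertext, which is the whole point of the fix. As a practical check during app testing, both mobile platforms also offer an app-wide setting to refuse cleartext HTTP (Android's network security configuration, App Transport Security on iOS), which turns this class of bug into a failed request in testing rather than a leak in the field.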
It’s ironic to think that an app designed – with obviously good intentions – to keep people safe, has at the same time reduced their security.