Many popular smartphone apps are vulnerable to password cracking

By Scorpus
Jul 17, 2015
  1. The latest report from mobile security firm AppBugs has revealed that many popular smartphone apps are vulnerable to password cracking because they allow an unlimited number of login attempts. This means that an attacker could theoretically access a user's account by simply entering a huge number of passwords until the correct one is guessed.

    While this type of brute force attack would normally take a long time to execute, mobile passwords tend to lack complexity due to the difficulties of entering strong passwords on a smartphone keyboard. If an attacker has the right tools and a lot of time at their disposal, they could gain access without much of a struggle.

    Limiting the number of login attempts is one of the simplest ways to improve the security of a service's login process. While it could lock out legitimate users who fail to spell their password correctly after a number of attempts, placing even a relatively high limit on the number of attempts (say, 50) can prevent most brute force attacks.

    AppBugs discovered around 50 Android and iPhone apps, downloaded more than 300 million times in total, that were vulnerable to this kind of attack. Developers were given 90 days' notice to fix the issue in their app before the vulnerability would be publicly disclosed, and as you might expect, 12 apps weren't fixed in this time period.

    The apps that are vulnerable include those from AutoCAD, CNN, Domino's Pizza, ESPN, Expedia, iHeartRadio, Kobo, Slack, Songza, SoundCloud, Walmart, and Zillow. A number of other apps haven't been exposed as their grace period hasn't expired, while the app developers for Dictionary, Pocket and Wunderlist fixed the issue in their latest app updates.

    Hopefully the remaining app developers who haven't addressed this issue with their apps do so promptly through what should be a relatively simple rate limit fix.
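A server-side attempt limiter of the kind the article calls for, as an added example (not code from AppBugs or from any of the named apps). The limit of 50 is the article's figure; the 15-minute lockout, the injectable clock and the sample account are assumptions.

```python
"""Per-account login attempt limiter (added example, not the article's code)."""
import hashlib
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 50          # the "relatively high limit" the article suggests
LOCKOUT_SECONDS = 15 * 60  # constructed value: how long an account stays locked


def hash_password(password: str) -> str:
    # SHA-256 keeps the example short; a real service would use a slow,
    # salted hash such as bcrypt or argon2.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    """Counts failed logins per account and refuses attempts past the limit."""

    def __init__(self, users: dict, clock=time.time):
        self._users = users            # username -> password hash (constructed data)
        self._clock = clock            # injectable so the lockout can be simulated
        self._state: dict = {}

    def login(self, username: str, password: str) -> str:
        now = self._clock()
        st = self._state.setdefault(username, AccountState())
        if now < st.locked_until:
            return "locked"            # refused before the password is even checked
        stored = self._users.get(username)
        # Unknown users still pay the hashing cost, so timing does not reveal them.
        digest = hash_password(password)
        if stored is not None and hmac.compare_digest(stored, digest):
            st.failures = 0            # a good login clears the counter
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
        return "denied"


def simulate_guessing(service: LoginService, username: str, guesses: list) -> dict:
    """Runs a list of wrong guesses and returns how many were denied vs. locked out."""
    outcomes = [service.login(username, g) for g in guesses]
    return {"denied": outcomes.count("denied"), "locked": outcomes.count("locked")}
```

Because the counter lives on the server, the limit applies no matter which client or phone the guesses come from.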


  2. TraceAbsence TS Rookie

    I use 1Password, my favorite app of all time. They're welcome to try to crack my passwords if they have say 5 million years.
  3. That's why I have a Windows Phone
  4. Skidmarksdeluxe TS Evangelist Posts: 6,341   +1,939

    Good thinking. So few people use them and they have so few decent apps that they're not worth the effort to crack.
  5. Darth Shiv TS Evangelist Posts: 1,602   +370

    The login policy for apps is server side not phone side.
