The latest report from mobile security firm AppBugs has revealed that many popular smartphone apps are vulnerable to password cracking because they allow an unlimited number of login attempts. This means that an attacker could theoretically access a user's account by simply entering a huge number of passwords until the correct one is guessed.
While this type of brute force attack would normally take a long time to execute, mobile passwords tend to lack complexity due to the difficulties of entering strong passwords on a smartphone keyboard. If an attacker has the right tools and a lot of time at their disposal, they could gain access without much of a struggle.
Limiting the number of login attempts is one of the simplest ways to improve the security of a service's login process. While it could lock out legitimate users who fail to spell their password correctly after a number of attempts, placing even a relatively high limit on the number of attempts (say, 50) can prevent most brute force attacks.
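As an added illustration that is not part of the AppBugs report or the code of any app it names, here is a minimal server-side login handler in Python that applies the kind of per-account attempt cap the article recommends. The 50-attempt figure comes from the article; the 15-minute lockout, the PBKDF2 password storage, the injectable clock and all usernames and passwords are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Policy values for this constructed example: the article suggests a relatively
# high cap such as 50; the lockout duration and hashing cost are assumptions.
MAX_ATTEMPTS = 50
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 50_000


@dataclass
class AccountState:
    """Per-account failure counter and lockout expiry (Unix time, 0 = not locked)."""
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    """Password login with a per-account attempt cap (constructed example)."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so the lockout can be tested
        self._users = {}               # username -> (salt, derived key)
        self._state = {}               # username -> AccountState
        # Dummy credential: unknown usernames cost the same hashing work as
        # real ones, so response time does not reveal which accounts exist.
        dummy_salt = os.urandom(16)
        self._dummy = (dummy_salt, self._derive("dummy-password", dummy_salt))

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(password, salt))

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'. Failures are counted per account."""
        now = self._clock()
        state = self._state.setdefault(username, AccountState())

        if now < state.locked_until:
            return "locked"            # cap reached: the guess is not even checked
        if state.locked_until and now >= state.locked_until:
            state.failures, state.locked_until = 0, 0.0   # lockout has expired

        salt, expected = self._users.get(username, self._dummy)
        candidate = self._derive(password, salt)
        if username in self._users and hmac.compare_digest(candidate, expected):
            state.failures = 0         # a successful login clears the counter
            return "ok"

        state.failures += 1
        if state.failures >= MAX_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
        return "denied"

    def attempts_remaining(self, username):
        state = self._state.get(username, AccountState())
        return max(0, MAX_ATTEMPTS - state.failures)


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")   # constructed account
    for _ in range(MAX_ATTEMPTS):
        svc.login("alice", "wrong guess")
    print(svc.login("alice", "correct horse battery staple"))  # locked: cap reached
```

The counter is keyed by account rather than by source address, so spreading guesses across many clients does not defeat it, and a successful login resets it so a legitimate user who mistypes a few times is unaffected. A production service would persist the state across server instances and would pair this with per-client rate limiting and alerting on accounts that repeatedly hit the cap.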
AppBugs discovered around 50 Android and iPhone apps, downloaded more than 300 million times in total, that were vulnerable to this kind of attack. Developers were given 90 days' notice to fix the issue in their app before the vulnerability would be publicly disclosed, and as you might expect, 12 apps weren't fixed in this time period.
The apps that are vulnerable include those from AutoCAD, CNN, Domino's Pizza, ESPN, Expedia, iHeartRadio, Kobo, Slack, Songza, SoundCloud, Walmart, and Zillow. A number of other apps haven't been named yet, as their grace period hasn't expired, while the developers of Dictionary, Pocket and Wunderlist fixed the issue in their latest app updates.
Hopefully the remaining app developers who haven't addressed this issue with their apps do so promptly through what should be a relatively simple rate limit fix.