Perhaps there’s no piece of software that’s 100% secure, but don’t we all like to think that official apps from reputable companies do have some solid security protocols which at least give intruders an incredibly difficult time to acquire our credentials?
Short answer: not really. AppBugs, a security firm, recently discovered that quite a few popular apps allow an unlimited number of login attempts – the perfect opportunity for attackers to run brute-force attacks with nothing to stand in their way.
The apps that are truly secure place a limit after the password has been entered incorrectly a few times and force the user to reset it. The list of analyzed apps (available on both Android and iOS) includes only products that support password-protected web accounts and that have at least 1 million downloads so far. Of the 100 tested apps, 53 were found vulnerable to password cracking.
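As an added illustration of the limit described above (not code from AppBugs or from any of the apps named), here is a minimal server-side login throttle: a few consecutive failures lock the account temporarily, and repeated lockouts force a password reset. The user store, salt, hash function and thresholds are constructed for the demo.

```python
import hashlib
import hmac
import time

# Constructed demo credential store (username -> salted hash), not a real service.
# A real service would use a slow password hash such as argon2 or bcrypt;
# sha256 is used here only to keep the example standard-library-only.
_SALT = b"demo-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}
_DUMMY_HASH = hashlib.sha256(_SALT + b"unused").hexdigest()  # for unknown users


class LoginThrottle:
    """Per-account failed-attempt limiter with temporary lockout and forced reset.

    max_failures: consecutive failures before the account is locked.
    lockout_seconds: how long attempts are refused after a lockout.
    max_lockouts: lockouts after which a password reset is required.
    clock: injectable time source so the behaviour can be tested offline.
    """

    def __init__(self, max_failures=5, lockout_seconds=900, max_lockouts=3, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.max_lockouts = max_lockouts
        self.clock = clock
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> unix time when the lockout ends
        self.lockouts = {}      # user -> number of lockouts so far
        self.needs_reset = set()

    def attempt(self, user, password):
        """Return 'ok', 'bad_password', 'locked' or 'reset_required'."""
        now = self.clock()
        if user in self.needs_reset:
            return "reset_required"
        if self.locked_until.get(user, 0) > now:
            return "locked"  # refused before the password is even checked
        supplied = hashlib.sha256(_SALT + password.encode()).hexdigest()
        # Constant-time compare, and compare even for unknown users so that
        # response timing does not reveal which usernames exist.
        matches = hmac.compare_digest(USERS.get(user, _DUMMY_HASH), supplied)
        if matches and user in USERS:
            self.failures.pop(user, None)  # success clears the failure counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.failures[user] = 0
            self.lockouts[user] = self.lockouts.get(user, 0) + 1
            if self.lockouts[user] >= self.max_lockouts:
                self.needs_reset.add(user)
                return "reset_required"
            self.locked_until[user] = now + self.lockout_seconds
            return "locked"
        return "bad_password"
```

Note that while the account is locked even the correct password is refused, which is what makes the guessing budget finite; the lockout window and thresholds should be tuned per service.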
The security company gave developers one month to fix the security problem, otherwise their names would be made public. They also say that the period can be extended by 60 more days for “App developers with good reasons” who make a request. As a result, we don’t have the complete list of vulnerable apps yet, only the 15 that have passed the 30-day period (and obviously failed to offer a “good reason” to request a delay).
These include Pocket, iHeartRadio, WatchESPN, Wunderlist, Songza, Dictionary, Domino’s Pizza USA, Expedia, CNN, AutoCAD 360, SoundCloud, Slack, Walmart, Dictionary and Kobo. So far, AppBugs says only Dictionary, Pocket and Wunderlist have fixed the issue.
So what can we do? We may well be using some of the undisclosed apps right now, with no way of knowing which they are. The security company says uninstalling the app is pointless, because the credentials are still stored on the server and thus remain vulnerable to attack. It appears the only real solution would be disabling the account.
AppBugs estimates that brute-forcing a password takes the attacker somewhere between 30 minutes and 24 days, depending on the strength of the targeted password. This means using stronger passwords is at least one layer of security we can all add.
They also recommend using two-factor authentication in all apps that support it, and have also mentioned that none of the apps they tested offer this function. Perhaps this is the one part of their announcement which bothers me. Slack offers two-factor authentication. With that said, it doesn’t mean Slack did not have the password attack vulnerability, only that they do offer an additional layer of protection.
I honestly didn’t check all 15 apps, but if you know others from that list which also support it, tell us in a comment.