Summarizing across the categories, only 17% of apps received a complete Pass rating, while 83% received either a Fail or a Warn. The findings indicate that mobile applications currently store sensitive user data unencrypted in a large proportion of cases.
Overall ratings: Fail 39%, Warn 44%, Pass 17%.
The categories of application appear to diverge on how they implement data security. The Financial Apps tested in the study exposed much less data than the Social Networking Apps. Whereas nearly 75% of the Social Networking Apps received a Fail rating, only 25% of the Financial Apps received a Fail.
Usernames: Looking specifically at the storage of usernames, we were able to recover 76 of the 100 usernames used with the apps tested. At present, providers do not appear to consider the security implications of storing usernames in plain text.
What’s in a Username?
While most people may not consider their username sensitive information, it is in fact a very important piece of data. Many systems require only a username and password, so having the username means that 50% of the puzzle is solved. In addition, people often reuse their usernames, so a username recovered from one app will generally be valid on many other online services. Currently only a small percentage of mobile applications protect the username, but it is notable that several financial institutions do so, which clearly indicates the importance of protecting this information for the security of their users.
Passwords: Passwords were not found nearly as often as usernames. However, 10% of apps stored passwords in plain text, perhaps the most direct threat to user security in this study.
App Data: More than two-thirds of the tested apps were rated Warn or Fail, meaning private app data was recoverable. In the Fail cases, significantly sensitive data such as private communications, personal information or account numbers was stored in plain text.
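The username, password and app-data findings above all come down to one check: enter known test values into an app, then look for those values in what the app writes to its local storage. The following audit script is an added example, not part of the original study, and the Pass/Warn/Fail rule it applies is an assumption that approximates the report's ratings (password or account number recoverable is Fail, username only is Warn, nothing recoverable is Pass). It builds a constructed, throwaway app sandbox (a JSON preferences file, a SQLite cache, a log file and a random binary blob) so it runs offline; in practice `scan_sandbox` would be pointed at the data directory pulled from a test device. It also searches for the base64 encoding of each value, since encoding is not encryption and is a common reason a naive plain-text search misses data that is still trivially recoverable.

```python
import base64
import json
import os
import sqlite3
import tempfile

# Constructed test values an auditor would type into the app under test.
TEST_USERNAME = "audit.user@example.com"
TEST_PASSWORD = "CorrectHorse-Battery-42"
TEST_ACCOUNT_NO = "4111222233334444"

MARKERS = {
    "username": TEST_USERNAME,
    "password": TEST_PASSWORD,
    "account_number": TEST_ACCOUNT_NO,
}


def build_sample_sandbox(root, leaky=True):
    """Populate a constructed app data directory under `root`.

    With leaky=True it mimics an app that writes all three test values to
    disk unprotected; with leaky=False it writes only an opaque random blob.
    """
    os.makedirs(os.path.join(root, "Documents"), exist_ok=True)
    os.makedirs(os.path.join(root, "Library", "Preferences"), exist_ok=True)

    # Random bytes stand in for a properly encrypted token; must never match.
    with open(os.path.join(root, "Documents", "token.bin"), "wb") as f:
        f.write(os.urandom(32))

    if not leaky:
        return root

    # Username kept in a plain JSON preferences file (Warn-level finding).
    with open(os.path.join(root, "Library", "Preferences", "settings.json"), "w") as f:
        json.dump({"last_user": TEST_USERNAME, "theme": "dark"}, f)

    # Account number cached in SQLite; TEXT values are stored as raw UTF-8
    # inside the database file, so a byte search finds them (Fail-level).
    db = sqlite3.connect(os.path.join(root, "Documents", "cache.db"))
    db.execute("CREATE TABLE accounts (id INTEGER, number TEXT)")
    db.execute("INSERT INTO accounts VALUES (1, ?)", (TEST_ACCOUNT_NO,))
    db.commit()
    db.close()

    # Password written to a debug log, base64-encoded but not encrypted (Fail-level).
    encoded = base64.b64encode(TEST_PASSWORD.encode("utf-8")).decode("ascii")
    with open(os.path.join(root, "Documents", "app.log"), "w") as f:
        f.write("login ok for session token=" + encoded + "\n")
    return root


def scan_sandbox(root, markers=MARKERS):
    """Walk every file under `root` and report where each marker is recoverable.

    Each marker is searched both verbatim and in its base64 form.
    Returns {marker_name: [relative paths that contain it]}.
    """
    hits = {name: [] for name in markers}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                data = f.read()
            for name, value in markers.items():
                raw = value.encode("utf-8")
                variants = (raw, base64.b64encode(raw))
                if any(v in data for v in variants):
                    rel = os.path.relpath(path, root).replace(os.sep, "/")
                    hits[name].append(rel)
    return hits


def rate(hits):
    """Assumed approximation of the report's rating scale."""
    if hits["password"] or hits["account_number"]:
        return "Fail"
    if hits["username"]:
        return "Warn"
    return "Pass"


def audit(root):
    hits = scan_sandbox(root)
    return rate(hits), hits


def demo(leaky=True):
    """Build a constructed sandbox, audit it, and return (rating, hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_sandbox(tmp, leaky=leaky)
        return audit(tmp)


if __name__ == "__main__":
    for leaky in (True, False):
        rating, hits = demo(leaky)
        print(rating, {k: v for k, v in hits.items() if v})
```

The scan deliberately treats the whole sandbox uniformly rather than parsing each file format, because the point of the study's ratings is whether the value is recoverable from disk at all, not whether the app's own code would read it back. Anything that matches here would be equally visible to anyone who obtains a backup or an image of the device's data partition.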