Security Vulnerabilities on Square’s Mobile Payment App Found by ViaForensics

Jun 8, 2011

Most of us are probably tired of hearing about yet another security breach, but most of us would also think that all this press about security issues would keep companies at the top of their game. This latest threat is not on a server or in a data center; it sits in mobile (smartphone) applications on both Android and iOS. The finding about Square’s mobile payment app is the most disconcerting, but Square is not the only company whose app vulnerabilities ViaForensics uncovered. The other companies on the list are also big names: LinkedIn Corp., Netflix, Inc., and Foursquare.

Here is the security risk: the apps were found storing certain portions of user information in unencrypted form on the mobile device. In other words, some information was being stored in plain text on the phone. That doesn’t mean hackers will instantly run off with your credit card number; it means that some sensitive information is exposed. To exploit this weakness an attacker would need physical access to the device, or would need to reach the stored data through malicious software such as spyware or malware. Given the news about malware already turning up on some mobile devices, that is not very reassuring.

The iPhone version of Square’s mobile payment app was found to leave the most recent digital signature exposed, as well as the transaction history. In Square’s defense, spokeswoman Katie Baynes said that some information has to be stored on the phone in order to track transactions, such as the customer’s last name and the last four digits of the credit card number. Square stated that it follows the PCI Security Standards Council’s standard practices. It did not comment on the digital signature.

The Android apps for LinkedIn and Netflix were found to leave the user name and password exposed. This opens up a somewhat different risk, because many people reuse the same user name and password across multiple sites, so that login information could let attackers into other sensitive accounts. Both LinkedIn and Netflix said they were aware of the vulnerability and were working to patch it.
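As an added illustration (not code from the article, from ViaForensics, or from any of the apps named), here is a small Python audit of the kind a developer or tester can run over a copy of their own app's on-device storage to catch the two problems described above: credentials saved under plaintext keys, and full card numbers written to disk. The file names and contents are constructed samples, not real data from Square, LinkedIn or Netflix.

```python
import re

# Constructed sample of an app's data directory: path -> file contents.
# Nothing here comes from a real device; it only exercises the checks below.
SAMPLE_FILES = {
    "shared_prefs/login.xml": (
        '<map><string name="username">alice@example.com</string>'
        '<string name="password">hunter2</string></map>'
    ),
    # Truncated card data plus a last name, as the article says Square keeps.
    "databases/history.db.dump": "customer=Doe;last4=4242;sig=/data/sig1.png",
    # A full card number on disk is what an audit must catch.
    "cache/full_pan.txt": "4111111111111111 expires 12/14",
    "cache/safe.txt": "token=8f3a...; order=12345",
}

# Preference keys that should never hold a plaintext value.
PLAINTEXT_CRED_KEYS = re.compile(r'name="(password|passwd|pwd|pin)"', re.I)
# Candidate primary account numbers: 13 to 19 consecutive digits.
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random long numbers are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_file(path: str, content: str) -> list:
    """Return (path, finding) pairs for one file."""
    findings = []
    if PLAINTEXT_CRED_KEYS.search(content):
        findings.append((path, "plaintext credential key"))
    for m in PAN_CANDIDATE.finditer(content):
        if luhn_ok(m.group()):
            findings.append((path, "full card number (Luhn-valid)"))
    return findings


def audit(files: dict) -> list:
    """Scan every file in the sample and collect all findings."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_file(path, content))
    return findings
```

The last-four digits and last name in the transaction history are deliberately not flagged, since the article reports Square keeps that data by design; the scan reports only the full card number and the plaintext password key.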

What is the root cause? ViaForensics believes it is because developers do not make security their top priority. Developers tend to focus on delivering quality apps in an overcrowded marketplace. What do you think? Is mobile device security a thing of the future, or are we safe leaving software security in the past?

[via Wall Street Journal]
