UPDATED with comment from Blue Shield of California.
iPhone users shouldn't feel too smug about their phone's security — iOS apps are just as unsafe to use as Android apps, a security researcher and college instructor told the Def Con hacking conference this past weekend.
Like many Android apps, many iOS apps transmit user passwords in plaintext or save the password unprotected on the phone, said Sam Bowne, an instructor at the City College of San Francisco. Others fail to use encryption properly, rendering the apps vulnerable to attacks.
"Finding vulnerabilities in mobile apps is like taking a time machine back to the early '90s when people didn't know anything about security," Bowne said.
However, because Apple has made it very difficult to examine iOS apps or the iOS operating system, no one knew how unsafe iOS apps really were until recently.
"I did a lot of Android auditing because it's very easy on Android," Bowne said. "It was very difficult on iOS until Checkra1n."
Last fall, a team led by one of Bowne's former students released the Checkra1n jailbreak, which cracks open the software of any iPhone model from the iPhone 4s to the iPhone X. That gave Bowne the chance to examine iOS apps.
"I discovered that it is true what I had heard -- that iOS apps are just as bad as Android apps," Bowne said, even though "the [iOS] operating system is a little more secure, and the coding language is harder to reverse engineer."
Much of the blame falls on third-party app developers that are contracted to build apps for other companies, Bowne said. But ultimately, the responsibility lies with the companies whose names are on their apps.
"It's painfully obvious," Bowne said, "that the standards of most app developers are extremely low, and that the management [of the companies that use the apps] does not review the security of apps they purchase from third-party developers, not even for the simplest flaws."
When your banking app makes elementary security mistakes
Ten or 15 percent of Android apps that Bowne has examined make elementary security mistakes, the researcher told the Def Con attendees.
As of 2015, those included top banking, stock-trading and insurance apps, all from brands that are household names. None of the apps had integrity checks to prevent their code from being tampered with.
"You can see the source code, you can modify the code, you can make a modified app and run it, and they don't detect that it's modified and they don't detect that it's an unauthorized app when it connects to the server," Bowne said.
Crooks could use these flaws to create modified versions of the Android apps. If a crook got you to install one of the corrupted apps, the crook would gain access to your account as soon as you logged in.
There's a list of these vulnerable banking, stock-trading and insurance apps on Bowne's website. We're not naming them here because some have likely been fixed since Bowne found the flaws in 2015.
'Very strange' password handling
"An enormous number of apps remember who you are by storing your password locally on the phone," Bowne said, which he called "very strange." It's a shortcut that creates unnecessary risks.
Bowne named more than a dozen Android apps from well-known restaurant, supermarket, drugstore, home-improvement and office-supply retail chains that, as of 2017, stored user passwords locally either in plaintext or with bad encryption that could easily be cracked.
Now for the bad news for iPhone users. You'd assume that iOS apps would be safer, because overall Apple's mobile operating system is harder to break into. But that's not the case, Bowne said.
"I never really knew how bad it was on iOS" until the Checkra1n jailbreak, developed by Bowne's former student AxiomX, he said: "I couldn't really look inside the file system."
"Because of him and the team that joined him to make the Checkra1n exploit, we could now get into the system of modern iPhones," Bowne said. "And that was fun."
iOS apps have the same problems
During December 2019 and January 2020, Bowne said, "I audited a few hundred iPhone apps — and I found all the same problems with iPhone apps."
For example, the Blue Cross Blue Shield of Massachusetts iOS app stored passwords on the phone without encryption.
The Blue Shield of California iOS app broke web encryption, making it vulnerable to man-in-the-middle attacks. In 2014, Fandango and Credit Karma were fined by the FTC because their Android and iOS apps did this too.
[Update: In response to our query, Blue Shield of California said that its iOS app had been fixed.]
The West Point and Air Force Academy athletics teams' iOS apps both transmitted user passwords over the internet in plaintext, Bowne said. The Zillow Rentals iOS app stored passwords in plaintext on the phone.
Reached for comment, a Zillow spokesperson told Tom's Guide, "We are aware of the reported issue affecting iOS users and our teams are working to develop an update to protect our customers. We'll be releasing a security update soon that users can download via the App Store."
Apple's best app protection is optional
Bowne was surprised by the passwords transmitted in plaintext from iOS apps, because he thought Apple's App Transport Security (ATS) protection feature made encryption mandatory. But he checked Apple's developer guides and found that apps don't have to use ATS. A separate study in mid-2019 found that fully two-thirds of iOS apps didn't use ATS at all.
"I had believed that Apple was more secure than that, but it's not so," Bowne said. "And it's certainly not so in practice."
Even the iOS app for students at Bowne's own school, City College of San Francisco, transmitted user passwords with broken encryption, he said. Several other colleges around the country used the same developer to build their iOS apps, with the same results.
Bowne found nearly a dozen iOS apps from regional banks in the Midwest and California, built by two different developers, that exposed user passwords in a log file on the phone.
"You would think, at least, that a developer that's making a whole product line would have some security auditing, but obviously they don't and their customers don't," Bowne said. "So you can just sell broken junk forever and nobody will catch you for a long time."
Bowne disclosed all these iOS app vulnerabilities to the app distributors earlier this year, and many have been fixed, he said, "if they're ever gonna be fixed."
The worst app in the world?
The "worst app in the world," Bowne said, is probably an Indian financial app for Android called Equity Pandit that he called "incredibly, mind-bogglingly insecure" even though it's still in common use.
Ideally, when you type your password into an app, the app should send the password in encrypted form to the app's server, where it should be compared to the encrypted password the server has on file for your username.
If the encrypted passwords match, then an encrypted authorization token should be sent from the server to your phone to grant you access.
Here's what the Equity Pandit Android app does instead, according to Bowne: When you type in your email address followed by an incorrect password, the Equity Pandit app sends your unencrypted email address to Equity Pandit's server.
The server looks up the correct password for your email address and transmits the unencrypted password to the app on your phone. Then the app checks the password you typed in against the correct password it has just been sent from the server.
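The two flows above differ in one place: where the comparison happens and which direction the secret travels. The code below is an added example, not code from the article or from any app it names. It implements the flow the article calls ideal on the server side, with one assumption spelled out: the server keeps a salted PBKDF2 hash rather than a reversible "encrypted password" (the standard practice that "encrypted form" loosely refers to), compares it in constant time, and returns only an opaque session token. The client then holds that token for later requests, which is also the alternative to the local password storage described earlier in the piece. A small model of the reverse flow attributed to the Equity Pandit app sits beside it so an audit helper can tell the two apart by whether a user's real password ever appears in a server response.

```python
"""Server-side login that never returns the password, beside the reverse flow.

Added example, not from the article. Assumptions: PBKDF2-HMAC-SHA256 with a
per-user salt as the stored credential (the article says only "encrypted"),
and a constructed user store. Round count is a typical value, not from the text.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000  # assumption: a common iteration count


def make_record(password: str) -> dict:
    """Stored credential: random salt plus PBKDF2-HMAC-SHA256 of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


# Constructed user store; the password material never leaves the server side.
USERS = {"alice@example.com": make_record("correct horse battery staple")}
SESSIONS = {}  # token -> email


def login(email: str, password: str) -> dict:
    """Flow the article calls ideal: verify on the server, return only a token."""
    rec = USERS.get(email)
    if rec is None:
        # Do the same hashing work for unknown users so response time does
        # not reveal which email addresses have accounts.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
        return {"ok": False}
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, rec["hash"]):
        return {"ok": False}
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return {"ok": True, "token": token}


def whoami(token: str):
    """Later requests carry the token; the phone never re-sends or stores the password."""
    return SESSIONS.get(token)


# Model of the reverse flow the article attributes to the Equity Pandit app:
# the server looks the password up and hands it to the phone for comparison.
PLAINTEXT_STORE = {"alice@example.com": "correct horse battery staple"}  # constructed


def broken_lookup(email: str) -> dict:
    return {"password": PLAINTEXT_STORE.get(email)}


def response_exposes_password(response: dict, known_passwords) -> bool:
    """Audit check: does any value in a server response equal a real user password?"""
    return any(v in known_passwords for v in response.values() if isinstance(v, str))


if __name__ == "__main__":
    secret = {"correct horse battery staple"}
    good = login("alice@example.com", "correct horse battery staple")
    print("token-based login leaks password:", response_exposes_password(good, secret))
    print("reverse flow leaks password:", response_exposes_password(broken_lookup("alice@example.com"), secret))
```

The audit helper is the part that generalizes: in a test harness with known test-account passwords, run it over every captured server response, and any hit means the comparison is happening on the wrong side of the connection.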
How to get anyone's password
Anyone who knows your email address can use this flaw to force the Equity Pandit server to send them your password, which the attacker will be able to see in plaintext using easily available Android emulation tools.
"I gave my students homework to just steal my password from my account on their server," Bowne said, referring to Equity Pandit's server. "Anybody can get anybody's password at any time."
Bowne said he told Equity Pandit about this problem with its Android app years ago, but the problem still hasn't been fixed. He continues to use the app in his hacking classes. Neither Equity Pandit's Android app nor its iOS app has been updated since early 2016.
"That is amazing to me," Bowne said, "that a company, especially a financial company, can just hand out all the passwords of everybody all the time and nobody cares and it's still going on."
Almost as bad was the University of Houston alumni app for Android, Bowne said. Before you even logged in, it would let you search for yourself on a list of alumni.
To make that easier, it would just send the school's entire alumni database to your phone, including alumni names, account numbers, credit card numbers, email addresses and passwords. That's before you even created an account.
This may have been done so that the lookup process would run faster on a phone with a bad network connection. But the upshot was that thousands of people were probably walking around with each other's personal private information on their phones. That Android app has since been fixed, Bowne said.
10 percent repair rate
Tom's Guide has reached out to Equity Pandit, the City College of San Francisco and Blue Shield of California seeking comment. Attempts to reach Blue Cross Blue Shield of Massachusetts were unsuccessful. We will update this story when we receive replies.
The problem with mobile-app flaws is that, in Bowne's experience, maybe 10 percent of companies that he notifies of flaws in their apps will ever fix them. That's better than a few years ago, Bowne said, when 2 percent of companies would fix the flaws and others would threaten to sue him or call him a criminal.
"It's becoming more common that they will at least admit that it is possible that they might have a security flaw," Bowne said, "and that in principle they should do something about it instead of just shooting the messenger."
PowerPoint slides for Bowne's Def Con presentation are on his website, and the video of the presentation is on YouTube, starting about 15 minutes in. If you'd like to learn more about reverse-engineering and auditing apps, many of Bowne's CCSF classes can be attended for free via remote-learning platforms.