Popular iOS and Android apps from companies like Walmart, ESPN, Slack and SoundCloud have been found vulnerable to password cracking, according to a recent report from AppBugs. The security firm found that dozens of the most popular apps are lacking, in that they allow you to make any number of attempts to login without restriction. These clearly opens up a gap for attackers who have the means to guess those passwords and gain access to your accounts.
The most secure apps will force you to reset your password if you don’t enter it correctly, or they’ll lock you out after you’ve made a certain number of attempts.
AppBugs tested the most popular apps to see how they stacked up. It checked 100 popular apps which support password-protected web accounts and limited themselves to apps which had been downloaded at least 1 million times. Of those 100 apps, 53 were found to have the vulnerability.
In order to safeguard those apps, the security firm gave the developers 30 days to fix the security concern. So far, AppBugs has published the names of just a handful of those apps. Those published today include Songza, Pocket, Wunderlist, iHeartRadio, WatchESPN, Expedia, Dictionary, CNN, Domino’s Pizza USA, Zillow, AutoCAD 360, Slack, SoundCloud, Kobo and Walmart. Of that list, only Dictionary Wunderlist and Pocket have fixed the problem. The others are still vulnerable to password cracking. On July 30th, the rest of the app names currently unpublished will be made public.
On the user side, there’s very little that can be done to protect from a possible attack. We only need to look back at the iCloud attack from last year to realize that it can, and does happen. If you have a really secure password that’s hard to guess, you’re definitely less at risk. But, chances are on mobile apps, passwords are created to be easy to type and easy to remember. This, of course, makes them less secure.
Personally, I use 1Password to manage all my passwords across devices and for each new account I generate a secure password that I don’t remember. As far as being secure goes — on the user side — that’s almost all you can do. Switch on 2-factor authentication if it’s available (none of the listed apps offer that either).