I have been wondering about iPhone app security for a long time. Most apps are connected to some sort of web service, but are they using SSL? We spent so much time educating users to check the security icon in their web browser, and now the iPhone comes out and nobody cares anymore! That bugs me, so I decided to find out.
After starting Wireshark on my router, I went through most of the applications on my iPhone, logging in, accessing my profile and my account details. The good news is that all the banking apps I tried connect over SSL. But many of the more casual apps do not. Ironically, the first app I found transmitting my login and password in plain text was the Squarespace app! And apparently it's not alone among the blogging apps, since Tumblr does the same. Honestly, it depresses me that in this day and age, developers still spend so much effort designing such cool apps and services and yet do not care about their security.
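The check described above, written up as an added example that is not part of the original post: it takes the first payload bytes of each captured connection, as Wireshark would show them, and reports whether the app opened a TLS session or sent a login form in the clear. The app names and sample flows are constructed, and the list of credential-like field names is an assumption.

```python
# Added audit helper (not from the original post): classifies captured TCP
# payloads the way the Wireshark review in the post did, flagging app logins
# that leave the device without TLS. Sample flows below are constructed.
from urllib.parse import parse_qs

# Assumed list of form fields worth flagging when sent in plain text.
CREDENTIAL_KEYS = {"password", "passwd", "pass", "pwd", "token", "email", "username"}

def is_tls_client_hello(payload: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # then a handshake message whose type byte (offset 5) is 0x01 (ClientHello).
    return len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01

def plaintext_credential_fields(payload: bytes) -> list:
    """Return credential-like field names found in a plaintext HTTP POST body."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return []  # binary or non-HTTP traffic; nothing readable to flag
    head, sep, body = text.partition("\r\n\r\n")
    if not head.startswith("POST ") or not sep:
        return []
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(k for k in fields if k.lower() in CREDENTIAL_KEYS)

def audit_flows(flows):
    """flows: list of (app_name, first_payload_bytes). Returns a verdict per app."""
    report = {}
    for app, payload in flows:
        if is_tls_client_hello(payload):
            report[app] = "encrypted (TLS)"
        else:
            leaked = plaintext_credential_fields(payload)
            report[app] = f"PLAINTEXT, leaks {leaked}" if leaked else "plaintext (no credentials seen)"
    return report

# Constructed sample captures: a TLS ClientHello record header, a clear-text
# login POST, and a clear-text GET that carries no credentials.
SAMPLE_FLOWS = [
    ("bank-app", bytes.fromhex("160301004a01000046") + b"\x00" * 70),
    ("blog-app", b"POST /api/login HTTP/1.1\r\nHost: example.invalid\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"email=user%40example.invalid&password=hunter2"),
    ("weather-app", b"GET /forecast?city=Paris HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    for app, verdict in audit_flows(SAMPLE_FLOWS).items():
        print(f"{app}: {verdict}")
```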
One might say that these are just passwords to your blog. No big deal. But everybody knows that most people use the same password on every site. And it's not just passwords. The LinkedIn app transfers your whole profile in the clear: name, e-mail address, resume, almost everything you need for identity theft, or to figure out the answer to the security question on the web sites where you did not reuse that password.
That's a good opportunity to remind everyone of two fundamental security rules. One, use a different password on every web site. Tools like LastPass make it very easy. Two, never connect to unencrypted Wi-Fi networks. Anyone on such a network can capture everyone else's data.
Finally, if none of this is news to you, please take the time to explain it to your less tech-savvy friends and relatives.
Short URL for this post: http://lepl.us/1k