Clueful outs iOS apps sending unprotected passwords

By

Morphs into web app to skirt Apple ban.

Banned privacy watchdog app Clueful has re-emerged on the internet and has discovered iPhone apps that send passwords over WiFi in clear text.

Clueful outs iOS apps sending unprotected passwords

The iPhone version of the app was taken down from Apple’s app store in June after it was initially approved. The Cupertino giant refused to discuss the move and gagged developer BitDefender under a non-disclosure agreement from doing the same.

Clueful would scan installed iOS applications purchased for free from the app store to show users the privacy and security measures and risks the software presented. 

The latest incantation skirts Apple’s ban by serving the application as a web app, meaning it lacks the ability to scan iOS devices for installed apps and integrated touchscreen functions.

"It cannot see any of the apps on iPhone, but users can search them on the web, Bitdefender's head of online threats Catalin Cosoi said.

He said he hoped Apple would lift the ban within months, and said only that Cupertino did not ask for Clueful to be redesigned, leaving open questions that the app may have violated Apple's app policies.

Apple's local spokeswoman did not return a request for comment.

While Clueful was no longer an iPhone app, it has been resigned to detect new security gaffes, including whether apps fail to encrypt login credentials or encrypt the data using the defunct MD5 hash.  This would expose the data to interception when it was sent over unprotected wireless networks.

BitDefender’s Clueful team dug up three such apps for SC including Opera (operatory) Pager, a paid subscription app designed for sending messages between PCs, Mac and iOS devices in hospitals and general practitioner clinics.

Two further apps, Virtuoso and Chinese Writer also sent passwords in clear text or hashed with MD5.

A further cursory search on Clueful by SC found the official Qantas Frequent Flyer app exposed usernames in the same way. Online banking and popular e-commerce apps appeared to encrypt user data, though many tapped into location, contacts and social media such as Twitter.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
androidappapplebitdefenderencryptiongoogleiosmcafeemobilepasswordssecurity

Sponsored Whitepapers

Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra

Events

Most Read Articles

Australia's super funds told to assess authentication controls

Australia's super funds told to assess authentication controls
Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
The Northern Beaches Women's Shelter hones focus on tech-enabled abuse

The Northern Beaches Women's Shelter hones focus on tech-enabled abuse
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?