Security vendor Zscaler has put SMS Touch on its Mobile App Wall of Shame. Why? Because SMS Touch lacks the most basic encryption and privacy protection for its users. The app, which is available from the Apple iOS App Store for just $1.99, allows users to send SMS messages for just 9 cents per message. For those who travel regularly or whose plans include only a limited number of texts, it is a good deal. Or is it?
According to Viral Gandhi, Senior Security Researcher, Zscaler: “Recently our ThreatLabZ team discovered that the app sends customer information and SMS messages over a cleartext network, presenting malicious actors the perfect opportunity to intercept login credentials as well as gain access to messages that may contain private information.”
Everything sent in clear
From the moment the user creates an account, their conversations are sent in the clear. This includes the account username and email address as well as the PIN code they receive from the server. The username and PIN are sent to the app server every time the user sends a message, so anyone who can observe the network traffic can capture those details and impersonate the user.
With the user's identity in hand, an attacker could message the user's contacts asking them to do something or to meet at a given location. It puts both user data and potentially the user's safety at risk. As the app is used in over 220 countries, the latter is a real risk.
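The exposure described above is straightforward to check for during app security testing: capture the app's traffic through a proxy and flag any request that carries credential fields over a scheme with no TLS. The script below is an added example, not Zscaler's or the app developer's code. It assumes the app posts form-encoded fields named `username`, `email` and `pin` (names modelled on the report, not confirmed from the app), and the sample requests are constructed for illustration.

```python
"""Audit captured app traffic for credentials sent over cleartext HTTP.

Added example, not Zscaler's or SMS Touch's own code. It assumes the app
sends form-encoded fields named 'username', 'email' and 'pin' (assumed
names). The sample requests below are constructed, not captured.
"""
from urllib.parse import urlsplit, parse_qs

# Field names that should never travel unencrypted (assumed list).
SENSITIVE_FIELDS = {"username", "email", "pin", "password", "token"}

# Constructed sample: (URL, request body) pairs, as a proxy export might
# present them. Hostnames and values are made up.
SAMPLE_REQUESTS = [
    ("http://sms.example-app.invalid/api/login",
     "username=alice&email=alice%40example.invalid"),
    ("http://sms.example-app.invalid/api/send",
     "username=alice&pin=1234&to=%2B15550100&text=hello"),
    ("https://sms.example-app.invalid/api/send",
     "username=alice&pin=1234&to=%2B15550100&text=hello"),
    ("http://cdn.example-app.invalid/banner.png", ""),
]


def sensitive_fields_in(url, body):
    """Return the set of sensitive field names present in the URL query
    string or the form-encoded body."""
    names = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
    names |= set(parse_qs(body, keep_blank_values=True))
    return names & SENSITIVE_FIELDS


def find_cleartext_leaks(requests):
    """Return [(url, sorted field names)] for every request that sends a
    sensitive field over plain http://. HTTPS requests are not flagged;
    whether their TLS setup is sound (certificate validation, pinning)
    is a separate check this script does not perform."""
    leaks = []
    for url, body in requests:
        if urlsplit(url).scheme.lower() != "http":
            continue
        fields = sensitive_fields_in(url, body)
        if fields:
            leaks.append((url, sorted(fields)))
    return leaks


if __name__ == "__main__":
    for url, fields in find_cleartext_leaks(SAMPLE_REQUESTS):
        print(f"cleartext exposure: {url} sends {', '.join(fields)}")
```

Run against a real proxy export, the same logic points at exactly the requests that need moving to HTTPS; the login and send calls in the constructed sample are flagged, the HTTPS variant and the static image are not.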
Zscaler says it has spoken to Alco Blom, the owner of the app. A fix has been promised by the end of 2017. However, that is a long way away and it shouldn’t take that long to fix the code.
What makes this situation embarrassing for the developer, Alco Blom, is that it also sells an app for Mac called Web Confidential. It promises to encrypt files and protect passwords. Perhaps it should ask the developers of that product to get to grips with SMS Touch.
What does this mean?
Another day, another mobile app and more data leakage. The cycle continues with no apparent way to stop it. Users install apps for convenience and cost. Businesses rely on users to supplement the corporate IT budget by buying their own devices. They also buy apps which make it easier for them in both their personal and work lives. There is a real need for IT organisations to get a grip on the apps on a user's device. The problem is how to do so without risking a major row between users and security teams.
There is also, arguably, a need for the testing of apps by app stores to improve. Apple has done a lot to improve the quality of apps on its own store. However, this is one of several news stories over the last year where leaky apps have been found on sale. There is nothing to stop it adding tests and requirements to ensure that all user data is encrypted in transit. This would help to reassure users and enterprises. Unfortunately there is no evidence that it will tighten up the requirements for apps.