Tube Map Live and Super Backup apps leak personal info

In the name of design and usability (and sometimes security) the activities of most apps are hidden from the user. We have to trust that developers will keep our personal information safe and our data away from those who would steal it. But as Appthority has shown in their analysis this week, that's not always the case.

Tube Map Live Underground

If you live in a city with robust public transit, you probably have a transit related app on your smartphone. They are essential to keep from looking like a tourist. For Londoners, the Tube Map Live Underground app lets them see the usual information like maps and routes, but it also lets them access details about the service used to pay for train fares called the Oyster card.

Checking the balance on your Oyster card is a big draw for this app, but Appthority told SecurityWatch that this app doesn't do a great job of protecting your personal information. They found that the app sends your Oyster user name, password, and card number in plaintext. "These credentials can be used to view journey histories of the user from up to the past 8 weeks, disable/enable the accounts, etc," said Appthority.

Another of Tube Map Live's selling points is that it's cross platform, running on Android, iOS, and Blackberry. Unfortunately, Appthority reports that, "The same risky behavior […] is seen in the app across multiple platforms, including Android and BlackBerry." The issue is not present in iOS because that version of the app cannot access Oyster information.

Super Backup

Gmail and Google Drive can keep your files safe on the cloud, and GooglePlay takes care of your app information but other critical information on your Android phone might not be backed up anywhere. Keeping a back up of your Android is a smart precaution, but the level of security differs from app to app.

Appthority analysed the Super Backup app and found that it stored back up information on the removable SD card by default. "This exposes the private data to other apps, as data on the sdcard is generally insecure," Appthority told SecurityWatch. "This is even more risky when an app and the app data is backed up, as the app data contains private saved data, passwords, and access tokens."

In their analysis, Appthority described how they were able to extract token information from a back up of the Facebook app stored on the SD card. The company was also able to, "extract the private access token for Facebook from the backup data, which can be used to access the Facebook account from any other mobile device or desktop browser."

Both of these apps aren't malicious. What's difficult for users is that without the kind of analysis provided by Appthority, it's difficult to tell how apps handle your information. Most of us probably assume that the competitive space of app stores force developers to follow best practices for security, but we've seen time and time again that it's just not the case. Unfortunately, the best way to stay secure is to probably to weigh the risks of exposing your personal information with the benefit provided by the app.