Hey Android Users: Avoid These Insecure Apps

By Adam Clark Estes

Here’s some bad news for Android users. Security researchers have discovered 100+ more apps that fail to encrypt your login data properly, making it frightfully easy for hackers to steal your password. What’s worse: the vast majority of the app makers aren’t doing anything about it.

The specific issue, an HTTPS vulnerability, is hardly a new problem. In fact, we’ve known for years that Android apps are susceptible to this issue, and that it puts users’ private information in jeopardy. So it’s not really news that it’s still around.

What might surprise you is that the list of affected apps includes popular services like Match.com, NBA Game Time, Safeway, and—get ready—Pizza Hut. So if you’ve been ordering delicious burger pizza crust pizza from the Hut with your phone, you should change your password right now. You should also probably stop using these apps until you know they’ve been fixed.

Don’t freak out too much: It’s not all Android apps that suffer from this vulnerability. Security researchers say these apps have been downloaded over 200 million times, so that’s 200 million opportunities for hackers to steal passwords... but that’s not a lot in the grand scheme of things.

Earlier this year, a batch of apps that had been downloaded over 350 million times was identified as being similarly insecure. (OkCupid was among them.) Faulty encryption was also the cause of a mobile security shake-up back in 2012. So it’s not like app makers don’t know that HTTPS vulnerabilities are a problem. It’s pretty infuriating that they’re not doing anything about it, though.

For a more detailed account of the so-called “Game-over HTTPS defect,” watch the video above or check out the comprehensive coverage in Ars Technica. You could also try downloading AppBugs from the Play Store to see if you have any dangerous apps, but fair warning: though that app is made by the same security researchers who brought these latest vulnerabilities to light, we haven’t actually tried it ourselves to see if it’s any good.

[Ars Technica]