This should come as no surprise, but it still sucks big-time: thousands of people who downloaded a random, very popular app called WiFi Finder found that it got handsy with users’ own home Wi-Fi, uploading their network passwords to a database full of 2 million passwords that was found exposed and unprotected online.
The leaked database was discovered by Sanyam Jain, a security researcher and a member of the GDI Foundation who reported his find to TechCrunch. Jain and TechCrunch’s Zack Whittaker spent more than two weeks fruitlessly trying to contact the developer, who they believe is based in China.
Receiving no reply, they instead turned to the host, DigitalOcean, which yanked the database within a day of their contact.
According to the app’s Google Play listing, it’s been installed more than 100,000 times.
The app does what it says it does: it searches for nearby hotspots, maps them, and enables users to upload all their stored Wi-Fi passwords. Unfortunately, in spite of what the app developer – Proofusion – claims, WiFi Finder doesn’t differentiate between public hotspots and what Whittaker says are the “countless” home Wi-Fi networks found by TechCrunch and Jain.
The exposed database didn’t give away contact information for any of the Wi-Fi network owners, but it did include geolocation data. The geolocations often corresponded to what look like wholly residential areas where there don’t appear to be any businesses, suggesting that the logins are for home networks.
WiFi Finder doesn’t require users to get network owner permission, leaving the door open for unauthorized access. An attacker could tweak router settings, could redirect network users to malicious websites by changing the DNS server, and could read any unencrypted traffic carried by the wireless network, enabling them to steal passwords and eavesdrop on communications.
Read those permissions!
WiFi Finder is a glaring example of how much security and privacy we all too often blithely hand over to an app that doesn’t deserve our trust. If you dig into the permissions it requests, you’ll find that it wants users to give it access to locations, full contact lists – including phone numbers and email accounts of all your friends, family, colleagues and whoever else is in that powerful hand warmer – plus the puzzlingly powerful ability to read, modify and delete data on your phone.
But why? That, unfortunately, is the question that we don’t get around to asking when we don’t bother to read app permissions.
Google has been trying to clean up the hot mess of bad apps in the Play store – a hot mess that, for example, saw 9m Androids infected with malware back in January, when Google removed 85 apps that were purportedly TV and video players and controllers but which would consistently show full-screen ads until they crashed, bringing in profitable ad impressions for the developers but nada for the victims.
We’re better off if we don’t solely depend on Google to strain out all the bad appery. By Google’s own calculations, only 0.09% of devices accessing the Play store were carrying malware as of January, but at 1.8 million phones, that’s nothing to sneeze at.
Make sure to check out app reviews and permissions to see what they’re up to before downloading. The majority of app developers may well have hearts of gold and the smarts to protect sensitive databases, but that still leaves plenty of random bulls in the china shop.
Source : Naked Security