As many as 600 million smartphone users could be at risk of having their online accounts cracked after new research revealed that many of the world’s most popular apps allow an unlimited number of log-in attempts.
Mobile security firm AppBugs tested 100 of the most popular Android and iOS apps supporting password protected accounts – with each registering at least one million downloads.
It was shocked to find that 53% had a password brute force vulnerability, allowing attackers to guess away until they crack the credential.
Of these, the affected Android apps had been downloaded 300 million times. Although Apple does not release such data, AppBugs estimated the download number for the affected iOS apps to be similar.
The firm explained the following:
“According to this study on 70 million passwords, the strength of user passwords typically contains 10-20 bits of security. This means that it only takes the attacker 1024-1048576 guesses to find the correct one. Assuming the attacker makes login attempts to the vulnerable service 30 times per minute, it takes him half an hour to 24 days to guess a password, depending on the strength of the target password. This is a scary estimate. Attackers have no problem launching the attacks from multiple IP addresses on multiple user accounts in parallel and often can make guesses more than 30 times per minute. If today the attacker launches such attack against most user accounts in parallel, he will be able to get most user passwords within 24 days.”
AppBugs claimed to have notified each of the affected apps’ developers, giving them a total of 90 days to remedy the issue.
Of the 15 which have passed that patching grace period, just three (Wanderlust, Dictionary and Pocket) fixed the issue at the time of AppBugs’ blog post.
This means that users of popular applications such as Expedia, CNN and Soundcloud are still vulnerable.
None of the apps studied support two-factor authentication so there is little a user can do to mitigate the vulnerability apart from disable the app altogether.
Apple’s iCloud service was famously found to have been exposing users via this vulnerability, before the firm patched it – in fact, some believe it may have contributed to the notorious celebrity data breach last year.