Hewlett-Packard has issued a warning to consumers regarding the lack of security and privacy precautions in leading mobile tax and finance applications, stating that over half of the apps they tested employ encryption methods proven to have security weaknesses, such as MD5 and SHA1.
They also found that more than 90% of the applications were unnecessarily storing data in clear text, caching images of sensitive information, accessing the device’s address book and geolocation information, and failing to transmit data in a secure manner.
“The bottom line is that even with all the best intentions of providing fast tax filing assistance, mobile tax apps could put users at risk,” said HP’s Maria Bledsoe.
The problem is rooted in the fact that these companies are using mobile apps as a user interface extension to their PC software versions, allowing users to check for status updates after filing via a cloud-based service, while mobile devices are simply not as secure as their larger counterparts like laptops and desktop computers.
“A lot of companies are looking at mobile apps as a fancy user interface, and they’re putting their protection on the back-end behind their firewall,” Bledsoe said. “But they’re not realizing yet that this is yet another attack vector and is an entry point for the hackers.”
As with any application, users need to carefully examine the permissions the application requests at the time of download, and they should be wary of applications that demand access to data on the device that they have no logical reason for needing, like contact lists and location information.
“We have the tendency these days of downloading any app under the sun because it’s cool and nice. This stuff is not just a fancy user interface,” Bledsoe continued. “All your private data is sitting right there so you have to be pretty careful with what you’re putting on your phone,” she said, adding that “if there’s no reason why this app has access to this address book, don’t let it.”