QuizUp for iOS by Plain Vanilla uploads address book data as plain text.

The reports that a lot of users’ data are being stolen by uploading them to the app developers servers without any permission has been growing. But luckily, Apple’s screening process has been preventing us from apps which does this. But looks like there’s a bit of issue now.

Top iOS apps like QuizUp by Plain Vanilla is now caught red-handed for uploading users’s data to their server as plain text and also for sharing this information with random users who use their app. While QuizUp shot to fame for its quick and easy trivial game play, the app developers have been literally misleading the information about users’ privacy.

The app indeed uses a HTTPS encryption, which is good, but unfortunately, it hands the data back to the device with a simple plain text format, which a random users’ device would read and start off with the game. Moreover, a report by a security researcher reveals that the app’s vulnerability can be found within 15 minutes and is not that hard for anyone to get to know the data that’s being transferred.

While QuizUp is one such app, there are chances that other apps might do this as well. While these apps literally does not need any data for the gameplay, we are not sure why the developers are keen in collecting the users’ data and uploading it to their servers. One more interesting thing to note here is that, these apps are completely backed up by venture capitalists.

We will keep you posted about the replies from the company as well as from other security researchers whom we have approached.

Update: The QuizUp developer has responded to the report:

Hi redditers. I’m one of the developers at QuizUp. We’re very proud of the product, but obviously we missed the mark when it comes to privacy and user data. On a cultural level we take these things to heart, and we take them seriously. It’s a matter of not having taken the time to review these things carefully enough.

Let me address the things mentioned in the article:

No data is ever sent or received to or from our servers in plain text. Due to a bug in our third-party network library the certificates were not being verified so a self signed certificate could decrypt the data. This issue has been addressed in an update waiting review at Apple. Users’ passwords are hashed before we store them in our databases (pbkdf2, salt, multiple iterations).

Our user’s address books are not stored on our servers and only used temporarily to help us find your friends. It was a mistake to not hash the contents of the address book before sending to our servers and we are currently changing the client application so it hashes the address book contents before sending to our servers. Sensitive user data was exposed in certain endpoints (although only accessible for authenticated users). We have already addressed this issue in a server deployment and the hotfix is live now.

We are currently wading through inboxes looking for Kyle’s outreach. It looks like it may not have reached the core server developers.

Finally I want to thank Kyle Richter for working out our security holes, small and large. We’re currently reviewing our endpoints and codebase to further harden security and ensure the privacy of our users.

Just ask if you have any questions.

Subscribe to 4CAST

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 19 other subscribers