Since these types of applications store sensitive data, I wanted to see how hard it was to obtain this information assuming a handset was lost or stolen.  The common denominator between all the popular apps were the use of a master password. Some of the apps stored master passwords locally while others stored them remotely. All the apps stored banking information, passwords, and credit card numbers.

With being able to turn off your SIM card if your phone is lost or stolen; its not as easy to change passwords to sites or notify banks of accounts that could have been compromised.

With such a major number of users adding Android MOD’s such as Cyanogen to their device, it greatly increases the risk of personal information being leaked when a phone is stolen or lost.

We have already started notifying vendors of the vulnerabilities we have found.  Stay tuned as we start posting some of the results, you will be surprised at just how easy these applications could be compromised by attackers.

As a security analyst, I decided to start examining how these apps work. What I found was astonishing! So far, almost all the apps I have dissected contain extreme high risk vulnerabilities when storing sensitive data. I decided to create this blog to post some of my findings to the world in hopes of providing a break down of just how serious this issue is.
Without giving away too much detail, a highly used app (on all major markets) that provides a visual to your voicemail, has a authentication bypass that allows an attacker to download voicemails in MP3 format from another users mailbox. I have properly notified the vendor on 02/04/2010 and have been providing them with my findings. I will be blogging about this vulnerability on 02/28/2010 or sooner assuming they issue a patch for it.

Stay tuned as I start publicly dissecting these apps. If anyone would like to work with me on projects, feel free to contact me.