Security firm ViaForensics has found that apps from firms like Foursquare, Netflix, and LinkedIn do not adequately store users' personal information.
ViaForensics' appWatchdog program audits apps to make sure they securely store a person's username, password, and sensitive app data. Apps that store sensitive data insecurely get a failing grade, those that store app data in an unencrypted way get a warning, while secure apps—meaning ViaForensics was not able to obtain any user or app data—get a passing grade.
A full list is available online, but in its latest round of testing, ViaForensics found three unencrypted passwords on the Android versions of Foursquare, LinkedIn, and Netflix.
"With cybercrime an ever increasing threat, these findings put consumers at much greater risk for identity or financial theft," ViaForensics said in a blog post.
The Android version of the Netflix app failed because it did not securely store passwords, the report said. The iPhone version of the Netflix app got a warning; it securely stored usernames and passwords, but app data storage was not as secure, ViaForensics said.
"Netflix members' privacy and personal information security are a top priority for Netflix. We are making a change on the app," a Netflix spokesman said in an email.
On LinkedIn, the Android and iPhone versions got a failing grade. The iPhone version securely stored passwords, but had a warning on username storage, and a fail on app data security. The Android version failed to securely store passwords or app data and got a warning on username storage.
"We're using the standard Android programming practices for storing and managing data," a LinkedIn spokeswoman said via email. "LinkedIn is focused on providing a seamless experience for our mobile users and are working closely with the Android team to help ensure we do this in a safe and secure manner."
Foursquare's Android app also got low marks for data security, while its iPhone app fared slightly better.
In a statement, Foursquare said a user's information might be compromised, but only if "a user's Android device is stolen and the device is not password-protected." Though Foursquare has received no reports of such instances, the company said it pushed an update to all Android users on Tuesday "that will make even this type of access unavailable to hackers."
"We value the security of our users' personal information and are continually making enhancements to clear potential attack vectors that we become aware of," a spokeswoman said.
ViaForensics' report also singled out mobile payment system Square, which received a failing grade for its iPhone app "due to insecure storage of app data."
"From this app we were able to recover a variety of information, including transaction amounts and the most recent customer's signature stored as a picture file," ViaForensics said.
A Square spokeswoman said the app "does store some identifying information within the phone" like a name and last four digits of a credit card number, but "this information is a necessary element used by businesses around the world to track transactions."
Square stressed that this data is allowed by the PCI Security Standards Council, which oversees payment security standards. It is also readily available on most paper receipts, whereas Square data remains on a user's phone, the company said.
The concept of "leaky apps" is not a new one. Last month, a report from Symantec said that, until recently, Facebook apps were inadvertently leaking user data to third-party developers. In response, Facebook said the problem has been fixed and that no unauthorized Facebook data was shared with third parties.
In October, the Wall Street Journal published a story that said Facebook apps shared users' personal information with advertising networks and other Internet-tracking companies. That included the top 10 apps on Facebook. That prompted Reps. Edward Markey and Joe Barton, the co-chairman of the House Bi-Partisan Privacy Caucus, to write to Facebook asking for more answers. The social-networking site later defended its policies, and denied that the revelations constituted a privacy breach.
Also last year, Google found itself in the hot seat when a team of researchers found a large sample of Android apps distributing personal data without users' permission. Another report from the Journal subsequently found that Apple iPhone apps were just as guilty, if not worse.