27 Jan

Update: According to the Vopium blog, the app has been updated with a fix for this issue. We'll crack it open in just a bit to ensure everything has indeed been addressed.

Users of the popular VoIP app Vopium (here's the older version with many more installs) may want to put all usage of the app on indefinite hiatus, at least for the time being. It was recently discovered that the app sends basically all of a user's sensitive information, including username, password, device IMEI, geolocation, and contact list, in plaintext.

After doing some of our own analysis, we discovered that the password is stored in the app's settings using plaintext as well (as opposed to at least basic encryption or an auth token - thanks for doing the leg work here, jcase).

Basically, anyone on the same network can simply pull all of the aforementioned information out of the air with ease using a common packet sniffer. Since the info is sent in plaintext, there's no decoding necessary - it's all ripe for the picking.

So, how should Vopium be handling these requests? By using a secure, encrypted connection, like https. Then, if an "attacker" tried to pull any of the information out of the sky, it's nothing more than a useless jumble.

Not to underplay the severity of the situation, but if you're just sitting at home using it over your protected wireless internet, then you probably have nothing to worry about and it's merely a matter of principle. However, if you use Vopium on an open network or one shared with several people (like at college, for example), then your information is definitely out in the open for any wrong-doer to steal.

Hopefully, Vopium will issue an update as soon as possible that corrects this mistake, but I would have trouble trusting a company whose engineers put out software with such basic flaws again.

Packetstormsecurity via Seclists, thanks inforensique

Cameron Summerson
Cameron is a self-made geek, Android enthusiast, horror movie fanatic, musician, and cyclist. When he's not pounding keys here at AP, you can find him spending time with his wife and kids, plucking away on the 6-string, spinning on the streets, or watching The Texas Chainsaw Massacre on repeat.

  • Deltaechoe

    Oh look, another app that has security that can be defeated by a simple packet sniffer... (good thing I've never used it)

    Thanks AP for keeping the community updated on potential risks to our security, you guys rock

    • http://www.AndroidPolice.com Artem Russakovskii

      Our (unfortunate) pleasure.

  • http://facebook.com/smsmycarandme force

    So does vlingo...

  • inforensique

    They just removed this post they had just around the same time ... http://webcache.googleusercontent.com/search?q=cache:KRmi4GZlPOoJ:blog.vopium.com/2012/01/mobile-security-threats-just-how-deep%E2%80%A6how-viable/+&cd=1&hl=en&ct=clnk

    Company bullshit at its best, read this!: "The best thing to do, as a company, is what Vopium's development team does round-the-clock, ensure that security is an embedded feature of the app, rather than letting our customers worry about it."