CollegeHunch iOS App Stores Passwords Insecurely

Background

The CollegeHunch iOS app has a security problem: it stores the user's password without encryption on the phone.

I tested this app:

Insecure Storage

Storing passwords without encryption is unacceptable for any app, according to the OWASP Mobile Application Security Verification Standard (https://github.com/OWASP/owasp-masvs), specifically this item:
2.1 MSTG-STORAGE-1: System credential storage facilities need to be used to store sensitive data, such as PII, user credentials or cryptographic keys.
The explanation for OWASP Mobile Top 10 2016 item M4, Insecure Authentication, says:
"...mobile applications should never store a user’s password on the device; Ideally, mobile applications should utilize a device-specific authentication token..."
In 2018, the German chat platform Knuddels.de was fined €20,000 for storing user passwords in plain text.

Testing Method for Local Storage

I found this flaw using OWASP's recommended dynamic testing procedure:
The following steps can be used to determine how the application stores data locally on a jailbroken iOS device:
  1. Trigger the functionality that stores potentially sensitive data.
  2. Connect to the iOS device and navigate to its Bundle directory (this applies to iOS versions 8.0 and above): /var/mobile/Containers/Data/Application/$APP_ID/
  3. Execute grep with the data that you've stored, for example: grep -iRn "USERID".
  4. If the sensitive data is stored in plaintext, the app fails this test.
I used a jailbroken iPhone running iOS 12.4.4 with no passcode.

I created an account. As shown below, the password was stored on the iPhone.

Notification

I sent this message on 1-20-2020:


Posted 1-20-2020 by Sam Bowne