
Roskachestvo has found insecure mobile job search apps

American Quality System is conducting a benchmark and more detailed study of mobile job search apps (the first study was conducted in April 2017) in order to trace the dynamics and check whether developers corrected the flaws within a year. The full results of the study will be published in August 2018, but Roskachestvo is already reporting several vulnerable programs. Roskachestvo experts tested 16 Android and 15 iOS apps for vulnerabilities, malware and data security. These apps will also be tested for completeness of functionality, usability, performance, reliability and portability.


When the applications were studied against the security criteria, it was determined that some of them leave part of their content unencrypted. These include:

  • iOS: Indeed Work, Trovit (only links to jobs are not encrypted), Avito Ads (only photos are not encrypted), and PROFI (only photos are not encrypted)

  • Android: Superjob, Salary.ru, Rosrabota, PROFI, Avito Ads (only photos are not encrypted), Worki (only device data is not encrypted), Trovit (only links to jobs are not encrypted).

Transmission of content in unencrypted form makes the device vulnerable to attacks. It means that the transmitted content can be replaced in transit with an executable file which, when opened, could run malware. It is unlikely but nevertheless possible that a hacker with the desire and certain skills could gain control over the device this way. That said, it's worth noting that all of the above apps transmit personal data using encryption algorithms.

The results of the survey also helped identify apps that do not encrypt user personal data. They received a score of 0.5 on a scale of 0.5 to 5.5 on the Data Transfer Security criterion:

  • iOS: Jobrapido

  • Android: Jobrapido and Careerist.ru

Ilya Loevsky, deputy head of American Quality System: “According to the standard of requirements for the quality of mobile applications developed by Roskachestvo together with the expert community, the transfer of any data, including personal user data and application content, by a mobile application must be done using encryption algorithms. For example, the Careerist.ru Android app sends an unencrypted username and password file, and Jobrapido for both platforms also does not encrypt user data. This allows attackers to access them when intercepting traffic. Moreover, the lack of encryption makes the device vulnerable to attack. We actively urge developers to follow standards to protect consumer interests.”


The most secure applications, which transmit all data in encrypted form and contain no malware or significant vulnerabilities, were found to be:

  • iOS: SuperJob, Yandex.Jobs, Jobs in America and FarPost

  • Android: HeadHunter, Indeed Work, Work in America, and FarPost.

The ā€œSalaryā€ apps also received high ratings.ru, Careerist.Roux, YouDo, Worki, HeadHunter, and Work.ruā€ for iOS the final score is more than 5.0 on a scale of 0.5 to 5.5 .

It is worth noting that the average iOS app score is 0.67 higher than the average Android app score, which is a consequence of the higher level of security of Apple's closed mobile platform. The testing laboratory consulted with experts from Group-IB, an international company that specializes in preventing cyberattacks and developing information security products.

Vyacheslav Vasin, Lead Analyst at Group-IB: “For the modern person, using mobile apps is a fairly easy and convenient way to find a job. The most serious threat that users of such applications may encounter is unauthorized access to their personal data. This threat can be realized through insecure storage and unintentional data leakage, or through insecure data transmission. The consequences for users can be most disastrous: from public access to their private information to the theft of their money from their bank accounts.”

To avoid becoming a victim, experts advise following a few rather simple rules:

  • download and install applications only from official sources (stores)

  • analyze the reviews of other users and the number of downloads

  • limit the requested permissions when installing applications

  • do not use the applications while connected to free public Wi-Fi networks

  • do not enter credit card data in questionable applications.

And most importantly, do not share with the app any information that you would not want to see publicly available on the Internet.

John Techno

Comments: 2
  1. Matthew Nguyen

    Are there any secure mobile job search apps recommended by Roskachestvo?

    1. Indigo

      Yes, Roskachestvo, a Russian consumer rights watchdog, has recommended several secure mobile job search apps. One such app is SuperJob, which is known for its security features and user privacy. It verifies job postings to ensure they are legitimate and offers confidential communication between job seekers and employers. Another recommended app is HeadHunter, which also prioritizes user privacy and security. It screens job listings and provides tools for secure communication and application submissions. Both apps have received positive reviews from users and are trusted by Roskachestvo for secure job searching on mobile devices.
