Popular data exchange app "Bump" suffers security lapse

Bump Technologies, maker of the popular data exchange application Bump, said it has corrected a problem that could have exposed users' information. 

Bump, available for Google's Android and Apple's iPhone, iPod Touch and iPad devices, allows users to share contact information, photos and other data by simply tapping two devices together.

The app was sending private information in the clear despite the company's claim that it uses secure protocols to transfer information, M.J. Keith, the security researcher at security and compliance solutions provider Alert Logic who discovered the issue, told SCMagazineUS.com on Monday.

Because the data was not encrypted, an attacker positioned on the network path, for example on the same Wi-Fi network, could have used a packet analyzer to read any data that one user transmitted to another, he said.

David Lieb, co-founder and CEO of Bump Technologies, told SCMagazineUS.com in an email Monday that Alert Logic was correct that traffic from some Bump users was being sent over HTTP, instead of HTTPS.

The company has fixed the issue, and all traffic will run over HTTPS within the next few hours, Lieb said late Monday afternoon EST.
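The two technical points above, what a packet analyzer recovers from cleartext HTTP and how a client can make sure it never falls back to it, can be shown in a few lines. The following is an added example, not code from Bump Technologies or Alert Logic: the captured payloads, hostnames, addresses and form fields are constructed for illustration, and the TLS sample is only a truncated record header. The first part classifies captured TCP payloads as TLS or cleartext HTTP and decodes the readable fields from the latter, which is exactly what a sniffer on the path would see; the second is a client-side guard that refuses any endpoint that is not `https://`, so a back-end switchover that hands out plain-HTTP URLs fails loudly instead of silently.

```python
"""Triage captured TCP payloads the way a packet analyzer would, then show the
client-side check that would have caught an HTTP fallback. Added example; all
samples below are constructed and are not real Bump traffic."""
from urllib.parse import parse_qs, urlsplit

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")

# Constructed sample 1: a cleartext POST carrying contact data (hypothetical API path).
_BODY = b"name=Alice+Example&phone=555-0100&email=alice%40example.invalid"
CLEARTEXT_PACKET = (
    b"POST /api/v1/exchange HTTP/1.1\r\n"
    b"Host: api.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n" % len(_BODY)
    + b"\r\n" + _BODY
)
# Constructed sample 2: first bytes of a TLS ClientHello (record type 0x16, version
# 3.1, then handshake type 0x01). Truncated; only the header matters here.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

SAMPLE_CAPTURE = [
    ("10.0.0.5:51000", "203.0.113.10:80", CLEARTEXT_PACKET),
    ("10.0.0.6:51001", "203.0.113.10:443", TLS_CLIENT_HELLO),
]


def classify_payload(data: bytes) -> str:
    """'tls' for a TLS handshake record, 'http' for a cleartext request, else 'unknown'."""
    # TLS record: content type 0x16 (handshake), legacy version 0x03 0x00..0x03,
    # two-byte length, then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03 and data[5] == 0x01:
        return "tls"
    if data.startswith(HTTP_METHODS) and b" HTTP/1." in data.split(b"\r\n", 1)[0]:
        return "http"
    return "unknown"


def readable_fields(data: bytes) -> dict:
    """Everything a passive observer gets from one cleartext request: request line,
    headers, and the decoded form body (non-form bodies are returned raw)."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    result = {"method": method, "target": target,
              "host": headers.get("host", ""), "headers": headers}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        result["body"] = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    else:
        result["body"] = body
    return result


def audit_capture(packets) -> dict:
    """packets: iterable of (src, dst, payload). Returns the readable content of every
    cleartext request plus a count of flows that were at least TLS-protected."""
    findings, tls_flows = [], 0
    for src, dst, payload in packets:
        kind = classify_payload(payload)
        if kind == "tls":
            tls_flows += 1
        elif kind == "http":
            findings.append({"src": src, "dst": dst, **readable_fields(payload)})
    return {"cleartext": findings, "tls_flows": tls_flows}


def require_https(url: str) -> str:
    """Client-side guard: refuse to build a request against anything but https://.
    Whatever URL the back end hands out, a non-HTTPS one becomes an immediate error
    rather than a quiet downgrade."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing non-HTTPS endpoint: {url!r}")
    return url


if __name__ == "__main__":
    report = audit_capture(SAMPLE_CAPTURE)
    for f in report["cleartext"]:
        print(f"{f['src']} -> {f['dst']} {f['method']} {f['host']}{f['target']} body={f['body']}")
    print("TLS-protected flows:", report["tls_flows"])
    for url in ("https://api.example.invalid/api/v1/exchange",
                "http://api.example.invalid/api/v1/exchange"):
        try:
            print("ok  ", require_https(url))
        except ValueError as exc:
            print("FAIL", exc)
```

Run against a real capture, the same classification can be driven from the TCP payloads a tool such as tcpdump or Wireshark exports; the point of the guard is that it belongs in the client, where a misconfigured server URL cannot be silently accepted.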

“This temporary lapse was a result of a switchover to a new back-end infrastructure,” he said. “We certainly had no intention of deceiving users.”

The app, launched last year, is wildly popular, having been downloaded 10 million times, according to reports.

“As a Bump user, this does not sit well with me,” Keith wrote in a blog post Monday. “Rather than taking the time to implement something remotely resembling real security, they just lied and hoped no one would notice. That is unethical, and Bump users have a right to know that.”

On its website, Bump says all communications between users' phones and its servers are encrypted using HTTPS.

“When we built Bump, our No. 1 priority was creating the best possible user experience we could,” the website states. “Security of your personal information is a huge part of that experience.”

However, Keith confirmed that Bump for iPhone and Android was transferring data in clear text. He went public with the security issue on Thursday at the HouSecCon conference in Houston, before notifying Bump Technologies about the problem.

“I could have contacted the company explaining the issue, but since they wrote the app, I am sure they already know how it works,” he wrote. “That would have just given them an opportunity to avoid accountability for clearly unethical marketing.”

Lieb said that Bump Technologies appreciates that Alert Logic detected the security lapse, but wished researchers had contacted Bump directly so they could have fixed the vulnerability before it was known publicly.

Keith warned that there are many other smartphone applications that are not secure and can expose users' sensitive data.

“The majority of apps are incredibly insecure and don't use any form of encryption,” he said.

Computer and mobile security firm viaForensics recently uncovered flaws in a number of financial apps for iPhone and Android devices. In its analysis, the company found flaws in apps from companies such as Wells Fargo, Bank of America and USAA that could allow an attacker to obtain users' passwords.

ViaForensics said it is working with the financial institutions to eliminate the flaws.
