Wandera researchers found that an app designed to keep users physically safe is actually putting them at risk by leaking their information.
PanicGuard is a "24/7 personal security" app that allows users to shake their device in the event of an emergency to set off an alert that sends messages, including the user's location, to a predefined list of contacts and/or the proper authorities.
Users are required to enter their first and last names, email address, date of birth, and emergency contact information. However, all of this information is transferred in plain text, meaning the HTTP connection used to send the information to the app's server is extremely insecure, according to a June 20 blog post.
Transferring sensitive information over HTTP is a known security risk that the app's developers should have avoided, and as a result of their error, researchers said, as many as 100,000 people could be at risk of having their data intercepted.
Wandera took down its original threat alert, posted Tuesday, for 36 hours to allow PanicGuard more time to patch the vulnerability, though the company said it followed responsible disclosure practices and had alerted PanicGuard several times since February 2017. After the initial version of this story was published, PanicGuard told SC Media it took issue with the security firm's findings, but a Wandera spokesperson told SC the firm stands behind its findings and disclosure practices.
"PanicGuard have been made aware of the issues included in this advisory, and may have since fixed some, or all, of the issues outlined within," Wandera said in their reposted blog.
PanicGuard has since told SC Media they are working with Wandera to address the issues.