87 per cent of magazine and newspaper apps, and 77 per cent of news apps, exposed users' sensitive information such as Google and Facebook authentication tokens
First-of-its-kind research by Cybernews has revealed that news apps are especially prone to leaking users' data.
87 per cent of magazine and newspaper apps and 77 per cent of news apps leaked hard-coded credentials, compared to an average of 71 per cent of apps across all categories. This is based on a sample of 156,080 randomly selected iOS apps – approximately 8 per cent of the App Store.
It shows that protecting mobile users' data is an ongoing challenge across the industries that build mobile apps, but news apps perform worse than most.
News apps commonly exposed database details, cloud storage information, and Google and Facebook authentication tokens.
"Usually such issues are the result of inexperienced or uneducated developers, not realising that hard-coded credentials can be easily accessed by third parties," explains Aras Nazarovas, security researcher at Cybernews, in an email to Journalism.co.uk. He added that the deviation between the failings of the average app and news apps was "not that extreme".
The research suggests two areas of improvement: educating developers about security risks and implementing security checks by app stores when software is submitted.
"Application distribution platforms such as the Apple App Store could notify the developers if they submit an insecure version of the app, or block insecure versions of apps from these platforms," continues Nazarovas.
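A pre-submission check of the kind Nazarovas describes, as an added example that is not Cybernews' or the publisher's code: it scans an app's config plist and source for the credential types named above (Google API keys, Firebase database URLs, cloud access keys, social-login tokens). The key-format rules use publicly documented prefixes; the file names and every secret value are constructed placeholders.

```python
"""Pre-release scan for hard-coded credentials in an iOS app's source and config files."""
import math
import re
from dataclasses import dataclass

SPECIFIC_RULES = [  # credential formats with well-known public prefixes
    ("google-api-key", re.compile(r"AIza[0-9A-Za-z_\-]{35}")),
    ("aws-access-key-id", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("firebase-database-url", re.compile(r"https://[a-z0-9\-]+\.firebaseio\.com")),
]
KEYWORD_RX = re.compile(r"(?i)secret|token|password|api[_-]?key")
QUOTED_VALUE_RX = re.compile(r"[\"'>]([A-Za-z0-9+/=_\-]{20,})[\"'<]")

@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    redacted: str  # prefix only, so a report can be logged without re-leaking the secret

def shannon_entropy(s: str) -> float:  # bits per character: random secrets high, labels low
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def redact(value: str) -> str:
    return f"{value[:4]}...({len(value)} chars)"

def scan_text(path: str, text: str, min_entropy: float = 3.5) -> list[Finding]:
    found: dict[tuple[int, str], Finding] = {}  # keyed by value so two rules never double-report
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in SPECIFIC_RULES:
            for m in rx.finditer(line):
                found[(lineno, m.group(0))] = Finding(path, lineno, name, redact(m.group(0)))
        kw = KEYWORD_RX.search(line)  # generic rule: a secret-like name followed by a random-looking value
        for m in (QUOTED_VALUE_RX.finditer(line, kw.end()) if kw else ()):
            if shannon_entropy(m.group(1)) >= min_entropy:
                found.setdefault((lineno, m.group(1)), Finding(path, lineno, "generic-secret", redact(m.group(1))))
    return list(found.values())

# Constructed samples: a Firebase config plist and a Swift file with secrets baked in.
SAMPLE_PLIST = "\n".join(['<plist version="1.0"><dict>', "  <key>API_KEY</key>",
    "  <string>AIzaSy" + "X" * 33 + "</string>", "  <key>DATABASE_URL</key>",
    "  <string>https://example-app-12345.firebaseio.com</string>", "</dict></plist>"])
SAMPLE_SWIFT = "\n".join(["import Foundation",
    'let facebookAccessToken = "EAABq7Vn2Lm9Kd4Rt8Wp1Yv6Hg3Jf5Nb0Qz"',
    'let awsAccessKeyId = "AKIAEXAMPLEKEY000001"',
    'let tokenPlaceholder = "REPLACE_ME_BEFORE_RELEASE_PLEASE"'])  # low entropy: not reported

def scan_samples() -> list[Finding]:
    return scan_text("GoogleService-Info.plist", SAMPLE_PLIST) + scan_text("NewsFeed.swift", SAMPLE_SWIFT)
```

The entropy threshold keeps placeholder strings and labels out of the report; a finding means the value should be moved to a backend-issued credential before the build is submitted.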
Another view is that news publishers are generally unwilling to invest in top mobile app development and cybersecurity, says Heiko Scherer, CEO and founder of tchop, a platform for creating community news apps.
"IT security is not a big topic in most (news) projects. Know-how and skill level of developers is often mediocre at best," says Scherer.
"To reduce costs, many publishers use cross-platform frameworks like Flutter, which are not the (only) reason, but often open doors for less experienced people or freelancers.
"Also the user management and authentication on the client side is often outsourced to third-party tools, meaning there is a freelancer connecting against some kind of third-party tool."
Nazarovas says that the vulnerabilities within apps enable several attack vectors, among them news manipulation, access to payment data and denial of service.
News manipulation sounds quite alarming, but Scherer cautioned that this is less interesting for general hackers and would speak to a larger motive, as seen in the early days of the Russia-Ukraine war.
He also said that hackers were unlikely to go for news apps to access payment data, but if that were to happen, it would signal that the news app had a "really bad architecture".
Denial of service attacks are a more regular occurrence for any type of app, and exposed API tokens and secrets make them easier. But if someone truly wanted to attack a news website, there are other methods than flooding it with requests.
"This is always a more general threat you can never fully exclude from happening. Again, the question is what is the motivation of the bad actor," says Scherer.
"Most crucial in practice is everything related to users. Especially as users expect publishers to treat their data in a professional and secure way."
Naomi Owusu, founder of live-blogging and digital publishing platform Tickaroo, takes data security seriously, going beyond just following GDPR requirements. Her company limits who can physically access their offices and digitally access their systems. They voluntarily test their security by hiring outside firms to try breaking into their software. All services require encrypted connections, and users must actively choose to allow third-party data tracking. The company maintains detailed step-by-step guidelines for handling private information.
As a German business, Tickaroo must follow European Union regulations. Their data processing agreements require them to explain exactly how information is protected—such as noting when it's encrypted—and how it might be shared with platforms like Facebook or Instagram.
For news organisations, Owusu suggests collecting only essential data for legitimate purposes, keeping it secure, being transparent with users, and getting clear permission from clients.
The research revealed over 816,000 secrets hard-coded into iOS applications, with an average of 5.23 exposed secrets per app. Of the storage endpoints examined, 836 were accessible without authentication, exposing 406TB of user data. Additionally, 2,218 Firebase instances had misconfigured authentication, leaking 19.8 million records.
The findings raise big questions about Apple's app review process and developer security practices across the iOS ecosystem.
This article was written with the assistance of Claude.AI and was edited by a human.