It also transmits passwords over the Internet without encryption. This is the #3 most important mobile app vulnerability, according to OWASP.
https://samsclass.info/128/proj/abapps.htm
I notified the developer on 1-7-17 and got no response.
I registered an account and saw the Privacy Policy:
Here's the password stored locally without encryption:
Here's the password being sent over the Internet without encryption:
I registered an account with the password topsecret1:
I connected using SSH over USB and used Unix commands to find the app's local storage directory.
These Unix commands search the local file storage for the Unicode string "topsecret", and find it.
I executed these commands to dump out the local file storing the password in hex.
cd /var/mobile/Applications/0377613C-9B98-4841-A78C-4207316BAC47/Library/WebKit/LocalStorage
ls -l
xxd file__0.localstorage
Here's the password stored locally without encryption.
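The search above looks for a "Unicode string" because WebKit LocalStorage files store values as UTF-16LE, so a plain UTF-8 grep can miss them. The script below is an added example, not the commands from the original write-up: it audits a directory for a known test password in both UTF-8 and UTF-16LE by stripping NUL bytes before a fixed-string grep, and builds its own constructed sample files so it runs offline. It assumes a POSIX sh with find, tr, grep, printf and mktemp; the file names and sample values are made up for the demo.

```shell
#!/bin/sh
# Added example, not the commands from the original write-up. It audits a
# directory for a known test password stored in plaintext, matching both
# UTF-8 and UTF-16LE (the encoding WebKit LocalStorage files use). Assumes
# POSIX sh with find, tr, grep, printf and mktemp.

# Write an ASCII string as UTF-16LE (each byte followed by a NUL) to a file.
# Used only to build the constructed sample data below.
write_utf16le() {
  s="$1"; out="$2"
  : > "$out"
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}            # first character of the remaining string
    printf '%s\000' "$c" >> "$out"
    s=${s#?}
  done
}

# Print every regular file under DIR that contains SECRET in plaintext.
# Stripping NUL bytes first collapses UTF-16LE ASCII text to plain ASCII, so
# one fixed-string grep catches both encodings; -a makes grep treat the
# binary localstorage files as text instead of just reporting "binary file".
scan_for_secret() {
  secret="$1"; dir="$2"
  find "$dir" -type f | while IFS= read -r f; do
    if tr -d '\000' < "$f" | grep -a -q -F -- "$secret"; then
      printf '%s\n' "$f"
    fi
  done
}

# Build a constructed sample directory (three files) and print its path:
#   utf8.localstorage   - password in UTF-8, as a JSON-style value
#   utf16.localstorage  - the same password in UTF-16LE
#   clean.localstorage  - no password at all
build_sample_dir() {
  d=$(mktemp -d)
  printf '{"user":"alice","password":"topsecret1"}' > "$d/utf8.localstorage"
  write_utf16le '{"user":"alice","password":"topsecret1"}' "$d/utf16.localstorage"
  printf 'nothing sensitive here' > "$d/clean.localstorage"
  printf '%s\n' "$d"
}

# Stand-alone use: ./scan_plaintext.sh <secret> <directory>
# With no arguments, run the self-demo on the constructed sample directory.
if [ "$#" -eq 2 ]; then
  scan_for_secret "$1" "$2"
elif [ "$#" -eq 0 ]; then
  sample=$(build_sample_dir)
  scan_for_secret topsecret1 "$sample"   # prints the utf8 and utf16 files
fi
```

Run it against an app's Library directory with the test password you registered; any file it lists is storing that credential unprotected in at least one of the two encodings. Any hit is a finding regardless of whether the value is wrapped in JSON, since the check is on the raw bytes.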
I set up an SSL auditing proxy as explained here and captured the login request.
Here's the password being sent over the Internet without encryption: