Menards Android Apps Password Exposure

Summary

The Menards Android app stores the user's password on the phone without encryption, exposing it to theft.

This is the #2 most important security flaw, according to OWASP.

As discussed here, passwords should not be stored on the phone at all. Because users re-use passwords, they are very sensitive information and handling them carelessly is a disservice to your customers. Locally stored passwords could be stolen by malware on the phone, or by simply stealing the phone itself. Instead, a random cookie should be stored on the phone, which is useless at any other company.

Detailed Tests

Here's the app I tested:

 

Here's the password stored in plaintext on the phone:

Notification

I sent this message on 5-20-17:


Posted 5-20-17 by Sam Bowne